Beware Fake Conficker Alerts

Q: Is the Conficker worm making the rounds again or are the email warnings a hoax? — Leslie

A: The current crop of ‘Conficker.B ’email warnings that are purporting to be from Microsoft are in fact a hoax that’s trying to infect computers with the fake ‘Antivirus 2010’ program.

This is just another example of the creative methods that are constantly being generated to trick folks into installing fake security software onto their computer, which then coaxes them to purchase the ‘fix’ for a fake infection.

A recent study claimed that over 250 different types of ‘scareware’ programs are in circulation and this is just the most recent attempt to get people to give up credit card information for a fake infection.

In general the subject line refers to a ‘Conficker.B Infection Alert’ and the body of the message reads:

Dear Microsoft Customer,

Starting 18/10/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected. To counteract further spread we advise removing the infection using an antispyware program. We are supplying all affected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.


Microsoft Windows Agent #2 (Hollis)

Microsoft Windows Computer Safety Division

The message is accompanied by a file attachment that has varying names, but usually has the .zip extension.

If you are paying attention, you should be able to spot many red flags from this message.

The first one is the date format (18/10/2009) which is not common in the U.S. and the second is the poor grammar (unusually rapidly).

What isn’t as obvious to non-technical users is that Microsoft would never be contacted by your Internet provider if your network was truly infected. If anything, your Internet provider would shut your connection down or disable your ability to send email if your system was infected with many of the silent malware programs that silently spew out spam.

Microsoft would never send a file attachment (they always use links back to their Web site) and you should never trust any .zip files (compressed files that could contain virtually anything inside) unless you are absolutely certain of the contents.

Finally, I have yet to see any official Microsoft email messages that had a salutation that started with ‘Regards’ and there is no such thing as the ‘Microsoft Windows Computer Safety Division.’

The only security warnings that you will ever get emailed to you from Microsoft would come as a result of you pro-actively signing-up for their ‘Security Bulletins’ and the format of the messages always starts with “Begin PGP Signed Message.”

A good practice for the future whenever you receive any suspicious email warnings is to copy the first paragraph and paste it into Google as a search. If the information is legit, you will find Web sites that will confirm the information and if it’s a fake, you will quickly get confirmation as well.

Ken Colburn
Data Doctors Computer Services
Data Doctors Data Recovery Labs
Data Doctors Franchise Systems, Inc.
Weekly video tech contributor to
Host of the award-winning “Computer Corner” radio show

New Ransomware More Likely Than Conficker

Q: I have a popup telling me that I am infected and to buy this software or that I need to run a scan when my current PC-Cillin is running a scan. What is this worm called and can you tell me how to remove it? — Jim

Your description sounds like the long-running ‘scare-ware’ program generally calling itself AntiVirus 2009 (formerly AntiVirus 2008).

This family of scams has been very successful in fooling folks into paying for relatively useless software and the stakes are starting to get higher.

The most recent variations will attempt to convince you that your My Documents folder is corrupted and offers a free “fix” to repair the problem.

Once again, this is a scam to get you to install a rogue program that, in this case, actually ‘encrypts’ your My Documents folder and then will hold you hostage when you try to get back into your files.

The ‘ransom’ for giving you the key to unlock the encryption is $50, which is why the security community refers to this type of malware as ‘ransom-ware'(if you get infected with this scam, DON’T pay the ransom! Unlock tools have been posted around the Internet or consult a professional).

The authors of these programs used a generic sounding name (AntiVirus 2009) which is used by many companies and boxes that look a lot like they were generated by the Windows operating system.

This combination is fooling a lot of users into thinking that the warnings are legit.

In your case, if the warnings are not coming from PC-Cillin (Trend Micro) then you know that you should be suspicious. Likewise, users that have installed A/V software from companies like Norton, Webroot, McAfee, Panda or any of the major vendors should only heed warnings that are generated by the specific program that was installed as the protection system.

Paying attention to the details of the warnings is the best way to sidestep these types of scams. In addition to making sure that a warning message is coming from your A/V program, look at the header (usually the blue bar at the top of the warning box) to see if it has the name of your program in it.

If you see things like FreeWebScanner or FreeScan or FreeAntiVirusScan or anything other than your security software’s name, don’t respond (click the X in the top right corner).

In order to get these pop-ups in the first place, someone has likely ventured into fringe websites (gambling, adult content, hacker sites, warez software key sites, etc.), downloaded files from a file sharing network like LimeWire or KaZaa or fallen for one of the many new e-mail or social media video scam messages.

If you get any kind of message saying that an embarrassing video of you is up on YouTube or checkout this sexy video of a girl, etc. and when you go there to see the video, you are prompted to update your Flash player or video ‘codec’, don’t fall for it (unless you are just getting started with a new installation, you have everything you need to see online video already).

Your chances of getting ‘infected’ by the AntiVirus 2009 scam is exponentially higher than every getting infected by any of the Conficker worms that captured the world’s attention last week because it relies on gullibility.

As with all infections, the more you pay attention to what you are clicking on and the more suspicious you are of everything that you see, the less likely you will become a victim of these scams.

The bad guys know that you aren’t paying attention out there and they are getting better at distracting those that aren’t constantly on their guard, so don’t let them fool you.

Ken Colburn
Data Doctors Computer Services
Data Doctors Data Recovery Labs
Data Doctors Franchise Systems, Inc.
Weekly video tech contributor to
Host of the award-winning “Computer Corner” radio show


Conficker Hype Or Hurt?

No April Fools’ stuff today. Sorry, just not doing it this year. Yet despite my own wish not to participate, I am finding it interesting how many people are downplaying the issue of the Conficker Worm. Surely it cannot be that bad, right? Uh, hello, Blaster Worm, anyone?

What so many people clearly fail to realize is that this is a relatively simple problem that took place with a really foolish group of individuals in some very important positions. Back when the Blaster Worm was shutting down DMVs and turning hospital PCs into rebooting headaches, I found out just how unprepared some IT departments really are. Note that I did not forget about court houses that were also affected.

Why would I say such a thing? Because with the otherwise benign Blaster Worm, the patch was made available by Microsoft LONG before the stupid thing ever became a problem. End result? Countless PCs all over the place were inflicted with a lot of down time and lost productivity was had everywhere it seemed like.

Fast forward through today. The Conficker worm also had a means of being patched over long before April 1st. Yet like with the Blaster Worm, I will be taking bets that we will, again, see lost productivity assuming the worm is later loaded with a payload that creates lots of problems.

It never ceases to amaze me how people cannot wrap their minds around such an obvious thing. Clearly, this worm is more of a lesson in stupidity than anything. This time, like with Blaster, we will once again have an opportunity to see how many system administrators were short-cutting on those system updates and how many have been doing their jobs. Network management: it just is not that difficult! If it was, everyone in the world would be going through these types of problems.

As a Linux user, I will be watching with great interest as I will be unaffected. But to be clear, this is not a Microsoft problem. No, the fix is there, it is just a matter of making sure the fix has been applied. Should be interesting…

How Do I Know If I’ve Got The Conficker Virus?

Q: What is the April 1st virus that everyone is talking about and how do I tell if I am infected? — Kevin

A very stubborn Internet worm known as the Conficker (aka Downup, Downadup & Kido) has been in circulation since late 2008 and specifically targets most of Microsoft’s operating systems.

The third generation of this pest is being labeled Conficker C and it is far more dubious than the previous two versions.

The primary intent of the Conficker worm family is to infect computers with an agent that will turn them into a ‘zombie’ on a large network of infected computers referred to as a botnet.

Botnets are a collection of compromised Internet connected computers that can be remotely controlled by a single computer referred to as the command and control center to act as a group.

Once infected, any computer on a botnet can be given instructions from the command center to perform whatever function the remote hacker desires, including sending spam, infecting other computers or tracking keystrokes for the purposes of ID theft.

Conficker C is especially disconcerting because it is specifically designed to bypass and disable hundreds of popular security programs and websites and it has a trigger date of April 1st with a yet unknown payload.

To make things worse, Conficker C is very good at hiding from you and your security programs and has code that allows it to ‘evolve’ its ability to be detected and removed.

One of the first things it will attempt to do is turn off the automatic updates in Windows because it is exploiting a known hole in Windows. If your computer has not been patched, Conficker can take advantage of the hole and make sure your system doesn’t automatically download the patch by disabling your automatic updates.

To check if the automatic updates have been turned off, go to the Windows Control Panel and double click on the Security Center icon to get to the Automatic updates link.

If you find that your automatic updates have been turned off, it doesn’t necessarily mean that you are infected, however, if you know that it was previously set to automatically update and now it’s turned off, you would be wise to have a technically savvy person do a deeper evaluation of your computer.

The rest of the symptoms for detecting Conficker C requires a working knowledge of the Windows Registry and many of the anti-virus and security firms on the Internet have posted very detailed technical instructions for detection and removal (search Google for “Conficker C removal”).

If you don’t have a tech savvy resource available and are near any of our Data Doctors locations (, we provide free checkups to help those with concerns determine their computer’s status.

One of the many ways that your system can get infected in the first place is from the usual suspects: e-mail attachments, rogue links in e-mails or on malicious websites and from downloading files from P2P networks such as Limewire and KaZaa, but a most recent exploit seems to be where many folks are getting infected.

The popularity of online video and especially YouTube has created a new trick for malware writers to get into your system. If you click on a link that presents itself as a video, but when you go to play the video you get an alert stating that you need to update your “Flash Player” or you need a new ‘codec’, the chances are real good that it’s a trick.

If you routinely view online video and you are suddenly told you need something new to view online videos, especially from a no-name website, be suspicious.

If a message comes up saying you need a new version of the Flash Player, don’t accept the file that the website offers as an update. Instead, go to to install the latest version of the free video player, then go back and try viewing the video again.

If the same message comes up with a prompt to download an updated Flash Player, you will know it’s a scam for sure.

In the same respects, if you get a message telling you that you need a new ‘codec’ to view a video, the safe response is to take a pass until someone technical you trust can see if you’re video playback software is really that old.

Ken Colburn
Data Doctors Computer Services
Data Doctors Data Recovery Labs
Data Doctors Franchise Systems, Inc.
Weekly video tech contributor to
Host of the award-winning “Computer Corner” radio show

OK Corral Shootout Coming To Cyberspace On April 1st, 2009

For those who may not be familiar with the tale of the OK Corral, it happened back in 1881 in Tombstone, Arizona. The famous gunfight featured a host of characters with Wyatt Earp, his brothers Virgil and Morgan Earp, plus Doc Holiday on one side. These four went up against fought the Clantons and McLaurys at what was known as the OK Corral. Accounts vary as to what actually happened but all agree that it was a bloody day.

So we now have another shootout brewing, but this time the battle will take place on the Internet. On one side there is Microsoft who is leading a group of security professionals. On the other side are the people who wrote the Conficker bug that is getting ready to explode on April 1st, 2009. It is estimated that the virus has infected some 3 to 12 million computer systems with its payload. 

In an article from USA Today it states that there is little the good guys can do to stop the Conficker bug.

Conficker’s controllers have set a date for what amounts to a cyber-shootout at the OK Corral. Next Wednesday — April Fools’ Day — millions of infected PCs, called bots, will begin reporting for further instructions, presumably to begin spreading spam, stealing data or carrying out online scams. And there appears to be little the good guys can do to cut off such communications.

“We have not yet begun to feel the real impact of Conficker,” says Paul Henry, researcher at security firm Lumension. “We may soon be at the whim of those in control of what has emerged as a formidable army of infected machines.”

Vintage worm

Conficker requires no action on the part of the PC user to spread. It’s a throwback to self-replicating worms that scanned the Internet for PCs displaying known — and unpatched — Windows security holes.

Now here comes the fun part. Since April 1st is known as April Fools Day, this may turn out to be nothing more than a hoax. Or is it? 

One of the simplest ways to avoid infection is to not log onto the Internet on April 1st. I have switched over to using Google’s Chrome browser since it seems the most secure browser as of today. Even the hackers gave up trying to break Chrome since it uses a ‘sandbox’ approach. 

What are you doing to protect your computer just in case the worm does attack?

Comments welcome.


March 13, 2009 – Virus Set To Call Home To Southwest Ailrines

According to a blog entry at Sophos, if you are scheduled for a flight on Southwest Airlines on March 13th, you may have trouble logging in online. It seems that the virus known as Confickeris scheduled to call home to for further instructions. But the virus won’t receive any directions. Instead the site which is owned by Southwest Airlines will redirect the traffic to Southwest Airlines. If this happens, than the site could suffer a denial of service attack.

According to Sophos in their blog posting, it also states that:

The key sites whose visitors may indeed see a disruption to their service include:

jogli.comBig Web Great MusicMarch 8
wnsux.comSouthwest AirlinesMarch 13
qhflh.comWomen’s Net in Qinghai ProvinceMarch 18
praat.orgPraat: doing phonetics by computerMarch 31

Other, less frequented, sites of interest that appeared in the list include “The Tennesse Dogue De Bordeaux” dog breeders site (, March 14) and the coy “Double Super Secret Message Board” site (, March 11) — dogs and secrets won’t be moving too well on those days. One last domain turned out to be infected with Troj/Unif-B (site not listed here for obvious reasons) — so I will go ahead and block that one all the same!

As for options, the simple solution, say for Southwest Airlines, could simply be to stop resolving to for the day — so long as that wouldn’t hinder any of their operations. Another option would be to filter out the Conficker HTTP requests of the form http://<domain>/search?q=<N>, though this requires that (a) your site does not currently use a “search” page (with no file extension) and more importantly (b) the filtering decision is made at a point along the network path that can cope with the load. This is a bit trickier as HTTP is an application layer protocol — a network connection must already be established before the two endpoints start speaking HTTP — necessitating a highly provisioned web proxy be used on the front lines to (1) establish the connection (TCP 3-way handshake), (2) examine the HTTP request, and (3) drop Conficker requests and pass along any remaining (presumably legitimate) requests further downstream. In any case, I have contacted the owners of the domains listed above to draw their attention to this matter.

Time will tell whether making it on the Conficker list will be viewed with prestige or lowliness. Perhaps stories of surviving a Conficker call-home flood will carry a badge-of-honor in the network operations world. I do know one thing for certain though… I’m glad did not make the list.

MikeW, SophosLabs, Canada

So hopefully Southwest Airlines won’t experience any problems.

Comments welcome.