Conficker finally beat


winggapo (Solid State Member, 7 messages, Las Vegas NV)
As a start off I want to say that I really hate to post this because I already know the response that I will get from the "techies" out there. I have already got the response from the local tech guys here at my PC shops in Las Vegas. That having been said, I only write this in the hope that it will allow someone else who has basically shelved his computer equipment as no longer being functional and given up, or has taken it down to the local repair shop and been blasted with a huge bill to wipe everything clean.
I beat Conficker D... at least, I think it was variation "D" from the descriptions I have read online and the symptoms that my PC had. I had written a thread a month or so back and was politely advised to use HijackThis and mail the info to the admin here for support. Only problem was that if I could have gotten into Windows in ANY MODE I would not have written for support in the first place. I had multiple drives corrupted, even drives that had been in storage, and was told by the local techies that the virus had been hiding in the scheduled tasks or system restore areas of Windows for maybe over a year and had all activated at the same time. Upon asking if the virus could corrupt the BIOS or attach to some other memory I was informed that any virus that corrupts the BIOS shuts down the machine (not alters it) and that a virus cannot write to a component that discharges on boot down. Acting upon that as a matter of faith I spent a month working with emergency Windows boot up discs and virus scanners only to get blindsided every time the machine booted back up.
Finally I decided that maybe some of the techies don't know as much as they think and went about removing what memory components I could to keep the machine operating and yet limit the amount of available memory for signatures to be stored on. I reduced the RAM to the minimum for XP to boot from that I had on hand and replaced the video card with an older card with little on-board memory. Suddenly, the virus scans scanned through the virus on reboot. In a couple of hours I had a drive cleaned out and then I did a second drive and a third.
As a grand finale experiment I took a brand new 160gb Maxtor drive, never been formatted, and a brand new XP operating system disc, never been registered, and put a new OS on the disc. I downloaded McAfee, the Symantec stand-alone scanner, PC Tools Spyware Doctor, and PC Tools Registry Mechanic and scanned it all clean. I replaced the RAM I had removed and was reinfected with Conficker in two seconds flat. The software was all installed from discs; the hard drive never went online to acquire an infection source.
So here's the key, for all those that have machines inoperable... CONFICKER WRITES TO RAM. I know, I know... I can hear everyone laughing. I got the same laughter from the tech guys at Frys, at Best Buy and my own tech guy, who all told me that it is impossible to write to a RAM stick as it deletes all energy on boot down. Some even inferred that I did not know what RAM memory was. But, when I offered to bring the RAM memory sticks to them and let them put them in a compatible system and boot them up... that's where they all drew the line with a "we're not that curious".
For information, the RAM sticks that were written to were 1gb Mushkin 4200, whereas two sticks of 512mb Kingston were unaffected. This is not an advertisement for one memory type over another, as it could be that the signatures just needed more than 512mb to effectively write to.
Everyone that knows anything about RAM will say I made this up... and you can ignore this thread. But someone who is infected and can't come to terms, I just gave you a way to fight back. All the tech guys will laugh at writing to RAM as being impossible, but somewhere out there is some idiot who didn't get the message and went ahead and did it anyway.
This is a bad and serious bug and this site does not give it enough credit, as it has shut down components of the French Navy and German military computers last month and appears to be coming from a server in the Ukraine according to what I can dig up online. You have not seen the end of this one. My only proof of how I beat it is that I have two sticks of RAM sitting in my drawer labeled "do not boot, Conficker" written on them. I can vouch that it's accurate.
 
RAM doesn't "get written to", it is a "volatile" type of memory, it clears completely after system shutdown. It doesn't keep things in memory when the power is off. Hard drives are written to, they are "persistent" storage type devices; the sectors on a hard drive are magnetically altered. But as for RAM (SDRAM, DDR-2, etc) it clears when shut down.
 
Conficker was already beaten some time ago; several companies released special scanners that would scan for Conficker. I think you have some other issues at hand. BUT there is only ONE piece on the RAM that ANYTHING can ever be "written" to, and that is the SPD chip on there, but it does NOT contain enough room for a virus to live.
 
Actually I would wager to guess that the system's BIOS is affected and that the new drive got infected because the Conficker is being stored in your CMOS. After installing the OS the system got infected because you never flashed your BIOS to clear the infection.

They are right saying that RAM can't be written to. Everything that is stored in your RAM is cleared. But if it affects your BIOS it can be stored on that PC because it can be saved in the CMOS and initialized at any time.

I read your post and while I can see why you would think that, the only thing I never see you mention is flashing your BIOS or clearing your CMOS. Which leads me to think this, as that is what can happen.

Clear your CMOS, flash your BIOS and try it again. I would wager to guess that you will not be infected at that point.
 
As I said, I already knew all of that...

It is true that I did not flash the BIOS after being told by the tech guys at the shop that a virus could not write to the BIOS without shutting it down. I had pretty much discounted that and was heading in that direction though, before reducing the RAM and stumbling on how to beat the bug. If the BIOS or CMOS was infected then the bug would still be in the machine and subsequently I would not be sending this response to you, as this is the machine and one of the infected drives that was cleaned out. Discussing this with the guys at the shop brought about the same response that would have been expected if I had just told them that I saw Bigfoot walk through my backyard, and I expected the same on this forum.

But, for anyone out there that is about to trash their PC and buy or build another one, you might try this first. For all of you that have clones of your drives as I did and intend to substitute them if you get infected and happen to come across variation D... you've got a big surprise coming!

As for me, my only complete dollar loss was the two sticks of RAM that I guess I will save as a souvenir and a reminder of 35 days lost to cyber turpitude.
 
From what I'm getting in these posts, you are saying Conficker writes to the removable "RAM", which can be removed from the system, installed on any other system and infect it. Well, first of all, Conficker doesn't work this way, and second, whatever is or happens to be on the "RAM" will be wiped out once it's powered down. CMOS is a different story though, and Conficker doesn't infect it in any shape or form whatsoever. There is some other variable going on here that you are skipping or overlooking. If the CMOS was infected this issue would be far greater than it is right now, and possibly the same with the RAM, which means millions of infected computers would need new RAM. Conficker A is about 7 months old so it wasn't hiding in your system for a year. You say you had "D" and that was reported on March 4 2009. When this came out, so many people came here "thinking" they had Conficker. There are many viruses and such that act similar to Conficker.

At work, we had a few computers hit with it. We were missing a critical patch on older systems. Once they were quarantined, updated, scanned, etc, we were back in business. So the CMOS and RAM were not infected.

You may want to take a look here http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx#EWC

And then to add to this, there are MANY Conficker removal tools out there.
 
Thank you for the link, Osiris.

After accessing the Microsoft link to Conficker I am now pretty certain from the symptoms of the virus that Conficker was the culprit, although there is always the possibility of a rider virus. The Microsoft links are somewhat dated and mostly refer to the symptoms of Conficker B. My PC had all the symptoms of Conficker B plus it also shut down the safe mode links, which is not a symptom of the B variant, but rather the D variant. The virus however does seek its server (believed to be in the Ukraine) and update once it can get online. I based my assumption not only on the symptoms, but the timing. The machine was infected, not on April 1st (April Fool's Day) as CNN had warned, but on April 15th (tax day). I related the symptoms and asked for assistance about this time and that is in my original post, although I do realize that this site gets a couple of thousand hits a day so that is now old history. Basically playing with this virus is like playing a game of chess. For every move that you make to attempt to access web links or internal programs to fight it, the virus makes a counter move. It does this by continually rebooting and digging itself further into the system files with each reboot. With each reboot the website or internal program that was being attempted for removal is then locked out. It will do this one at a time for each program you choose, although some programs and docs disappear with the initial infection. Microsoft Word files, Excel, and the Windows Defender program simply vanish as if they had never been there in the first place. If I had shut down the PC at the first signs of infection and used the Kaspersky Linux based OS virus scanner that you provide the link to in your Anti-Virus PDF manuscript I might have been able to clean it out in the first few hours.
But, I played with it for a couple of days as I had with other virus infections I have gotten over the years and eventually got checkmated into a corner where the machine would only blue screen of death upon boot up. When you say that some of the PCs at your work were infected and easily cleaned, that's probably because you had the knowledge and tools to do it and didn't play with it for a couple of days like I did. I did glean one bit of important information from the Microsoft link: since only my wife and I use the PC, my account is the admin account, and so that she can download programs it has never been password protected. That has been changed now after reading from Microsoft that Conficker used a random "easy password" list to try to crack into the admin account, which for my PC was easy because we didn't even have a password.

Because of all the posts that you must peruse daily I will reiterate what I had posted earlier. I thought I was being smart by having cloned hard drives, which in the past have been effective to fight a bug. Get a bug, simply pull the drive out, put a new drive in and then re-clone the infected drive. It has worked in the past and sure beats the heck out of long virus scanners. In this case, upon pulling the infected drive and inserting a drive from storage, all the subsequent drives were also infected. That's why there was a presumption that somehow the BIOS or CMOS got infected, which my tech connections told me was impossible while still being up and running. They claimed the virus had been in storage locked into the system restore points or scheduled task area and just booted in upon boot up. But, that would have been a long time... those storage drives have been in my closet for well over a year, at least one over two years. They were all infected upon boot up.

I acquired emergency recovery discs with Linux based OS systems and stand-alone virus applications and spent a month tinkering with this trying to crack it. I will tell you, the virus has no problem shutting down a Linux based kernel. The virus simply locks it up once it detects it, then you have to go through the whole process of reloading the entire disc, and that includes the Kaspersky disc from the link on your PDF manuscript.
As for the Symantec desktop Conficker removal tool, it has no problem shutting that down either. Five seconds of scan and blue screen. By trial and error I just figured that the bug has to be hiding in some memory spot other than the drive. So, I replaced the video card with a slower card with less onboard RAM and pulled 2gb of RAM sticks, leaving 512mb to boot up the PC. If I recall correctly XP needs a minimum of 256mb to boot, so I tried to get as close to that as possible with what I had to use. I loaded and tried scanning the hard drive with the Kaspersky disc and to my utter surprise the virus scanner activated, did not lock up, and scanned completely through. After a solid month of attempts the scanner had never scanned more than five or ten seconds without locking up.
I used the emergency recovery discs I had acquired and used the virus scanners to scan and they also scanned through. The PC would still not boot up until I used the OS recovery disc's recovery console option. Then the PC booted up. I ran Registry Mechanic, which was an active program on the hard drive at the time of infection, and it found 2156 corrupted registry components that it replaced. However, I could not get online because a bunch of sys files were corrupted, and although I know how to go about replacing them, it was easier to pull my docs, game saves, photos, and videos off the drive, transfer them to one of the backup drives that I had also cleaned out, and then just reformat. That drive is the one I am currently writing this on.

After everything was cleaned and back to normal, as an experiment, I bought a brand new 160gb Maxtor drive and a brand new XP OS Service Pack 2 disc and installed the OS on the drive. I installed McAfee, the Symantec Conficker desktop removal tool, Spyware Doctor, and PC Tools Registry Mechanic and checked to make sure that they were completely functional. I did not download any modem drivers to go online with. I checked the OS folders to make sure the OS was functional as installed. I powered down the PC, removed the 512mb of RAM and installed the 2gb of Mushkin RAM that I had removed at the time of infection. I powered up the machine and the desktop appeared normal. Upon clicking the McAfee icon to scan, the machine black screened and rebooted itself. Upon reboot I clicked the Symantec Conficker removal desktop icon and the machine froze up, except for the mouse indicator. After a few minutes the desktop came back to function and I opened some random folders to see if the OS was working, and it was. I clicked the Symantec icon a second time and the machine black screened and rebooted. Recognizing these as symptoms of initial viral infection I did not proceed further. I used the Kaspersky disk to scan the drive clean and that drive is now in storage, and I removed the RAM once and for all. To be honest I was really afraid that if this could infect a RAM stick then it might also go after the processor RAM and that kind of scared me. Now it could be that the virus signatures did not attach to the RAM but that the virus just rendered the RAM unstable, but since this is also a physical change that would deplete on shut down, that cannot be either. The only way I know of to blow a RAM card other than a direct short is by overclocking and then it becomes dysfunctional. This RAM worked perfectly before the infection. This machine has never been overclocked.

Am I aware that RAM is a volatile memory and can not be written or burned to? Absolutely. I have read computer books on how things work and have built a half dozen desktop PCs for myself or friends, including this one. Would this make a RAM stick a way for a virus to be moved to another PC if it could be done, converting it into a portable storage device? Yes it would. Although that supposition is ridiculous, because most owners of computers could not even point to where the RAM is in their computer. It would, however, provide for a permanent infection until isolated. I am aware of what I knew everyone would say. I also know what it took to clean out the PC and how it then reacted once the RAM was replaced with a new drive and OS.

So here's the bottom line: I believe that when I signed up here your Osiris handle came up as admin, or at least an admin to the site (I don't know what the pecking order is here). If that is true then shoot me an email to my private email listed on file here. I will send you the RAM... no charge... I'll pay for the shipping... I won't ask for it back. The only catch is you have to have a system that can try it. These are SP2-4200 DDRAM from Mushkin.
On the upside, if you are correct then you get some free RAM. On the downside, if someone has proved to be smarter than you think can be done, you get to be the proud Papa of a bouncing baby virus. The tech guys here in town would not take the challenge. "We know there is nothing on it, but we aren't going to risk it with our system" is how I believe one put it. How about you?
 
The only way to get anything to transfer via RAM is to re-write the SPD chip on the stick, and that, in itself, is mostly impossible without the proper equipment; even then Windows would have to read the SPD chip during boot to become infected.

The only reason a "tech" shop wouldn't do it is either time restraints, or the RAM may have appeared to be physically damaged.
 
It's impossible to permanently store data in volatile memory. In flash memory it is, but your RAM isn't flash, it's DRAM. There is no way to write a program that would use RAM in such a way to do that either. The very way RAM is made requires it to have a power source to store data. Without power everything flips back to zeros.
 
I'm not the Admin, that's Trotter and Mak, but I'd be more than willing to test the RAM. 4200 just happens to be the same RAM my PC takes, so I will shoot you an email and you can send them to me and I'll be more than happy to test and provide truthful results even if I am wrong in my last post.

I'll test anything, any link, any virus, whatever you want to throw at me. It would seem like they would have a test box of some sort for this type of issue; they should have been more than welcome to test but I guess not :cool:
 