Early on Friday, January 16, 2009, the Finnish firm revised its estimate of the number of computers that had fallen victim to a new worm called Conficker (also known as Kido or Downadup).
The worm, which has surged dramatically over the past few days, exploits a bug in the Windows Server service present in all supported versions of Microsoft's operating system, including Windows 2000, XP, Vista, Server 2003 and Server 2008. It disables System Restore, blocks access to security websites, and downloads additional malware to infected machines. The worm uses a complicated algorithm that changes daily and is seeded with timestamps obtained from public websites such as Google.com and Baidu.com. The algorithm generates many possible domain names every day: hundreds of names such as qimkwaify .ws, mphtfrxs .net, gxjofpj .ws, imctaef .cc and hcweu .org. This makes shutting them all down impossible and impractical, since most of them are never registered in the first place.
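Because most of the generated names are never registered, an infected host stands out on a resolver as a burst of NXDOMAIN answers for many distinct, never-seen names. The following detection sketch is an added example, not part of the original alert; it assumes a constructed resolver log format of "timestamp client domain rcode" and the window and threshold values are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log lines (not from the original alert), one
# "<timestamp> <client> <queried domain> <rcode>" record per line. The
# domains quoted in the alert serve as examples of never-registered names.
SAMPLE_DNS_LOG = """\
2009-01-16T08:01:02 10.0.0.12 www.google.com NOERROR
2009-01-16T08:01:03 10.0.0.12 qimkwaify.ws NXDOMAIN
2009-01-16T08:01:03 10.0.0.12 mphtfrxs.net NXDOMAIN
2009-01-16T08:01:04 10.0.0.12 gxjofpj.ws NXDOMAIN
2009-01-16T08:01:04 10.0.0.12 imctaef.cc NXDOMAIN
2009-01-16T08:01:05 10.0.0.12 hcweu.org NXDOMAIN
2009-01-16T08:01:06 10.0.0.12 www.baidu.com NOERROR
2009-01-16T08:01:20 10.0.0.33 www.google.com NOERROR
2009-01-16T08:01:21 10.0.0.33 typo-of-intranet.local NXDOMAIN
2009-01-16T08:03:40 10.0.0.33 support.kaspersky.com NOERROR
"""

def parse_log(text):
    """Yield (timestamp, client, domain, rcode) tuples, skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, client, domain, rcode = fields
        yield datetime.fromisoformat(ts), client, domain.lower().rstrip("."), rcode

def nxdomain_bursts(text, window_seconds=60, threshold=5):
    """Return {client: set of distinct NXDOMAIN names} for every client that got
    NXDOMAIN answers for at least `threshold` distinct names inside one window."""
    per_client = defaultdict(list)
    for ts, client, domain, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            per_client[client].append((ts, domain))
    flagged = {}
    for client, events in per_client.items():
        events.sort()  # sliding window over time-ordered NXDOMAIN events
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            names = {d for _, d in events[start:end + 1]}
            if len(names) >= threshold:
                flagged[client] = names  # first window that crosses the threshold
                break
    return flagged
```

A single NXDOMAIN from a mistyped name (10.0.0.33 above) stays below the threshold, while the host cycling through generated names is flagged together with the names it tried.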
Urgent advice: users are strongly recommended to ensure their antivirus databases are up to date. A patch for the Windows vulnerability is available from Microsoft: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx (Microsoft Security Bulletin MS08-067 – Critical: Vulnerability in Server Service Could Allow Remote Code Execution (958644)).
Sources/references for this outbreak alert and background information:
Kaspersky Lab disinfection/removal tool: http://support.kaspersky.com/faq/?qid=208279973