Buffer Overflow Problem Caused By Conficker Worm

coolcool1227 ✭✭✭
edited June 2012 in Antivirus

In my office the network is infected with the Conficker worm, which at intervals tries to intrude into the system. Although it fails to do so, at the moment it tries a Windows Generic Host Process error occurs, and in Windows Error Reporting the error is displayed as:


"Faulting application svchost.exe, version 5.1.2600.5512, faulting module AcGenral.dll, version 5.1.2600.5512, fault address 0x000116e2."


I ran the Bitdefender Conficker Tool from "http://www.bitdefender.com/VIRUS-1000462-en--Win32-Worm-Downadup-Gen.html" to confirm the infection and also ran a full system scan, but found nothing.


I googled the above error, which shows that it is due to the vulnerability MS08-067.


Previously I had installed Avast Internet Security 7, which displayed a pop-up about the Conficker worm (residing in C:\Windows\system32\x) at regular intervals. So Conficker could intrude into the system even with Avast installed; Avast was able to detect it later, but no Generic Host Process error occurred. But after the installation of Bitdefender, Conficker failed to intrude into the system, but the Generic Host Process error is occurring at random intervals.


I uninstalled Bitdefender from that machine and installed Kaspersky Pure 2 in order to check what exactly is happening, and found that the above Windows Generic Host Process error was caused by the intrusion of the Conficker worm, which causes a buffer overflow. Kaspersky successfully detected that intrusion, denied it and also logged it. So Kaspersky has better buffer overflow protection than Bitdefender, which didn't detect the intrusion, thus no blocking and no logging. Avast also lacks buffer overflow protection.


This was a problem in the Beta version, which I already posted about there:


https://my.bitdefender.com/en_us/my/?lang=e...86a633e7400017a


I know that Beta issues are not discussed here, but since there is no response from technical support I posted here again, just to get the issue fixed in the final version of Bitdefender.
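An added example, not code from the original post or from Bitdefender: a small Python parser for the "Faulting application ..." message format quoted above (the Application log Event ID 1000 text on Windows XP / Server 2003), which flags recurring svchost.exe crashes as a reason to verify the MS08-067 patch (KB958644) and look for NetAPI exploit traffic on TCP 445. The sample log lines are constructed; treating svchost.exe as the suspect process and grouping crashes by (module, fault address) are this example's own assumptions.

```python
"""Triage Windows Application-log 'Faulting application' messages for the
svchost.exe crash pattern the post describes. Constructed example."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Message body format exactly as quoted in the post (Event ID 1000 on XP).
FAULT_RE = re.compile(
    r"Faulting application (?P<app>[\w.\-]+), version (?P<app_ver>[\d.]+), "
    r"faulting module (?P<mod>[\w.\-]+), version (?P<mod_ver>[\d.]+), "
    r"fault address (?P<addr>0x[0-9A-Fa-f]+)"
)


@dataclass(frozen=True)
class Fault:
    app: str
    app_ver: str
    module: str
    module_ver: str
    address: int  # offset inside the faulting module, as logged


def parse_fault(message: str) -> Optional[Fault]:
    """Return a Fault for a 'Faulting application ...' message, or None."""
    m = FAULT_RE.search(message)
    if m is None:
        return None
    return Fault(m["app"], m["app_ver"], m["mod"], m["mod_ver"], int(m["addr"], 16))


# Assumption for this example: svchost.exe hosts the Server service whose
# NetAPI32 RPC code path MS08-067 targets, so a failed exploit attempt against
# it surfaces as the 'Generic Host Process' crash reported in the post.
SUSPECT_APPS = frozenset({"svchost.exe"})


def triage(messages: Iterable[str]) -> dict:
    """Parse all messages and summarise crashes of the suspect host process."""
    faults = [f for f in map(parse_fault, messages) if f is not None]
    suspect = [f for f in faults if f.app.lower() in SUSPECT_APPS]
    # Repeated crashes at one (module, offset) pair look like a recurring
    # remote trigger; unrelated crashes scatter across modules and offsets.
    sites = Counter((f.module, f.address) for f in suspect)
    return {
        "faults": faults,
        "suspect": suspect,
        "repeat_sites": {site: n for site, n in sites.items() if n > 1},
        "needs_ms08_067_check": bool(suspect),
    }


# Constructed sample: the post's message twice (the crash recurred at
# intervals), one unrelated user-application crash, and one unrelated event.
SAMPLE_LOG = [
    "Faulting application svchost.exe, version 5.1.2600.5512, faulting module "
    "AcGenral.dll, version 5.1.2600.5512, fault address 0x000116e2.",
    "Faulting application notepad.exe, version 5.1.2600.5512, faulting module "
    "unknown, version 0.0.0.0, fault address 0x0001a3c4.",
    "The Windows Firewall service entered the running state.",
    "Faulting application svchost.exe, version 5.1.2600.5512, faulting module "
    "AcGenral.dll, version 5.1.2600.5512, fault address 0x000116e2.",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["suspect"]:
        print(f"{f.app} crashed in {f.module}+0x{f.address:08x}")
    print("repeat sites:", result["repeat_sites"])
    print("verify MS08-067 (KB958644) is installed:", result["needs_ms08_067_check"])
```

The crash alone does not prove exploitation; the host-based signal here is meant to be paired with the network-side evidence the post later asks for (source IP and port of the attempt), and with a check that the MS08-067 update is actually installed on the crashing machine.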

Comments

  • rootkit ✭✭✭
    edited July 2012

    Hello :)


    Actually the solution is not that simple.


    In order to remove the malware from the network, you will have to disconnect ALL machines from the internet/network, manually remove the infection (using the tool or by scanning with Bitdefender 2013) and install all Windows Updates on each machine.


    After this, make sure that you have an antivirus or an internet security suite installed on all machines, including the server and rebuild the network.


    Please report back if you receive any pop-ups related to Conficker after following these instructions.


    Take care.

  • The concern is not cleaning the network computers of the Conficker worm. The main concern is that at the time of intrusion Kaspersky detects the intrusion and logs it as "Denied:Intrusion.Win.NETAPI.buffer-overflow.exploit" along with the TCP IP and port number, whereas with Bitdefender installed the Generic Host Process error occurred and nothing was logged about that intrusion.


    I already cleaned the system before posting here.


    Kindly note that the Kaspersky Network Attack Blocker feature detects that intrusion, and in Bitdefender I've set the following settings, but to no avail.


    Stealth Mode: ON


    Block Port Scan: Enable


    Network Type: Home/Trusted


    Paranoid Mode: ON


    IDS: Normal

  • Any reply would be appreciated.

  • Now I have installed Eset Smart Security 6 RC, which also detects that intrusion by the Conficker worm and blocks it. For that intrusion it also shows a pop-up with the TCP IP and port number of the source and target PC.


    You can easily replicate the issue at your end.


    I need Technical Support in order to fix it ASAP.

  • rootkit ✭✭✭
    edited July 2012

    Hello :)


    Let's see if the PC is infected.


    In order to be able to further investigate the reported situation we need a bit more information from your computer as follows:


    . A BDSYS log;


    [how to GENERATE A BDSYS LOG]


    . Save and extract the BDSYS tool to a location of your choice:


    http://www.bitdefender.com/files/Knowledge.../BDSysLog_i.exe


    . Make sure you close all active applications and then run "BDSysLog_i.exe"; if you receive a firewall alert, select Allow so the application can connect;


    . Click the "Create log" button to start generating the log; A progress bar is indicating that the tool is creating the report;


    . When the small window appears with the message "Log saved" then the report is complete and a new file named "bdsyslog.zip" has appeared on your Desktop;


    . Upload that file on


    http://www.sendspace.com


    or


    http://www.mediafire.com


    and post here the download link.


    IMPORTANT:


    .During this process the Real Time Protection in Bitdefender must be temporarily disabled;


    . If you receive a Bitdefender Firewall alert informing you that BDSysLog_i.exe tries to connect to the internet, then you need to select Allow;


    [how to DISABLE THE ANTIVIRUS PROTECTION in Bitdefender 2013]


    In order to disable the antivirus protection, please open Bitdefender and click the "Settings" button in the upper part of the interface; in the new window go to the "Antivirus" > "Shield" tab and click on "ON" under On-access scanning. Select the time interval that suits your troubleshooting needs and click "OK". On-access scanning should be enabled again after finishing the troubleshooting procedure.


    We will get back to you as soon as the analysis is complete.


    Have a nice day!

  • coolcool1227 ✭✭✭
    edited July 2012

    As I said before I have installed Eset Smart Security 6 RC on that PC. Is that OK or not?


    Eset also displays the name of the intrusion as Worm/Conficker, which confirmed to me that the said Windows Generic Host Process error is due to the Conficker worm.

  • I installed Eset temporarily and will switch back to Bitdefender again. Can I run the tool by disabling Eset?

  • rootkit ✭✭✭

    Hello :)


    Yes, run the uninstall tool and reinstall Bitdefender.


    Report back here the situation please.


    Take care.

  • I posted this issue in the Beta feedback, but due to the delayed response from support I now can't proceed, as our Network Administrator has refreshed and upgraded all the systems on the network. So we have Conficker-free systems on the network at present. However, you can easily replicate the said issue at your end.


    I repeat that Eset and Kaspersky notify of the Conficker intrusion along with the source IP address and port number (which change every time) and the worm name; they block it and also log it, but with Bitdefender installed the Generic Host Process error occurs and there is no notification about the Conficker intrusion at all, not even in the logs.

  • rootkit ✭✭✭

    Hello :)


    The issue was reported to our Labs and developers.


    After all the tests are finished, if needed, a fix will be provided via Automatic Updates.


    Thank you very much for your feedback!

  • coolcool1227 ✭✭✭
    edited August 2012


    It is also requested that such intrusions be notified in detail (IP address and port number, etc.) via pop-ups as well, like the others do.

  • rootkit
    rootkit ✭✭✭

    Hello :)


    That could only be implemented in User Mode if the request for firewall notifications like those in Bitdefender 2011 is approved.


    Thank you!

  • Definitely in User Mode, and also consider this request for detailed Notifications/Pop-ups here > Separate Notification/pop-up Settings For All Modules

  • rootkit ✭✭✭
    edited September 2012

    Hello Omer :)


    We will continue this over here:


    http://forum.bitdefender.com/index.php?showtopic=36404


    Take care.

This discussion has been closed.