Why is your PC so slow? In just minutes, find out why your PC is so slow. Run the free PC Pitstop Optimize 2.0 scan and receive a free custom report detailing common issues that might be keeping your PC from running at top speed. Over 100 million scans run. Scan for free now! PC Pitstop

Download a free PC-performance scan RegCure repairs your Registry and automatically makes your PC's performance like new. Remove Windows errors instantly and clean up your Registry. RegCure is an award-winning product — download a free scan now! ParetoLogic

See your ad here

By Brian Livingston

With big names like Woody Leonhard and Fred Langa writing for the newsletter every week, I haven't been writing many columns myself lately.

That gives me the time to help edit everything into one big publication for you, and also squeeze great advance information out of other publishers, like this month's free bonus download.

Many Windows Secrets readers were put in charge of entire computing systems because they knew how to use a command line or simply looked like they'd know what to do. If you've ever found yourself responsible for systems administration without a leg to stand on (or you just have a few questions), you'll find a new guide from No Starch Press to be an indispensible resource.

Windows Secrets has licensed two full chapters of Network Know-How: An Essential Guide for the Accidental Admin.

The printed book won't be available until late February, but our exclusive excerpt is available to all Windows Secrets subscribers through Feb. 25, free of charge.

To get your bonus, use the link below to visit your preferences page. Make sure your settings are the way you want them, press the Save button, and a download link will appear.

Free and paid subscribers: Set your preferences and download your bonus

Info on the printed book: United States / Canada / Elsewhere

Thanks for your support, and I hope you like this month's special bonus.

No newsletter on Jan. 29; next one'll be Feb. 5

We don't usually publish a new batch of content when a 5th Thursday of the month comes around. That happens this month on Jan. 29, which means our writers will get a week off. If some major event does occur, we'll put out a short "news update" to let you know.

Otherwise, our next newsletter will come out on Feb. 5. See you then!

Table of contents

By Woody Leonhard It's been a hellacious week for security admins all over the world: the polymorphic worm known as Downadup, Conficker, and Kido has infected millions of computers. Fortunately, you can scan, scour, and secure your systems by following four relatively simple steps.

• Conficker.B uses the old Conficker.A approach: simple Trojans that arrive via e-mail or by downloading an infected program.
  
  
• Once a PC on a network is infected, Conficker.B reaches across the network to see whether any of its PCs have not yet patched the MS08-067 hole. After infecting these unprotected PCs, Conficker plugs the MS08-067 hole, presumably so other, similar worms can't get in. What a sneaky buzzard!
  
  
• If Conficker.B finds that it can't get into a computer via the MS08-067 hole, it tries to break in by using the standard Windows admin account, entering each of 248 common passwords. This weak password list (which you'll find under the Analysis tab) includes such all-time favorites as admin, mypass, test, foo, 1111, and many others you may have seen before.
  
  
• Once Conficker.B gains entry to a networked machine, it drops a copy of itself onto the target's hard drive and creates a scheduled job that runs the infected file. Conficker.B also loads itself onto all accessible shared folders. Ho-hum.
  
  
• Finally, Conficker.B scans and infects all removable devices on the system, including USB drives and external hard drives.
  
  

That last step intrigues me the most because the person or persons who wrote Conficker gave the USB-drive-infection routine a diabolical little twist. As you might expect, the infection comes in the form of an autorun.inf file, which (usually) runs automatically when the USB stick gets stuck in the computer. But the social engineering in that autorun.inf file is quite remarkable.

The worm's tricky twist on autorun.inf

Bojan Zdrnja at the SANS Internet Storm Center detailed in this blog post how Conficker.B's autorun.inf file works. To see the brilliance in the deception, it helps to understand how autorun.inf files usually work.

Let's say I put an autorun.inf file on an empty USB drive that includes the following command:

[Autorun]
open=ACoolProgram.exe

Then I stick a file called ACoolProgram.exe on the USB drive. When I plug that USB drive into a bone-stock Vista machine, I get the AutoPlay notification message shown in Figure 1.


Figure 1. Vista's Autoplay displaying the results of a normal autorun.inf file.

On the other hand, if I wanted to get tricky, I could change autorun.inf so it takes over the default wording on Vista's Autoplay dialog. This autorun.inf file does that very thing:

[Autorun]
Action=Open folder to view files
Icon=%systemroot%\system32\shell32.dll,4
open=ACoolProgram.exe

When this file is placed on a USB drive that's inserted into a stock Vista PC, the AutoPlay notification shown in Figure 2 appears.


Figure 2. Vista's AutoPlay with a slightly altered autorun.inf file.

Note that the altered file pastes an icon into the AutoPlay notification that looks just like a folder icon. The autorun.inf file can say it's going to open a folder when in fact it's going to run an executable program.

When Conficker.B infects a USB drive, it creates just this type of autorun.inf file that pops up an AutoPlay notification identical to Figure 2. Clever — and for PC users, scary. Amazingly, this bit of autorun.inf infectious sleight-of-hand also works on the beta version of Windows 7.

Guide to cleaning and preventing Conficker

As of Jan. 16, 2009, F-Secure estimates in its blog that the number of Conficker-infected PCs jumped from 2.4 million to 8.9 million in just four days. Unfortunately, that number has been increasing by a million infections a day.

I don't blindly accept F-Secure's analysis, nor that of any other security-software vendor, but it has become quite apparent that an enormous number of PCs have caught this worm.

Even though a Conficker-infected PC may not be able to access Microsoft.com — and Conficker probably disabled the PC's automatic-update function, too — getting rid of the worm is surprisingly easy.

• Step 1: Check your passwords. If you have an administrator account with an easily guessed password, change it. Microsoft provides a guide to strong passwords that includes a link to the company's online password checker. If somebody other than you controls your computer's admin password, make sure that person understands the gravity of this situation.
  
  
• Step 2: Make sure you've installed the patch described in MS08-067. Open Control Panel's Add or Remove Programs list to ensure that KB 958644 has been installed. Click Start (plus Run in XP), type appwiz.cpl, and press Enter. In XP, make sure Show updates at the top of the window is checked. In Vista, click View installed updates on the left to see all of your PC's patches.
  
  The update in question was probably installed in late October or November of last year; look for Security Update for Microsoft Windows (KB958644). If this patch isn't installed, browse to Microsoft's Download Center to retrieve and install it. If your PC is blocked from visiting this site, use a noninfected PC to download the patch to a removable medium and install the update on the wormed PC from that device.
  
  
• Step 3: Run Microsoft's Malicious Software Removal Tool (MSRT). The latest version of this Microsoft tool identifies and removes all of the Conficker variants I've heard about. The easiest way to get MSRT is through Windows Update, but if you can't get through to that service on the infected PC, borrow a computer and download the tool from Microsoft's site.
  
  
• Step 4: Disable AutoPlay. If Figure 2 doesn't convince you of the risk of using Windows' AutoPlay feature, nothing will. Simply stated, you don't need AutoPlay that much. Follow the advice in Scott Dunn's Top Story from the Nov. 8, 2007, issue for comprehensive instructions to disable AutoPlay.
  

Table of contents

By Katy Abby Everyone's tastes in cinema are different, but there are just some films that we, as members of society at large, are expected to have seen. The Star Wars epic is among the ranks of these esteemed classics. Few and far between are the folks who haven't joined Luke Skywalker and friends on their intergalactic quest to defeat the Dark Side. Every once in a while, however, you come across someone who just hasn't gotten around to it. Watch as one woman presents her hilarious, if uninformed, interpretation of George Lucas' extraterrestrial epic. (Warning: hard-core Star Wars geeks may need to avert their eyes.) Play the video

Table of contents

Are your computer's drivers up-to-date? Driver Detective provides the most up-to-date drivers specific to your computer! With more than 1 million drivers, Driver Detective saves you endless hours of work and aggravation normally associated with updating drivers. Drivers HeadQuarters

Get your message seen by 400,000 readers Does your company offer a product or service? Now you can place an ad in the Windows Secrets Newsletter and be seen by more than 400,000 active buyers of PC hardware and software. Bid as much or as little as you like to get the ideal ad placement. Windows Secrets Newsletter

See your ad here

INTRODUCTION By Brian Livingston A free bonus download for accidental admins TOP STORY By Woody Leonhard Keep the latest worm infestation off your PC How Conficker differs from other worms The worm's tricky twist on autorun.inf Guide to cleaning and preventing Conficker WACKY WEB WEEK By Katy Abby The Force is not strong with this one

	LANGALIST PLUS By Fred Langa Fix the dreaded "Run DLL as an App" error "Run DLL as an App" error kills Control Panel Sites don't recognize browsers or add-ons A wooden stake for PC energy vampires Powerful free tool simplifies Registry edits
	BEST SOFTWARE By Scott Dunn Sites let you fix photos for free from anywhere Top choice combines features and performance Useful editing features in a simple design High-end tools come at the cost of speed This image editor is more about play than work Looks like Photoshop, tastes like chicken Phixr needs a little phixing of its own
	PERIMETER SCAN By Ryan Russell How you can end a rootkit infection (as I had to) Teenage curiosity leads to rootkit infestation When it comes to malware, freshness counts Sleuthing to root out the network hijacker A rootkit remover suitable for pros only

There's no fixed fee! Contribute whatever it's worth to you Readers who make a financial contribution of any amount by Feb. 4, 2009, will immediately receive the latest issue of our full, paid newsletter and 12 months of new paid content. Pay as much or as little as you like — we want as many people as possible to have this information.

A portion of your support helps children in developing countries Each month, we send a full year of sponsorship to a different child. Your contributions in January are helping us to sponsor Ho Huy, a 10-year-old boy from a village in Vietnam. Plan USA channels development aid from donors to Ho Huy and his community. We also sponsor kids through Save the Children and other respected agencies. More info

More info on how to upgrade

Table of contents

• Visit our Unsubscribe page.
  

Table of contents