Mysterious Computing: I (fictional story) on Tue Apr 07, 2009 10:08 pm
DragonMaster Jay
Site Owner

Never-ending stories have told once upon a time, but I say once upon a computer. What time is it? Fix me time. What beast do I have to deal with, a dragon? To continue with an obvious point that I may just be crazy. What is the deal with all the hype about Conficker? Is it really Conficker, or just another cornflicker? The true story is this: some things never change.

Stormy as it was, with a tornado threat in Ohio. I was in my friend's house, yes, my friend Ricky Borgloa. Ricky was not the intelligent one, but at least he knew a little about his own machine. He knew how to log on, check the internet, and somewhat knew how to maintain security for his computer. What struck him? Conficker.DRAGON. The hardest worm I dealt with. Just like a worm, the beast tore through his operating system… oh save us Microsoft, as we cannot take it any more. Microsoft did not know anything and this worm was not going anywhere.

A legacy breeds into a conscious state. It was a tough dragon versus me – a normal computer fixer, and a guru in his greatest time. Why did he choose me to fix his computer? It could not start apparently, so something is getting in the way, except for the worm. I booted the machine and entered the BIOS, only to find the normal configuration, so then I changed the boot configuration to start at the DVD drive. I got my handy Avira rescue disk and placed it into the drive, then saved the BIOS and exited. It rebooted. Immediately following was the boot into the rescue disk, where I began scanning the machine. The system saw four viruses; this dragon downloaded four. I activated the remover and all four were deleted successfully.

I removed the DVD rescue disk from the drive as prompted and rebooted. I let the machine boot up and this black screen popped up and said, "Your system did not shut down properly last time, would you like Startup Repair to fix your startup issues?"

I allowed this to occur. Startup Repair fixed the boot.ini and I was feeling good. When I finally got to boot into Windows, a black screen showed up and said "Beware of the dragon of Conficker – your doom now awaits you!!!!!!!!!!!!!!!!!!!!!!"

I was scared… YES, scared! At about 9pm it is right now, I was thinking – "okay, what do I do?" Then it dawned on me. That was a scare tactic; this worm must also have a malware program of its own installed on the machine. It is meant to disrupt logons. Why? Why is this so hard?

From SDFix to ComboFix to Malwarebytes' Anti-Malware – this worm would not move a smidgen. This abyss-like creature would not take defeat that easily. It was all about surrendering. I looked for alternate data streams afterward. I found two malicious data streams with the HJT ADS Spy. I edited the HOSTS file and saw quite a few bad ones there. I did a HijackThis scan, deleted what looked nasty, and found this entry, which could not be removed (HJT accessed the file, but got the permissions error Access Denied):

O4 - HKLM\..\Run: [ConfickME.AssuredClearTecholgy] "C:\Program Files\AssuredClearTech\ConfickME\Antimal.exe"

It looked like the worm, which came from the company Assured Clearance Techolgy, downloaded the malware. It is designed to be an anti-malware program. I know it is rogue; I do not need a second opinion on that. It seems like the program knew I tried to remove it. I deleted some unknown HijackThis entry. I think it knows.

This Conficker.DRAGON worm or the anti-malware fired back a message to the desktop saying:

"To remove me, decrypt my code. ~Signed, ConfickME Mr. Dragon"

Is it that easy? Oh no. How hard is it to decrypt code? This is going to take a long time.

I got out my handy Conficker remover disc, which was created a couple of months ago. I installed and removed the anti-malware rogue, and the first worm. Altogether, there were two worms, an anti-malware rogue, and four viruses. Who knew if there was spyware on this machine! Both worms were Conficker variants. One was Conficker.F and the other was Conficker.DRAGON. Conficker.DRAGON is a zero-day vulnerability.

The disc found the DRAGON to be related to Conficker.E. Conficker.E was a translator for security programs, which attempted to change security programs' code and change the language of the programs to confuse the user. It then would download its own anti-malware rogue that deleted all good security programs. The disc said to reboot into safe mode with the disc inserted, and the BOT on the disc would run through the system and find unusual activity. It found the following unusual activity:

----------------------------------
-Worm changed files in System32\En-US with signature: CFKmeMrDrAgOn
-Worm changed files in System32\cs-CZ with signature: CFKmeMrDrAgOn
-Worm changed files in System32\Speech\SpeechUX\SpeechUX.dll with signature: CFKmeMrDrAgOn
-Worm executed control of Svchost.exe (Exact Entry N/A) with signature: CFKmeMrDrAgOn
----------------------------------

That was the code: CFKmeMrDrAgOn

I went to the anti-malware rogue, into the options menu. I clicked the advanced options tab. Then I clicked the REMOVE ME button. It asked for the removal code from TrustedInstaller. I put in CFKmeMrDrAgOn.

It ran a command prompt BATCH file, then the anti-malware rogue disappeared and Windows Installer popped up and said "Removed Successfully."

I rescanned the computer, and scanned again. Nothing bad was found. The worm was gone. I shook hands with Ricky and said "Problem fixed!" He said, "Thanks. Here is $200." I said thanks and left. I shouted in my house when I got home: I AM DRAGONMASTER JAY!!!
..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner