Yesterday around 8 pm I decided to switch on my laptop and watch a movie. The movie was in .avi format and hence a VLC player was required. I connected my pen drive and immediately McAfee sent a pop-up notifying me about the W32/Conficker virus. My first reaction was to disconnect the internet connection. I looked into the Registry but didn't find anything worth noting. Windows\System32 also didn't show any DLLs modified yesterday.
I assumed my machine was clean and re-connected to the Internet. Somehow I couldn't convince myself that Conficker hadn't done any damage to my system. I decided to look into the network traffic. On monitoring for a long period I saw several domain pings and a few noteworthy points.
1) All pings were inbound. None outbound.
2) IPs of various ranges: 112.x.x.x to 118.x.x.x, then 202.x.x.x, etc.
3) I used a certain tool to trace IPs. The IP location on the world map and the network map were consistent in very few cases. That is to say, 115.x.x.x was shown as Shongzhong on the map but the network address was traced to Australia. It's strange! There are tools for IP jumping; I have heard of this. So I assume that is the case here.
4) Pings were made from various companies, mostly internet service providers, from the US, China, Australia and even Singapore.
5) The first ping was made by 212.x.x.x. On tracking, the actual IP boiled down to 72.x.x.x. This IP is that of Ukraine and belongs to an organization there named WildPark. I have taken down the complete address of the organization. In fact, two persons from the organization have been identified as well. One of them claims to be an Alexander Lapidus and the other is Oleg Chernov. I looked up Lapidus on the internet and saw that people have reported him as a cyber-world scammer.
6) Unsolicited connections were sought for several UDP ports, ICMP ping, MySQL, MS SQL, TCP port 8080, HTTP proxy, Microsoft-DS, etc.
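Working through points 1, 2 and 6 by hand means tallying, for every attempt, its direction, the source address range and the service being knocked on, then noticing which sources touch many services at once. The script below is an added example, not code from the original post: it does that tally in Python over a small constructed log. The line format (one firewall-style line per attempt, `direction proto src:port -> dst:port`) is an assumption, and the sample addresses are constructed from documentation address space rather than taken from the author's capture.

```python
"""Summarise a connection log: inbound vs outbound, source /8 ranges, target
services, and sources that probe several services (added example, not the
post's own tooling; log format and sample lines are assumptions)."""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample capture, one attempt per line (NOT the author's data):
#   <direction> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
in tcp 115.0.2.10:41022 -> 192.0.2.7:445
in tcp 115.0.2.10:41023 -> 192.0.2.7:1433
in tcp 115.0.2.10:41024 -> 192.0.2.7:3306
in tcp 115.0.2.10:41025 -> 192.0.2.7:8080
in udp 118.0.2.44:5353 -> 192.0.2.7:1434
in icmp 202.0.2.9:0 -> 192.0.2.7:0
in tcp 212.0.2.5:50010 -> 192.0.2.7:445
in tcp 212.0.2.5:50011 -> 192.0.2.7:3128
out tcp 192.0.2.7:51000 -> 198.51.100.20:443
"""

# Labels for the services named in the post (standard port assignments).
SERVICE_NAMES = {
    ("tcp", 445): "Microsoft-DS (SMB)",
    ("tcp", 1433): "MS SQL",
    ("udp", 1434): "MS SQL browser",
    ("tcp", 3306): "MySQL",
    ("tcp", 8080): "TCP 8080",
    ("tcp", 3128): "HTTP proxy",
}


def parse_log(text):
    """Parse log lines into records; malformed lines and bad IPs are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "->":
            continue
        direction, proto, src, _, dst = parts
        try:
            src_ip, _src_port = src.rsplit(":", 1)
            dst_ip, dst_port = dst.rsplit(":", 1)
            ipaddress.ip_address(src_ip)   # raises ValueError if not an IP
            ipaddress.ip_address(dst_ip)
            records.append({
                "direction": direction,
                "proto": proto,
                "src_ip": src_ip,
                "dst_port": int(dst_port),
            })
        except ValueError:
            continue
    return records


def service_name(proto, port):
    """Human-readable service label; unknown ports fall back to 'proto port'."""
    if proto == "icmp":
        return "ICMP"
    return SERVICE_NAMES.get((proto, port), f"{proto} {port}")


def summarize(records, scan_threshold=3):
    """Count attempts by direction, group inbound ones by first octet (the
    112.x.x.x-style ranges in the post) and by service, and list sources that
    touched at least scan_threshold distinct services."""
    by_direction = Counter(r["direction"] for r in records)
    inbound = [r for r in records if r["direction"] == "in"]
    by_src_prefix = Counter(r["src_ip"].split(".")[0] for r in inbound)
    by_service = Counter(service_name(r["proto"], r["dst_port"]) for r in inbound)
    services_per_src = defaultdict(set)
    for r in inbound:
        services_per_src[r["src_ip"]].add(service_name(r["proto"], r["dst_port"]))
    scanners = sorted(ip for ip, s in services_per_src.items() if len(s) >= scan_threshold)
    return {
        "by_direction": dict(by_direction),
        "by_src_prefix": dict(by_src_prefix),
        "by_service": dict(by_service),
        "scanners": scanners,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports eight inbound attempts and one outbound, four sources in the 115 range, two hits on Microsoft-DS, and flags 115.0.2.10 as the only source that probed three or more distinct services. The per-source service set is what separates a single stray connection from a host walking through ports, which is the distinction point 6 is implicitly making.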
Folks who have worked on Conficker before have drawn conclusions, after several observations, that the Conficker virus could have its origins in Ukraine. If this is to be believed, then I think the 5th point stated above could act as a witness, a base for researchers to work on further.
It's very difficult to determine or conclude anything now. I shall keep posting further observations.
