Dear (me);
Customer ID: xxxxxxxxx
Qwest Security Services has received notification about malicious traffic
originating from this account. This means that this computer or another
computer on your network is trying to infect, attack, or gain unauthorized
access to other computers on the Internet.
This malicious traffic has been determined to be an instance of the "Conficker"
worm.
Conficker, also known as "Downadup", is a worm that disables access to web
sites related to computer security and antivirus programs, in order to prevent
removal.
Details about this worm are available at:
http://www.f-secure.com/v-descs/worm_w3 ... p_al.shtmlhttp://www.sophos.com/security/analyses ... ckera.htmlPlease see the Acceptable Use Policy at:
http://www.qwest.com/legal/usagePolicy.htmlQwest may take further action, including the suspension or termination of
your Service. Please note that if you use the Internet for Voice over IP
services (VoIP) to support Internet based calling, you will not be able
to make any incoming or outgoing calls, including 9-1-1 calls, from your
service address unless you have Internet service. Also, disconnection
of a bundled service may result in loss of you bundle discount.
Qwest recommends that you patch all Windows operating systems, as described in
Microsoft Security Bulletin MS08-067.
Please make sure that the system software is up to date, that antivirus
software is installed with current antivirus signatures, and that your hard
disk(s) have been scanned to detect and remove all viruses, worms, trojans, or
other software which allow unauthorized remote control of your systems.
Because this worm blocks access to web sites related to computer security and
antivirus programs in order to prevent removal, attempts to update or obtain
antivirus programs may fail. For this reason, Qwest and Microsoft are providing
access to the Microsoft Malicious Software Removal Tool to assist our customers
in effectively removing this worm. This tool is available at:
http://www.qwest.net/MSRTIn the event that you are unable to update your antivirus program to remove the
worm, you may need to seek assistance from a computer professional to
effectively remove the worm and update your antivirus protection. Please note
that you may need to reinstall updated antivirus software after the worm is
removed to restore protection.
Additionally, having your firewall block inbound access to TCP port 445 may
prevent future access to vulnerable systems. Please consult your firewall or
server documentation for further instructions on how to block access to this
port.
Removal tools for this worm are available at:
* Microsoft Malicious Software Removal Tool:
http://www.microsoft.com/security/malwa ... fault.mspxOr:
http://www.qwest.net/MSRT* or, Symantec:
http://www.symantec.com/business/securi ... 16-0247-99Other tools may be available through your antivirus provider.
The date, time (GMT) and IP addresses identified in our investigation
are as follows:
Date IP Additional Info
=================== =============== =======================================================
2011-07-26 15:58:49 75.173.30.2 infection => 'conficker', subtype => 'downadup', src_port => '45116', dst_port => '80', http_host => '149.20.56.34', url => 'GET /search?q=0 HTTP/1.1', http_agent => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)', dst_ip => '149.20.56.34', sourceSummary => 'Sinkhole HTTP Drone Report'
2011-07-26 15:58:49 75.173.30.2 infection => 'conficker', subtype => 'downadup', src_port => '45116', dst_port => '80', http_host => '149.20.56.34', url => 'GET /search?q=0 HTTP/1.1', http_agent => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)', dst_ip => '149.20.56.34', sourceSummary => 'Sinkhole HTTP Drone Report'
Regards,
--
Qwest Security Services
sysop@qwest.net,
abuse@qwest.netAcceptable Use Policy
http://www.qwest.com/legal/usagePolicy.htmlHigh Speed Internet Subscriber Agreement
http://www.qwest.com/legal/highspeedint ... agreement/
