What is Conficker and how to avoid it from infecting your computer?

April 3, 2009 | 2 Replies


The Conficker infection (also known as Downadup and Kido) is a worm that spreads predominantly by exploiting the MS08-067 Windows vulnerability (found in the RPC facilities) and is also able to infect other computers through network shares and removable media. Microsoft has addressed the problem by releasing a patch for the vulnerability, though there are still many computers that do not have it installed. How much concern is justified remains under debate, but if you are concerned, let me walk you through the facts.

When installed, Conficker/Downadup copies itself to your C:\Windows\System32 folder as a DLL file with a random name. It may also copy itself to the %ProgramFiles%\Internet Explorer or %ProgramFiles%\Movie Maker folder. It then creates a Windows service that loads this DLL through svchost.exe (which is itself a legitimate Windows file) every time you turn on your computer. The infection then changes a variety of Windows settings so that it can efficiently infect other computers over your network or the Internet.
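The service-plus-DLL pattern described above is something a defender can look for in a service inventory. The following is an added example, not code from the original post: it triages svchost-hosted services against a known-good baseline and flags DLLs that are unknown, live in the Internet Explorer or Movie Maker folders, or have random-looking names. The service records, the baseline list and the two suspicious service names are constructed for the example; on a real machine the records would come from each service's ImagePath and Parameters\ServiceDll registry values.

```python
"""Triage of svchost-hosted services for Conficker-style DLLs.

Added example, not code from the original post. It applies the post's
description (a randomly named DLL dropped in System32, Internet Explorer or
Movie Maker and loaded by a new service under svchost.exe) to an inventory of
service records. The records below are constructed; on a real machine they
would be read from each service's ImagePath and Parameters\\ServiceDll values.
"""
import re
from dataclasses import dataclass


@dataclass
class ServiceRecord:
    name: str          # service short name
    image_path: str    # ImagePath value
    service_dll: str   # Parameters\\ServiceDll value ("" for services that are plain EXEs)


# Assumption: a baseline of DLLs known to run under svchost on a clean machine.
# A real deployment would export this list from a trusted, patched reference host.
KNOWN_GOOD_DLLS = {"wuauserv.dll", "browser.dll", "wkssvc.dll", "srvsvc.dll", "ipnathlp.dll"}

# No legitimate service DLL should be loaded from these application folders.
APP_FOLDERS = (r"c:\program files\internet explorer", r"c:\program files\movie maker")

# Weak signal: a short run of letters with at most one vowel (Conficker's DLL
# names were random letters). Baseline membership is checked first, so real but
# vowel-poor names such as srvsvc.dll are never flagged by this rule.
RANDOM_STEM = re.compile(r"[a-z]{5,12}")


def looks_random(stem: str) -> bool:
    return bool(RANDOM_STEM.fullmatch(stem)) and sum(c in "aeiou" for c in stem) <= 1


def triage(records, baseline=KNOWN_GOOD_DLLS):
    """Return (service name, ServiceDll, reasons) for every suspicious svchost service."""
    findings = []
    for rec in records:
        if "svchost.exe" not in rec.image_path.lower() or not rec.service_dll:
            continue  # only svchost-hosted services load a ServiceDll
        dll = rec.service_dll.lower()
        folder, _, filename = dll.rpartition("\\")
        if filename in baseline:
            continue  # known good; nothing to report
        reasons = ["ServiceDll not in the known-good baseline"]
        if folder in APP_FOLDERS:
            reasons.append("ServiceDll loaded from an application folder instead of System32")
        if looks_random(filename.rsplit(".", 1)[0]):
            reasons.append("random-looking DLL name")
        findings.append((rec.name, rec.service_dll, reasons))
    return findings


# Constructed inventory: two legitimate services, one plain-EXE service and two
# entries shaped like the post's description (the service and DLL names are made up).
SAMPLE_SERVICES = [
    ServiceRecord("wuauserv", r"C:\WINDOWS\system32\svchost.exe -k netsvcs", r"C:\WINDOWS\system32\wuauserv.dll"),
    ServiceRecord("Browser", r"C:\WINDOWS\system32\svchost.exe -k netsvcs", r"C:\WINDOWS\system32\browser.dll"),
    ServiceRecord("Spooler", r"C:\WINDOWS\system32\spoolsv.exe", ""),
    ServiceRecord("ifpxulm", r"C:\WINDOWS\system32\svchost.exe -k netsvcs", r"C:\WINDOWS\system32\ksfzqtlm.dll"),
    ServiceRecord("mmhelper", r"C:\WINDOWS\system32\svchost.exe -k netsvcs", r"C:\Program Files\Movie Maker\jqwblt.dll"),
]


def triage_sample():
    return triage(SAMPLE_SERVICES)


if __name__ == "__main__":
    for name, dll, reasons in triage_sample():
        print(f"{name}: {dll}")
        for reason in reasons:
            print(f"    - {reason}")
```

The baseline check comes first on purpose: the random-name rule is only a weak hint, and several genuine Windows service DLLs have vowel-poor names, so an unknown DLL is what makes an entry worth a second look, and the folder and name signals only raise its priority.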

Once the infection is running, you will no longer be able to access a variety of sites such as Microsoft.com, AVG.com and those of many other anti-virus vendors. It does this so that you cannot download removal tools or update your anti-virus programs. (Something similar happened to me a couple of days ago, but I was able to detect it as a Trojan.) Likewise, these websites may refuse your connection themselves because they have also detected that your computer is a security threat or carrying malware.

An infection by the Conficker worm may perform any of the following actions, in no particular order:

  • Stop and start System Restore in order to remove all your current System Restore points, so that you cannot roll back to a previous date when your computer was working properly.
  • Check for Internet connectivity by attempting to connect to any of the following sites:
      o aol.com
      o cnn.com
      o ebay.com
      o msn.com
      o myspace.com
  • Attempt to determine the infected computer’s IP address by visiting one of the following sites:
      o http://www.getmyip.org
      o http://getmyip.co.uk
      o http://checkip.dyndns.org
      o http://www.whatismyip.com/
  • Download other files to be used as necessary.
  • Scan the infected computer’s network for vulnerable computers and try to infect them.

Some symptoms that may hint that you are infected with this malware are as follows:

  • Anti-malware software stating that you are infected with malware using one of the following names:
      o Net-Worm.Win32.Kido
      o W32/Conficker.worm.gen
      o Worm.Conficker
      o W32.Downadup
      o W32/Downadup.AL
      o W32/Confick-A
      o Win32/Conficker.A
      o Mal/Conficker
      o Worm:Win32/Conficker.B
      o Win32.Worm.Downadup.Gen

(This list is helpful for determining whether you are infected or not. What happened to my computer a couple of days ago showed some of the vital signs I’ve cited in the next three bullet points below, but looking at it from here, based on the malware’s extension, I have discovered that it was not Conficker but “Win32.VB.fnk”, which is a Trojan.)

  • Automatic updates no longer working.
  • Anti-virus software is no longer able to update itself.
  • Unable to access a variety of security sites, such as anti-virus software companies.
  • Random svchost.exe errors.

“Prevention is better than cure.” What you need to know and do.

1. If you installed the patch (through the “Microsoft Security Bulletin MS08-067 Critical” update) before Conficker came out (late in December 2008), then you were protected and still are. If you haven’t, then you must install the latest critical security updates found on www.windowsupdate.com. Although Windows Vista is technically vulnerable, the exploit is almost impossible to execute on it, which makes Conficker basically an XP problem.

2. As mentioned earlier, Conficker spreads through network shares; however, a good anti-malware program can detect it at that early stage.

3. While Conficker spreads through network shares, it also puts weak passwords at risk, because the worm runs a “dictionary attack” against them. So if you find unfamiliar executables on such shared drives, report them and contact the network administrator. Beyond that, use strong or even complex password combinations that include letters, numbers, and punctuation.
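Tip 3 can be turned into a concrete check applied whenever a share or account password is set. The following is an added example, not code from the original post: it rejects passwords that a wordlist-based attack would find quickly, including dictionary words with digits or punctuation tacked on the end. The wordlist fragment and the 12-character minimum are assumptions of this example, not figures from the post.

```python
"""Password checks against the kind of dictionary attack described in tip 3.

Added example, not code from the original post. `password_findings` reports why
a candidate password would be weak against a worm that tries a wordlist over
network shares; the wordlist and the 12-character minimum are assumptions of
this example, not figures from the post.
"""
import string

# Constructed fragment of a dictionary-attack wordlist (real lists are far longer).
COMMON_PASSWORDS = {
    "password", "123456", "admin", "administrator", "letmein", "qwerty",
    "welcome", "test", "server", "changeme", "secret", "share",
}
MIN_LENGTH = 12  # assumption for this example


def password_findings(password: str, username: str = "") -> list:
    """Return a list of reasons the password is weak; an empty list means it passes."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        reasons.append("uses fewer than three of: lower case, upper case, digits, punctuation")

    lowered = password.lower()
    # Wordlists are usually tried with digits/punctuation appended, so strip
    # those before the lookup: "Password1!" is still the dictionary word "password".
    core = lowered.rstrip(string.digits + string.punctuation)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("dictionary word (with or without a trailing suffix)")

    if username and username.lower() in lowered:
        reasons.append("contains the account name")
    return reasons


def is_acceptable(password: str, username: str = "") -> bool:
    return not password_findings(password, username)


if __name__ == "__main__":
    # Constructed account/password pairs for the demonstration.
    for user, pw in [("admin", "Password1!"), ("jsmith", "Correct-Horse-Battery-77"), ("share", "share2009")]:
        print(user, pw, password_findings(pw, user) or "OK")
```

The suffix stripping is the part worth noting: "Password1!" satisfies a naive "letters, numbers and punctuation" rule, yet it is still a single wordlist entry plus the most common suffix pattern, so the check looks up the stripped core as well as the whole string.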

4. Conficker can also spread through removable drives such as USB drives, so be vigilant. Here too, a good anti-malware program can help.

5. Conficker is a high-profile piece of malware. While no anti-malware software is perfect, a good one has a high success rate, and keeping your anti-virus software updated is essential.

6. The inability of Windows and anti-malware programs to update themselves is itself part of a Conficker worm infection. To avoid this, check these programs and Windows more often to make sure that they do update, and never leave an update uninstalled.

7. Get hold of a free Conficker/Downadup cleaning tool, such as one of those listed:

* McAfee Stinger
* ESET EConfickerRemover
* Symantec W32.Downadup Removal Tool
* F-Secure F-Downadup, FSMRT, more tools
* BitDefender single PC and network removal tools
* Kaspersky KKiller
* Trend Micro

(If you use any one of the tools above to remove Conficker, immediately install the MS08-067 patch afterwards.)

* BitDefender
* Symantec

(Image: Downadup scanning IP addresses)

Reference Links:

F-Secure Downadup information
Windows MS08-067 Patch
Worm:Win32/Conficker.B information from Microsoft
Conficker/Downadup Worm Dubbed ‘Epidemic’

Update: 13 April 2009

While there is a lot of information online that provides valuable resources about Conficker, one method that is currently gaining attention is the Conficker Eye Chart. However, it is still recommended to follow the tips mentioned in this post.
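The Eye Chart idea, and the blocked-site symptom described earlier in the post, come down to one comparison: ordinary sites load while security vendors' sites do not. The following is an added example, not the Eye Chart itself and not code from the post: `classify` turns a site-to-reachable mapping into a verdict, and `probe` (optional, needs network access) builds that mapping with plain HTTP requests. The security-site list is an assumption drawn from the vendors the post names; the control list is the worm's own connectivity-check sites quoted above. The result patterns at the bottom are constructed.

```python
"""Selective-blocking check in the spirit of the Conficker Eye Chart.

Added example, not the Eye Chart itself and not code from the post. The post
says an infected machine can no longer reach Microsoft.com, AVG.com and other
anti-virus vendors while ordinary sites still work. `classify` turns a
site -> reachable mapping into a verdict; `probe` (optional, needs network)
builds that mapping with plain HTTP requests. The site lists are assumptions
drawn from the post's examples.
"""
import socket
import urllib.error
import urllib.request

SECURITY_SITES = ["www.microsoft.com", "www.avg.com", "www.symantec.com", "www.f-secure.com"]
# Control group: ordinary sites; the post lists these as the worm's own connectivity check.
CONTROL_SITES = ["www.aol.com", "www.cnn.com", "www.ebay.com", "www.msn.com"]


def classify(results: dict) -> str:
    """Verdict from reachability results; sites missing from the mapping count as unreachable."""
    sec_ok = sum(bool(results.get(s)) for s in SECURITY_SITES)
    ctl_ok = sum(bool(results.get(s)) for s in CONTROL_SITES)
    if ctl_ok == 0:
        return "offline"  # no baseline connectivity; nothing can be concluded
    if sec_ok == 0:
        return "security sites blocked"  # the pattern the post describes
    if sec_ok < len(SECURITY_SITES):
        return "security sites partly blocked"
    return "normal"


def blocked_sites(results: dict) -> list:
    return [s for s in SECURITY_SITES if not results.get(s)]


def probe(sites, timeout: float = 5.0) -> dict:
    """Try an HTTP GET against each site. Any HTTP response, even 403, proves the site is reachable."""
    results = {}
    for site in sites:
        try:
            with urllib.request.urlopen(f"http://{site}/", timeout=timeout):
                results[site] = True
        except urllib.error.HTTPError:
            results[site] = True   # the server answered, so DNS and TCP both worked
        except (urllib.error.URLError, socket.timeout, OSError):
            results[site] = False  # DNS failure, refused connection or timeout
    return results


# Constructed result sets: the shape an infected and a clean machine would produce.
INFECTED_PATTERN = {**{s: True for s in CONTROL_SITES}, **{s: False for s in SECURITY_SITES}}
CLEAN_PATTERN = {s: True for s in CONTROL_SITES + SECURITY_SITES}


if __name__ == "__main__":
    live = probe(CONTROL_SITES + SECURITY_SITES)
    print(classify(live), blocked_sites(live))
```

Treating an HTTP error as "reachable" is deliberate: the symptom on the page is that the connection to the vendor never succeeds at all, so a 403 or 404 from the vendor still rules that symptom out, while a DNS failure or timeout for every security site alongside working control sites is the pattern that warrants running one of the removal tools listed above.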
