Jan 23 2009

Conficker Worm Hits Windows

An IT pro offers advice on how to manage what may be a very destructive worm.

A new worm commonly known as Conficker is taking center stage in tech news the past few days. Also known as Downadup, Kido or Conflicker, this worm exploits the Windows MS08-067 service vulnerability, which was patched by Microsoft several months ago. ABC News estimates the worm spread to more than 9 million of the world’s Windows-based computer systems. This could possibly be a threat on the scale of the legendary Melissa worm and I Love You virus. By all means, arm yourself with knowledge and take action now!

Details of the Attack

The Conficker/Downadup worm can propagate across network connections as well as USB memory devices. Because it can weasel its way into computers through USB devices, many organizations are disabling AUTORUN and AUTOPLAY for USB sticks.

The worm executes a multistage attack, in which it first makes hidden copies of itself, then takes steps to prevent cleanup; for example, blocking access to certain websites and Windows services. It then begins brute-force attacks to crack passwords. Finally, it contacts randomized URLs on the Internet where unknown criminals wait to receive data from infected computers. Possible URL names are so numerous—as many as 250 new URLs every day—that antivirus companies have given up trying to buy the host names to prevent the connection.

Conficker Symptoms

Is your computer acting ill? Although this tricky worm is hard to detect, Microsoft listed some symptoms you should watch out for. If your computer is infected with this worm, you might not experience any symptoms — or you might experience these:

  1. Account lockout policies are being tripped.
  2. Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
  3. Domain controllers respond slowly to client requests.
  4. The network is congested.
  5. Various security-related websites cannot be accessed.
Details and removal instructions are available from the Microsoft Help and Support website, under Article ID: 962007, located at http://support.microsoft.com/kb/962007.

If you suspect that you are infected, or simply want to take precautionary measures, FedTech suggests you update your virus definitions for whatever antivirus software you use immediately. If you do not have antivirus software, Microsoft provides a free PC safety scan which you can find here: http://onecare.live.com/site/en-us/default.htm.

FedTech also suggests you install and manually run Windows Update on all Windows-based systems. Conficker/Downadup will break Windows automatic updates, so be sure you verify that updates have been run. At the very least, you should read Microsoft Security Bulletin MS08-067 and download the Operating System–specific patch that you find there that specifically addresses the service vulnerability. There is a separate patch for nearly every Windows OS. Installation will take less than 30 seconds on average. A reboot is required. For IT professionals, in-depth technical details about the vulnerability and the patch can be found here: http://support.microsoft.com/kb/958644.

Next, we suggest you install and run the Microsoft Malicious Software Removal Tool, which can be found here: http://www.microsoft.com/downloads/details.aspx?familyid=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en. This is an after-the-fact removal solution — it is not a replacement for true antivirus software!

Finally, you may want to consider changing all network passwords. The stronger the password, the better. If you are in a domain, look for domain account lockout policies to be triggered. Conficker’s brute-force attack will no doubt be locking out accounts left and right.
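The symptom list above and the remediation steps (verify the MS08-067 patch, disable USB AutoRun, watch for lockouts) lend themselves to a single host checklist. The following PowerShell script is an added example and is not from the FedTech article or from Microsoft; it checks one Windows machine for each item the article names. The service short names, the event IDs for account lockouts, the NoDriveTypeAutoRun registry value and the hostname list are the editor's assumptions, and a failed name lookup can of course also be an ordinary network outage.

```powershell
# Added triage script, not part of the FedTech article: checks one Windows host for
# the Conficker symptoms and the remediation steps the article lists.
# Run from an elevated PowerShell prompt. Service short names, the registry value,
# the event IDs and the hostname list below are assumptions, not from the article.

$findings = @()

# 1. Services the article says the worm disables. Short names are assumptions
#    (Error Reporting is ERSvc on XP/2003 and WerSvc on Vista and later).
$watched = @{
    'wuauserv'  = 'Automatic Updates'
    'BITS'      = 'Background Intelligent Transfer Service'
    'WinDefend' = 'Windows Defender'
    'ERSvc'     = 'Error Reporting Service'
    'WerSvc'    = 'Windows Error Reporting Service'
}
foreach ($name in $watched.Keys) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) { continue }   # service does not exist on this OS version
    # Flag a disabled start mode, or an automatic service that is not running.
    if ($svc.StartMode -eq 'Disabled' -or ($svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running')) {
        $findings += "Service '$($watched[$name])' ($name) is $($svc.State), start mode $($svc.StartMode)"
    }
}

# 2. MS08-067 patch: the article points to KB958644 for the fix.
$patch = Get-WmiObject -Class Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq 'KB958644' }
if ($patch -eq $null) {
    $findings += "KB958644 (MS08-067) not found among installed hotfixes; run Windows Update and reboot"
}

# 3. Security-related websites unreachable: test name resolution for a few
#    well-known vendor hosts (the list is an assumption; extend it as needed).
$hosts = @('www.microsoft.com', 'update.microsoft.com', 'www.symantec.com', 'www.mcafee.com')
foreach ($h in $hosts) {
    try {
        [void][System.Net.Dns]::GetHostAddresses($h)
    } catch {
        $findings += "Name resolution failed for $h (could also be a plain network outage)"
    }
}

# 4. Account lockouts in the last 24 hours (event 644 on XP/2003, 4740 on Vista
#    and later). Needs rights to read the Security log; on a domain, run it on a DC.
$lockouts = Get-EventLog -LogName Security -After (Get-Date).AddDays(-1) -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 644 -or $_.EventID -eq 4740 }
$lockoutCount = @($lockouts).Count
if ($lockoutCount -gt 0) {
    $findings += "$lockoutCount account lockout event(s) in the last 24 hours; review for brute-force activity"
}

# 5. USB AutoRun: NoDriveTypeAutoRun = 0xFF (255) disables AutoRun for every drive type.
#    Only the machine-wide policy key is checked here.
$key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autorun -ne 255) {
    $findings += "AutoRun is not fully disabled (NoDriveTypeAutoRun = $autorun); set it to 0xFF"
}

if ($findings.Count -eq 0) {
    Write-Output "No Conficker indicators from this checklist on $env:COMPUTERNAME"
} else {
    Write-Output "Findings on $($env:COMPUTERNAME):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The script only reports; it changes nothing, so it is safe to run on a machine you merely suspect. A host that shows the patch missing plus disabled Automatic Updates and BITS should be isolated from the network before you go on to the Malicious Software Removal Tool and the password changes the article recommends, since the worm spreads over file shares and removable media while the machine stays connected.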