Jan 23 2009

Conficker Worm Hits Windows

by

Jeremy Dotson is a LAN administrator for Tronair, a manufacturer of aircraft ground support equipment in Holland, Ohio.

A new worm commonly known as Conficker is taking center stage in tech news the past few days. Also known as Downadup, Kido or Conflicker, this worm exploits the Windows MS08-067 service vulnerability, which was patched by Microsoft several months ago. ABC News estimates the worm spread to more than 9 million of the world’s Windows-based computer systems. This could possibly be a threat on the scale of the legendary Melissa worm and I Love You virus. By all means, arm yourself with knowledge and take action now!

Details of the Attack

The Conficker/Downadup worm can propagate across network connections as well as USB memory devices. It executes a multistage attack, in which it first makes hidden copies of itself, then takes steps to prevent cleanup; for example, blocking access to certain websites and Windows services. It then begins brute-force attacks to crack passwords by using randomized URLs on the Internet, where unknown criminals await to receive data from infected computers.

Possible URL names are so great as many as 250 new URLs every day — that antivirus companies have given up trying to buy the host names to prevent the connection. The future use of Conficker, and its stolen data, is unknown. Experts fear the worst, which means prevention is worth a ton of cure.

Conficker Symptoms

Is your computer acting ill? Although this tricky worm is hard to detect, Microsoft listed some symptoms you should watch out for. If your computer is infected with this worm, you might not experience any symptoms — or you might experience these:

  1. Account lockout policies are being tripped.
  2. Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
  3. Domain controllers respond slowly to client requests.
  4. The network is congested.
  5. Various security-related websites cannot be accessed.

Removal

Details and removal instructions are available from the Microsoft Help and Support website, under Article ID: 962007, located at http://support.microsoft.com/kb/962007.

If you suspect that you are infected, or simply want to take precautionary measures, you should update your virus definitions for whatever antivirus software you use immediately. If you do not have antivirus software, Microsoft provides a free PC safety scan which you can find here: http://onecare.live.com/site/en-us/default.htm.

You also should install and manually run Windows Update on all Windows-based systems. Conficker/Downadup will break Windows automatic updates, so be sure you verify that updates have been run. At the very least, you should read Microsoft Security Bulletin MS08-067 and download the Operating System–specific patch that you find there that specifically addresses the service vulnerability. There is a separate patch for nearly every Windows OS. Installation will take less than 30 seconds on average. A reboot is required. For IT professionals, in-depth technical details about the vulnerability and the patch can be found here: http://support.microsoft.com/kb/958644.

Next, we suggest you install and run the Microsoft Malicious Software Removal Tool, which can be found here: http://www.microsoft.com/downloads. This is an after-the-fact removal solution — it is not a replacement for true antivirus software!

Finally, you may want to consider changing all network passwords. The stronger the password, the better. If you are in a domain, look for domain account lockout policies to be triggered. Conficker’s brute-force attack will no doubt be locking out accounts left and right.

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now