
What is the INF Conficker Virus?

Edited by: Bill Bunter • Updated: 6/7/2010

INF/Conficker, a sibling of Win32/Conficker, uses the same strategy to infect a system: the Autorun feature. Microsoft's Autorun vulnerability has given rise to many new viruses and Trojans, yet Microsoft still claims it is a feature of Windows.


    Description

    INF Conficker 

    INF/Conficker is similar to the W32/Conficker virus and can be regarded as a variant of it. It exploits Microsoft's longest-unpatched Autorun vulnerability, which Microsoft claims is a Windows feature, and downloads malicious content onto the infected computer system. Although INF/Conficker falls under the category of virus, it has been sub-categorized as a worm because it exploits the Windows vulnerability to infect computer systems.


    Risk Assessment

    Home Users – LOW

    Corporate Users – LOW


    Virus Characteristics

    Filename: Autorun.inf

    Type: Worm

    Detection: Conficker.worm!inf

    Length: variable length


    Symptoms

    An Autorun.inf file is present on every removable medium attached to the computer, or on a network drive.


    How it Works

    INF/Conficker exploits Microsoft's Autorun feature to spread to local as well as remote computers, i.e. computers connected in a network. It drops an Autorun.inf file into the root of every removable medium connected to the computer and onto the mapped network drives. It then executes the code written inside the Autorun.inf file to download other malicious files onto the computer and infect it with worms and viruses. The malicious content is downloaded from remote servers that have already been set up for such activities.

    The Autorun.inf file is of variable length, and sometimes its file attributes are set to S (system) and H (hidden). Since the Windows default setting is “Do not show system and hidden files”, this worm goes unnoticed by the user and can only be detected with the help of an antivirus.

    The content of the Autorun.inf file looks something like this:

    shelLExECUte=RuNdLl32.EXE .\RECYCLER\S-x-x-xx-2819952290-8240758988-879315005-xxx\jwgkvsq.vmx,ahaezedrn

    When the Autorun.inf file is executed, the computer is infected with the malicious content downloaded from remote servers. Because the INF/Conficker worm is introduced locally, it does not exploit the MS08-067 vulnerability. So even if you have patched the system against MS08-067, that patch will not stop this worm from executing.
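A defender-side check for the Autorun.inf pattern shown above, as an added example that is not part of the original article: it normalizes the mixed-case keys, extracts every launch command and lists why each one looks suspicious. The function names, the heuristics and the filler lines in the sample are assumptions made for illustration.

```python
import re

# Autorun.inf keys that make Windows launch a program (matched case-insensitively).
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command

def parse_commands(text):
    """Return (key, command) pairs for every launch-capable line.

    Keys are lower-cased before matching, so case mangling such as
    'shelLExECUte' does not hide an entry; lines without '=' are skipped.
    """
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in EXEC_KEYS or SHELL_CMD.match(key):
            found.append((key, value.strip()))
    return found

def score_command(command):
    """Return the reasons a launch command looks suspicious (empty if none)."""
    lowered = command.lower().replace("/", "\\")
    reasons = []
    if re.search(r"\brundll32(\.exe)?\b", lowered):
        reasons.append("launches rundll32")
    if "\\recycler\\" in lowered or "\\$recycle.bin\\" in lowered:
        reasons.append("payload inside recycle bin folder")
    # rundll32 normally loads a .dll; another extension hints at a disguised file.
    target = re.search(r'rundll32(?:\.exe)?\s+"?([^\s",]+)', lowered)
    if target and not target.group(1).endswith(".dll"):
        reasons.append("rundll32 target is not a .dll")
    return reasons

def inspect_autorun(text):
    """Map each launch command found in the file to its suspicion reasons."""
    return {cmd: score_command(cmd) for _, cmd in parse_commands(text)}

# Constructed sample: the line quoted in the article plus constructed filler lines.
SAMPLE = r"""
[AutoRun]
;filler comment
shelLExECUte=RuNdLl32.EXE .\RECYCLER\S-x-x-xx-2819952290-8240758988-879315005-xxx\jwgkvsq.vmx,ahaezedrn
"""

if __name__ == "__main__":
    for cmd, reasons in inspect_autorun(SAMPLE).items():
        print(cmd, "->", reasons)
```

A benign entry such as `open=setup.exe` is still extracted but receives no reasons, so the output can be used to triage Autorun.inf files collected from removable media rather than to delete them blindly.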


    Removal Instructions

    If you suspect that your computer system is infected by the INF/Conficker worm and you have found traces of an Autorun.inf file, then as a first step search the entire drive for Autorun.inf files using the Windows search feature and delete all of them. Next, you must perform a complete scan of your system using good antivirus software. I recommend using McAfee & ESET NOD32. These are my preferred and trusted software; you can scan using yours.