How it Works
As discussed earlier, Win32/Conficker exploits the MS08-067 vulnerability in the operating system to execute code remotely. It copies itself into the system directory under an "unknown" name with a ".dll" extension. It also disables important services such as the Windows Error Reporting Service (WerSvc), Error Reporting Service (ERSvc), Background Intelligent Transfer Service (BITS), Windows Update Automatic Updates Service (wuauserv), Windows Defender (WinDefend) and the Windows Search Content Search Service (wscsvc).
This virus has been designed to stop a user from rebooting the system in Safe Mode, which it does by deleting a registry key.
It then terminates several processes, chosen by matching their names against a list of strings, and completely disables the normal working of your system. It also blocks security-related domains, preventing users from taking any preventive action to stop the virus from executing. The threat generates about 50000 domain names using 116 prefixes and then attempts to connect to these websites to determine the public IP address of the computer. Several connections are established to such domain names in order to download other malware files: worms, Trojans or viruses.
Some variants of the Win32/Conficker virus/worm make use of Autorun.inf files and automatic task scheduling to replicate.
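The list of services above gives a defender a quick triage check: if several of them are stopped or set to Disabled on a host that should have them running, the host deserves a closer look. The following PowerShell script is an added example, not code from the article; it assumes it is run in an elevated Windows PowerShell session on the suspect host and uses only the service names listed above (wscsvc is the Security Center service name).

```powershell
# Added example (not from the original article): report the state of the
# services Win32/Conficker is described as disabling. A stopped or disabled
# state is an indicator to investigate, not proof of infection.
$ConfickerTargets = @(
    @{ Name = 'WerSvc';    Desc = 'Windows Error Reporting Service (Vista and later)' },
    @{ Name = 'ERSvc';     Desc = 'Error Reporting Service (XP / Server 2003)' },
    @{ Name = 'BITS';      Desc = 'Background Intelligent Transfer Service' },
    @{ Name = 'wuauserv';  Desc = 'Windows Update / Automatic Updates' },
    @{ Name = 'WinDefend'; Desc = 'Windows Defender' },
    @{ Name = 'wscsvc';    Desc = 'Security Center' }
)

function Test-ConfickerServiceState {
    param([hashtable[]]$Services = $ConfickerTargets)
    foreach ($s in $Services) {
        # Win32_Service exposes StartMode (Auto/Manual/Disabled); Get-WmiObject is
        # used because it is available on the Windows PowerShell versions found on
        # the XP/2003-era hosts this worm targeted.
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$($s.Name)'" -ErrorAction SilentlyContinue
        if (-not $svc) {
            # Not installed is normal for ERSvc on Vista+ and WerSvc on XP; report, do not flag.
            [pscustomobject]@{ Service = $s.Name; Description = $s.Desc
                               State = 'NotInstalled'; StartMode = 'n/a'; Suspicious = $false }
            continue
        }
        # Flag a service that has been set to Disabled, or an Auto-start service that is not running.
        $flag = ($svc.StartMode -eq 'Disabled') -or
                ($svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running')
        [pscustomobject]@{ Service = $s.Name; Description = $s.Desc
                           State = $svc.State; StartMode = $svc.StartMode; Suspicious = $flag }
    }
}

$results = Test-ConfickerServiceState
$results | Format-Table -AutoSize
if ($results | Where-Object { $_.Suspicious }) {
    Write-Warning 'One or more services this worm is known to disable are stopped or disabled; investigate before re-enabling them.'
}
```

Because some variants block security-related domains, a host that shows several flagged services and also cannot reach its update or antivirus vendor should be isolated from the network rather than simply having the services restarted.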
To protect your Windows network from Conficker, read Protecting A Windows Network From Conficker.