What is Win32 Conficker?

click to enlarge

Win32/Conficker is a virus/worm that spreads itself across computers by exploiting one of the vulnerabilities (MS08-067) present in Microsoft Windows operating system. This vulnerability allows remote execution of code by a hacker or an intruder. The worst part is that it does not require any user interaction and as such a hacker or an intruder can gain full control of a system. This vulnerability has been marked as "critical" and the affected operating systems are Windows 2000, Windows 2003, Windows XP, Windows 2008 and Windows Vista. However, a patch has been introduced in October, 2008 after which the issue has been resolved.

Home Users – LOW

Corporate Users – LOW

Filename: unknown.dll

Detection: Win32/Conficker

File size: 58 KB

Symptoms of a Win32 Conficker attack is given below:

• Security websites are blocked.
• Administrator access is denied.
• Users are locked out of their directory.
• Automatic creation of scheduled tasks.

To Learn more about the best way to check conficker infections, read Conficker Eye Chart: The Easiest Way To Check for Conficker Infections.

• Trend Micro WORM_DOWNAD.A
• Microsoft Worm:Win32/Conficker.A/B
• F-Secure/ Kaspersky Trojan.Win32.Pakes.lxf
• Sophos Mal/Conficker-A
• Symantec W32.Downadup

As discussed earlier, Win32/Conficker exploits the MS08-067 vulnerability present in the operating system to remotely execute code. It copies itself in the system directory with an "unknown" name and having an extension “.dll”. It also disables important services like Windows Error Reporting Service (WerSvc), Error Reporting Service (ERSvc), Background Intelligent Transfer Service (BITS), Windows Update Automatic Updates Service (wuausrv), Windows Defender (WinDefend) and Windows Search Content Search Service (wscsvc).

This virus has been designed to be smart enough to stop a user from rebooting the system in Safe Mode. It does this by deleting a registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

It then terminates several processes based on a list of strings and completely disables the working of your system. It also blocks security related domains blocking the users from taking any preventive action to stop the virus from execution. This threat generates about 50000 domain names by using 116 prefixes and then attempts to connect to these websites to generate the public IP of the computer system. Several connections are established to such domain names in order to download other malware files, worms, Trojans or viruses.

Some of the variant so Win32/Conficker virus/worm makes use of Autorun.inf files and automatic task scheduling to replicate the virus.

To protect your windows network from conficker, read Protecting A Windows Network From Conficker.

The Win32/Conficker virus/worm infiltrates the MS08-067 vulnerability present in most of the Microsoft windows operating system. In order to cure the virus, system must be patched and rebooted to protect from further infection. Also, run an on demand scanner and reboot the system to clean the memory. Delete any Autorun.inf files present in the system as the virus/worm makes use of Autorun file to reactivate the worm and download another malicious content from the web.

To know more about the procedure to remove this virus/worm read How To Remove The Conficker Worm From Infected Windows Computers