Pin Me

What is Win32 Conficker?

written by: Anurag Ghosh•edited by: Bill Bunter•updated: 1/18/2011

Win32/Conficker the most spreadable virus/worm of the year 2009 exploits the Microsoft's (MS08-067) vulnerability to remotely gain access to a computer system.

  • slide 1 of 7

    Description

    win32 / conficker 

    Win32/Conficker is a virus/worm that spreads itself across computers by exploiting one of the vulnerabilities (MS08-067) present in Microsoft Windows operating system. This vulnerability allows remote execution of code by a hacker or an intruder. The worst part is that it does not require any user interaction and as such a hacker or an intruder can gain full control of a system. This vulnerability has been marked as "critical" and the affected operating systems are Windows 2000, Windows 2003, Windows XP, Windows 2008 and Windows Vista. However, a patch has been introduced in October, 2008 after which the issue has been resolved.

  • slide 2 of 7

    Risk Assessment

    Home Users – LOW

    Corporate Users – LOW

  • slide 3 of 7

    Virus Characteristics

    Filename: unknown.dll

    Detection: Win32/Conficker

    File size: 58 KB

  • slide 4 of 7

    Symptoms

    Symptoms of a Win32 Conficker attack is given below:

    • Security websites are blocked.
    • Administrator access is denied.
    • Users are locked out of their directory.
    • Automatic creation of scheduled tasks.

    To Learn more about the best way to check conficker infections, read Conficker Eye Chart: The Easiest Way To Check for Conficker Infections.

  • slide 5 of 7

    Common Detection A.K.A.

    • Trend Micro WORM_DOWNAD.A
    • Microsoft Worm:Win32/Conficker.A/B
    • F-Secure/ Kaspersky Trojan.Win32.Pakes.lxf
    • Sophos Mal/Conficker-A
    • Symantec W32.Downadup
  • slide 6 of 7

    How it Works

    As discussed earlier, Win32/Conficker exploits the MS08-067 vulnerability present in the operating system to remotely execute code. It copies itself in the system directory with an "unknown" name and having an extension “.dll". It also disables important services like Windows Error Reporting Service (WerSvc), Error Reporting Service (ERSvc), Background Intelligent Transfer Service (BITS), Windows Update Automatic Updates Service (wuausrv), Windows Defender (WinDefend) and Windows Search Content Search Service (wscsvc).

    This virus has been designed to be smart enough to stop a user from rebooting the system in Safe Mode. It does this by deleting a registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

    It then terminates several processes based on a list of strings and completely disables the working of your system. It also blocks security related domains blocking the users from taking any preventive action to stop the virus from execution. This threat generates about 50000 domain names by using 116 prefixes and then attempts to connect to these websites to generate the public IP of the computer system. Several connections are established to such domain names in order to download other malware files, worms, Trojans or viruses.

    Some of the variant so Win32/Conficker virus/worm makes use of Autorun.inf files and automatic task scheduling to replicate the virus.

    To protect your windows network from conficker, read Protecting A Windows Network From Conficker.

  • slide 7 of 7

    Removal Instructions

    The Win32/Conficker virus/worm infiltrates the MS08-067 vulnerability present in most of the Microsoft windows operating system. In order to cure the virus, system must be patched and rebooted to protect from further infection. Also, run an on demand scanner and reboot the system to clean the memory. Delete any Autorun.inf files present in the system as the virus/worm makes use of Autorun file to reactivate the worm and download another malicious content from the web.

    To know more about the procedure to remove this virus/worm read How To Remove The Conficker Worm From Infected Windows Computers