How to Remove a Conficker.B, C, or Downadup Worm Infection

Update: Jonathan Leopando of Trend Micro writes, "In a very real way, threats like [Conficker] become part of the background noise that is a part of life on the Internet." Current estimates are that between 1.25 and 5 million systems remain infected. Conficker has also "built a botnet" in order to function for its creator. Roles for the 'bot include spam, denial of service attacks, and antivirus spoof malware (or fake antivirus).

Concerned that your PC may be infected by the Conficker or Downadup worm? Here's a simple test. If, using Internet Explorer, you can visit Yahoo! and Microsoft, your computer does not have the virus. Since "microsoft" is in the list of website "strings" blocked by Conficker, if you can visit Yahoo! and not Microsoft, it's likely your PC does have the virus.

And as a note, if your computer is infected and you think you can live with the inconvenience of not being able to reach certain websites, remember that Windows Update, Windows Defender, and the Malicious Software Removal Tool are also disabled, effectively leaving the barn door open for more, and perhaps more efficient or more malicious software.

If you've come here because you are concerned that you may have an active Conficker infection, please read the first part below about how the worm spreads and then go to the second page for some advice and links to remedies.

Update: May 2, 2009. Atif Mushtaq of the FireEye Malware Intelligence Lab says that Conficker is not behaving in the furtive manner in which a notorious botnet might be expected to act. "The creator of the worm has only been in direct competition with security researchers. Due to the method of propagation, and the lack of a working dynamic update mechanism, the AV industry hasn't had a problem keeping up with the different binaries."

Update: April 1, 2009. The midnight hour of March 31 has passed, and it's now April 1, April Fool's Day. So far things are quiet. According to F-Secure, infected computers have activated and begun to "phone home" to Conficker's remote master(s), but so far no further malware activity has been detected. Could this be like the big 2YK scare that fizzled into unimportance even before millennial hangovers eased? There's no evidence so far that the worm has mutated. All indications are that the preventive and corrective measures already known will continue to function.

Update. March 31, 2009. Within 24 hours, we should learn what the purpose of the Conficker.C or Downadup worm is. Security experts tell us that it should contact its 'bot masters at up to 500 of 50,000 estimated possible websites and take on its payload, whatever that is.

It’s Friday evening. Ted is clearing his desk, folding work that’ll keep until Monday, into a side drawer. Some other stuff that he’ll look at over the weekend has already gone into his briefcase. He bends down and presses the power button on his backup power supply and listens as the fans and hard drives of his PC spin down. Suddenly, it seems very quiet in his office.

He puts on his overcoat, grabs his hat, and picks up his briefcase. Then he pauses, wondering what he’s forgotten. He stands hesitantly before his now well-ordered desk and sighs as his phone rings. He sets down his briefcase, presses the lit button on the phone, and says, “Hello.”

“Hi, Ted. I’m glad I caught you still in.” It was Marsha in Accounting.

“HI, Marsha,” says Ted. “I was just leaving.”

“I have those figures you asked for on the Sherman liquidation. Want me to email it to you or send it to the printer?”

“Great.” Ted considers. “Let me come over, and you can give it to me.”

“Okay.”

Ted leaned over again and pulled his thumb drive out of his quiescent PC. He slid it into a coat pocket, picked up his briefcase, and made his way to the Accounting Office on the second floor.

He saw with some approval that Marsha’s office space was clean and organized. A veteran PC that had seen better days thumped and hummed on her desktop. A closed Apple Macbook was at her elbow. Ted held out his thumb drive.

“Thanks,” said Marsha. She inserted Ted’s thumb drive and started to save the spreadsheet from Microsoft Excel to the drive.

Unbeknownst to both Ted and Marsha, the spreadsheet file was not the only payload being transferred to the thumb drive. A stealthy trojan known as Conficker.B or Win32\Downadup also transferred itself when the thumb drive was inserted. It also created a new autorun.inf self-starting file to install itself on the next vulnerable PC that it found.

The next PC it found was Ted’s laptop. The trojan tried to install itself, but the laptop had obtained a Windows update back in October, 2008, was running anti-virus, and the trojan could find no purchase. Although Ted viewed the spreadsheet and saved a copy to his laptop, he did not find out that his thumb drive was infected during that weekend.

In fact, the next vulnerable PC the trojan found was Ted’s PC at work on the following Monday. The trojan moved to Ted’s PC when he inserted the thumb drive in order to work with the spreadsheet some more.

Bob, the Information Technology director at Ted’s company, was responsible for maintaining over five-hundred PCs and laptops on the company network. He wanted things to go smoothly, for all those PCs and the machines in the company’s server closet to just work and not take up an unwarranted amount of his time or thought.

Bob had not made it in to the office by the time Ted managed to infect his office PC with the Autorun application that the trojan installed. Part of the control that Bob maintained over the system involved never shutting the systems down. He viewed Windows Updates with a strict, unwavering suspicion. Ted’s company had never deployed the October update that would prevent the trojan from taking advantage of the vulnerability in Windows.

So while Bob was still driving his Volvo toward the company campus, Ted started to work, the servers in the air-conditioned closet hummed and blinked, and Marsha placed her Macbook on her desk and started up her company PC.

After Ted inserted his thumb drive, Windows popped up a dialog, and Ted selected “Open folder to view files.” Everything looked perfectly normal, but the trojan had actually created the entire dialog. When Ted selected view contents, he gave the trojan permission to install on his PC.

The little trojan robot then went to work trying to guess Ted’s network password. It also attempted to protect itself. It checked to see if it could turn off Automatic Updates, which of course, were not enabled on Ted’s company-network-connected PC. It also tried to turn off Windows Defender (not used, either) and Error Reporting Services. While it was at it, it configured Internet Explorer so it could not visit computer security sites like kaspersky.com and symantec.com.

All of this happened in the background. Ted remained blissfully unaware that he had a problem at all until the following Monday, when he powered up his PC and found that he could not log in. He even double-checked his password, which was taped to the bottom of his telephone, but the trojan had finally figured out Ted’s password (“maria83moncheri") and was busy rampaging across the company’s network. Bob in IT would soon be busy.

Though fictionalized, the preceding story does illustrate what we know now about the way that the Conficker, aka Downadup, worm propagates. One method is through exploiting a vulnerability in the file-sharing services (SVCHOST.EXE) in Windows 2000, Windows XP and Vista. This is what the October, 2008 Microsoft patch MS08-067 was aimed at. (The Windows 7 beta version is already patched.)

Another method is through brute-force guessing of passwords to enter network shares. A third method is through Autorun/Autoplay transmission from USB-based hard drives and thumb drives. MP3 players and USB-connectible digital cameras may also be a vector.

Even worse, on the millions of PCs that Conficker has already infected, it has not yet been activated to carry out its real purpose. In other words, it’s like a loaded gun that nobody has pulled the trigger on yet. What that real purpose will be – relaying spam or downloading more malware – only the malware designer currently knows.

Next: How to Determine if Your PC is Infected, How to Remove Conficker.B, and How to Prevent an Infection