About the Conficker Virus: History, Symptoms and Prevention


History of The Virus

The Conficker virus is actually a worm: it exploits a security vulnerability in the Windows Server service (SVCHOST.EXE) to spread from one computer to another.

It has five major variants, denoted by the letters A, B, C, D and E and read as Conficker A, Conficker B, and so on. Depending on the variant, Conficker can also propagate through removable media and by exploiting weak administrator passwords on networks. The virus is designed to attack Windows-based computers, so those running other operating systems need not worry much about it.

After gaining access to the computer, the virus can allow remote code execution and can send data from the computer to random IP addresses.

Of all the variants, the third one - Conficker C - created the most fear among computer experts in 2009. The first instance of Conficker was discovered in November 2008; in October 2008 Microsoft had already released a patch to stop the exploitation of SVCHOST.EXE.

Reactions to the Virus

Just as experts thought they had countered the virus, they found several computers across the world infected by Conficker C by January 2009. Though news about the virus doing damage on the first day of April 2009 was already circulating, computer experts did not take it seriously and laughed it off as an April Fools' prank. This is why Conficker C is also called the Fool's Day virus. When Panda Group reported that it had found around 115,000 computers infected by the virus worldwide, the computer community took the threat seriously and started working towards protection and elimination of the virus from computers.

While releasing a patch (see Prevention below), Microsoft also included anti-Conficker C routines in its Malicious Software Removal Tool (MSRT). The tool can be obtained from the Windows Update site, and the MSRT is updated on the second Tuesday of every month. However, by the time the antivirus companies took it seriously, Conficker C was already present on one out of five computers in the world. As of now, MSRT and most other antivirus products (both free and subscription-based) are designed to wipe out the virus completely.

How to Tell if You’re Infected

If your computer is infected by Conficker virus, you may experience one or more of the following issues:

  1. Inability to access Windows Update Service.
  2. Windows Defender, Background Intelligent Transfer Service (BITS), and Windows Error Reporting Services are disabled.
  3. Account lockout policies are tripped on networks.
  4. Domain controllers do not respond or respond very slowly to client requests.
  5. You cannot access websites containing certain terms in their names, such as:
    1. Antivirus.
    2. Virus.
    3. Spyware.
    4. Rootkit.
    5. Names of antivirus vendors and programs – Panda, Microsoft, Symantec, Norton and more.
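The symptoms above can be checked from a PowerShell prompt. The script below is an added example, not code from the original article or from Microsoft: it reads the start mode and state of the services the article names, tries to resolve a few hostnames that contain the blocked terms, and counts recent account-lockout events. The service names, the test hostnames and the lockout threshold are the example's own assumptions; run it from an elevated prompt on Windows Vista or later.

```powershell
# Added example (not from the original article): triage one host for the
# Conficker symptoms listed above. Requires an elevated PowerShell prompt.

# 1. Services the article says Conficker disables, keyed by service name.
#    The names are assumptions of this example (standard Windows names).
$watchedServices = @{
    'wuauserv'  = 'Windows Update'
    'WinDefend' = 'Windows Defender'
    'BITS'      = 'Background Intelligent Transfer Service'
    'WerSvc'    = 'Windows Error Reporting'
}

$findings = @()

foreach ($name in $watchedServices.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        # Not every edition ships every service; absence is not a symptom.
        continue
    }
    # StartMode 'Disabled' is the configured state Conficker leaves behind.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($wmi.StartMode -eq 'Disabled' -or $svc.Status -ne 'Running') {
        $findings += "Service $name ($($watchedServices[$name])) is $($svc.Status), start mode $($wmi.StartMode)"
    }
}

# 2. Name resolution for hosts whose names contain the blocked terms.
#    Constructed list for the example; any reachable security-vendor site works.
$testHosts = @('update.microsoft.com', 'www.symantec.com', 'www.pandasecurity.com')
foreach ($h in $testHosts) {
    try {
        [void][System.Net.Dns]::GetHostAddresses($h)
    } catch {
        $findings += "Cannot resolve $h (blocked lookups of security-vendor names are a Conficker symptom)"
    }
}

# 3. Recent account lockouts in the local Security log (event ID 4740,
#    "A user account was locked out"). The threshold of 10 is an assumption.
$lockouts = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
                -MaxEvents 50 -ErrorAction SilentlyContinue)
if ($lockouts.Count -ge 10) {
    $findings += "$($lockouts.Count) recent account lockouts; check for password guessing from an infected host"
}

if ($findings.Count -eq 0) {
    'No Conficker symptoms detected on this host'
} else {
    $findings
}
```

A single failed lookup or one stopped service is not proof of infection on its own; the script only collects the indicators the article lists so they can be compared against a known-clean machine on the same network.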

Prevention

If the computer is infected it can be very difficult to remove the virus. It is better to prevent the virus from entering your system. For prevention, use the following steps:

  • Use a firewall.
  • Get the latest Windows updates.
  • Update your antivirus software.
  • Scan attachments before opening them.
  • Disable Autoplay for all external media.
  • Avoid downloads from unknown sites to the extent possible.
  • Use strong passwords for your network.

Computers running Windows XP, Windows Vista and Windows Server can use the MS08-067 patch (see References) to avoid Conficker infection if they are not already infected.
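Several of the prevention steps can be applied and verified from a script. The following is an added example, not code from the original article or from Microsoft: it disables Autoplay for all drive types through the Explorer policy key, makes sure the Windows Update service is enabled, shows the firewall state, checks whether the MS08-067 update is installed, and raises the minimum local password length. The registry path and value are standard Windows policy settings; the password length of 12 is the example's own choice, and the KB placeholder must be filled in from the bulletin linked under References.

```powershell
# Added example (not from the original article): apply the scriptable
# prevention steps from the list above on Windows Vista/7 or Server 2008.
# Run from an elevated PowerShell prompt.

# 1. Disable Autoplay/Autorun for every drive type (0xFF) via the machine-wide
#    Explorer policy key, which overrides per-user Autoplay settings.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $policyKey -Force | Out-Null
New-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF `
                 -PropertyType DWord -Force | Out-Null
$autorun = (Get-ItemProperty -Path $policyKey).NoDriveTypeAutoRun
'Autorun policy NoDriveTypeAutoRun = 0x{0:X2}' -f $autorun

# 2. Keep Windows Update enabled and running so the MS08-067 fix and later
#    patches can be installed.
Set-Service -Name 'wuauserv' -StartupType Automatic
Start-Service -Name 'wuauserv' -ErrorAction SilentlyContinue
"Windows Update service: $((Get-Service -Name 'wuauserv').Status)"

# 3. Show the firewall state for every profile (should read ON).
netsh advfirewall show allprofiles state

# 4. Check whether the MS08-067 update is installed. The KB number is given in
#    the bulletin linked under References; replace the placeholder before use.
$ms08067Kb = 'KBnnnnnn'
if ($ms08067Kb -like 'KB[0-9]*') {
    $fix = Get-HotFix -Id $ms08067Kb -ErrorAction SilentlyContinue
    if ($fix) { "MS08-067 ($ms08067Kb) installed on $($fix.InstalledOn)" }
    else      { "MS08-067 ($ms08067Kb) NOT installed - run Windows Update" }
} else {
    'Fill in the MS08-067 KB number to check the patch'
}

# 5. Raise the minimum local password length; weak administrator passwords
#    are one of the routes the article says Conficker uses to spread.
net accounts /minpwlen:12
net accounts
```

The Autoplay policy takes effect the next time a drive is inserted; the password policy applies only to local accounts, so domain-joined machines need the same change in the domain's password policy.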

Virus Removal

If you experience any of the symptoms mentioned above, such as not being able to connect to the Windows Update site or not being able to access websites containing certain virus-related terms, you might be infected with the Conficker virus. Immediately scan your computer with your antivirus to see if it can detect and remove the virus. Sometimes this is all you need to do.

If the resident antivirus does not detect the virus or cannot remove it, chances are that it does not contain the definition for Conficker. If you are on a network, check for uninfected computers that can access the Windows Update site. If you can access the Windows Update site from any other computer, download the latest MSRT (Microsoft Malicious Software Removal Tool) and scan the network. You can run the tool by typing MRT (skip the letter "S") in the Run dialog. Use the Custom Scan option to specify the infected computer(s).

You can also download the latest version of any of the following software to remove the Conficker virus: AVG, McAfee, Norton, Panda, BitDefender, F-Secure, Symantec, Sophos, Kaspersky, Trend Micro, or Sunbelt Software.

If you are not able to access the websites of any of these antivirus programs from the infected computer, use another computer to download the program and install it on the infected computer. Once installed, you can use the antivirus to remove Conficker.

If you are not able to install the antivirus on the infected system, you may install it on a connected computer and run a remote scan. If you have a spare uninfected computer, you can connect it to the infected computer with an Ethernet cable to create a peer-to-peer network and run the remote scan over it. You may also rent or borrow a laptop, install the software on it, and connect it to the PC.

If none of the above helps, you might need a technician who can remove Conficker manually or with special tools.

References

Image from Wikimedia Commons, https://commons.wikimedia.org/wiki/File:Conficker.svg

Microsoft Security Knowledgebase at Technet, https://technet.microsoft.com/en-us/security/dd452420.aspx

Microsoft Security Bulletin MS08-067, https://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx