The Conficker worm, also known as the Downadup or Kido worm, was first discovered in November 2008 and has infected many Windows operating systems that do not have the latest security updates. On October 23, 2008, Microsoft released a security update, MS08-067, which fixes the security vulnerability that the Conficker worm took advantage of. Most of the affected computers did not have MS08-067 installed, used a weak password or no password to log in to Windows, or had open shared folders or removable media.
There are 5 variants of the Conficker worm, which improved each time the creator of the worm released a new version. The worm automatically updates itself without user interaction and disables several important services in Windows, including Windows Defender and Windows Update. If a PC is already infected by the Conficker worm, it connects to the following websites to obtain the current time and date: facebook.com, yahoo.com, ask.com, google.com, baidu.com, rapidshare.com, imageshack.us and w3.org. The worm can also prevent users from visiting security vendor websites. There are other symptoms of a Conficker infection; most of them are described in the Conficker Virus Guide.
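Two of the symptoms above can be checked from Windows PowerShell. The script below is an added example, not part of the original article or of any vendor tool. The service short names (wuauserv, WinDefend), the choice of w3.org as a control host, and the use of a failed name lookup as a stand-in for "cannot visit the site" are assumptions made for illustration.

```powershell
# Added example: checks for two Conficker symptoms described in the article.
# Run it while the PC is still connected to the network.
# Assumption: standard Windows short names for the two services.
$services = @{
    'wuauserv'  = 'Windows Update'
    'WinDefend' = 'Windows Defender'
}
$controlHost = 'w3.org'   # ordinary site, used only to confirm that DNS works
$vendorHosts = @('www.symantec.com', 'www.microsoft.com')   # illustrative choice

# Returns $true when the host name resolves to at least one address.
function Test-Resolves([string]$HostName) {
    try   { [void][System.Net.Dns]::GetHostAddresses($HostName); return $true }
    catch { return $false }
}

$findings = @()

# Symptom 1: security-related services switched to Disabled.
foreach ($svcName in $services.Keys) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
    if ($svc -and $svc.StartMode -eq 'Disabled') {
        $findings += "$($services[$svcName]) service ($svcName) is disabled"
    }
}

# Symptom 2: security vendor sites fail to resolve while an ordinary site works.
if (Test-Resolves $controlHost) {
    foreach ($vendorHost in $vendorHosts) {
        if (-not (Test-Resolves $vendorHost)) {
            $findings += "$vendorHost does not resolve although $controlHost does"
        }
    }
} else {
    Write-Warning "Cannot resolve $controlHost; name-resolution check skipped."
}

if ($findings.Count -gt 0) {
    Write-Output 'Possible Conficker symptoms found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
} else {
    Write-Output 'None of the checked symptoms were found.'
}
```

A finding here is a reason to run a removal tool, not proof of infection, because an administrator or other software can also disable these services. A clean result does not rule out infection either.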
Computers with pirated or hacked versions of Windows are also affected because most users of such software do not care about the risks of using pirated software. Genuine users of Windows who fail to immediately install security updates for Windows may become infected by the Conficker worm or by any virus or malware that exploits vulnerabilities in Windows operating systems.
Several security software vendors immediately took action to help affected customers by releasing standalone Conficker removal tools; one example is the tool from Symantec. The W32.Downadup or Conficker removal tool by Symantec will detect any variant of the worm.
Using Norton Removal Tool to Remove Conficker worm
If you suspect Conficker infection or would just like to check your computer for Conficker worm infection, the Norton removal tool for Conficker or W32.Downadup infection is available for free download at https://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99. The file that you are going to download has D.exe as its filename.
You can save D.exe on your desktop, disconnect the computer from the Internet and then execute the tool. The tool will prompt you to accept the End-User License Agreement (EULA), and then you can proceed to scanning the PC.
If the Symantec W32.Downadup removal tool finds an infection, it automatically removes it and creates a log. The log, FixDwndp.log, is saved by the tool in the same location where you saved D.exe.
The Symantec Conficker removal tool will also prompt you to restart the computer and advises you to install the MS08-067 security update.
Other Option in Removing Conficker worm
If, for some reason, you could not download or run Symantec’s Conficker worm removal tool or other free Conficker removal tools, you will need to do it manually. Manually removing the Conficker worm without a removal tool is a tough task because the worm adds a service and several registry entries that use random names.
If your PC is infected with the Conficker worm, but the Conficker Norton removal tool or other tools for removing Conficker won’t run, it is recommended to seek assistance by providing the system log to a free malware removal forum, such as Aumha or Bleepingcomputer.com.