Portland Community College | Portland, Oregon

The Conficker worm, sometimes called Downadup or Kido, has infected what is estimated to be millions of computers since January. The worm has been unusually difficult for network operators and law enforcement to counter because it combines several advanced malware components. It uses a variety of attack vectors to transmit and receive payloads, including software vulnerabilities, portable media (e.g. USB thumb drives and CDs/DVDs), and endpoint weaknesses (e.g. weak passwords on network-enabled systems). The Conficker worm will also spawn remote access backdoors on the system and attempt to download additional malware to further infect the host.

What does the Conficker worm do?

The Conficker worm has created secure infrastructure for cybercrime. The worm allows its creators to remotely install software on infected machines. What will that software do? We don't know. The antivirus companies do not have a full understanding of the worm. At this time, the extent of its capability is unknown.

The Conficker worm mostly spreads across networks. If it finds a vulnerable computer, it turns off the automatic backup service, deletes previous restore points, disables many security services, blocks access to a number of security websites and opens infected machines to receive additional programs from the malware’s creator. The worm then tries to spread itself to other computers on the same network.

How does the worm infect a computer?

All MS Windows systems are susceptible to attack. The Downadup worm tries to take advantage of a problem with Windows (a vulnerability) called MS08-067 to quietly install itself. Users who automatically receive updates from Microsoft are already protected from this. The worm also tries to spread by copying itself into shared folders on networks and by infecting USB devices such as memory sticks.

In the screenshot of the AutoPlay dialog box (shown to the right), the option "Open folder to view files — Publisher not specified" was added by the worm. The highlighted option, "Open folder to view files using Windows Explorer", is the option that Windows provides and the option you should use.

If you select the first option, the worm executes and can begin to spread itself to other computers.
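A way to check a USB device for this trick before opening it, as an added example that is not part of the original page: the script parses the device's autorun.inf and flags a file that both launches a program and labels that action with the Windows "Open folder to view files" wording. The sample files and the launcher name are constructed for illustration.

```python
import re

# Label wording of the genuine Windows option, as quoted on this page.
SPOOFED_LABEL = re.compile(r"open\s+folder\s+to\s+view\s+files", re.IGNORECASE)


def is_launcher(key: str) -> bool:
    """True for [autorun] keys that start a program when AutoPlay is accepted."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))


def parse_autorun(raw: bytes) -> dict:
    """Return key/value pairs from the [autorun] section, skipping junk lines."""
    entries, in_section = {}, False
    for line in raw.decode("latin-1").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue  # padding, comments and other sections are ignored
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(raw: bytes) -> list:
    """List reasons an autorun.inf deserves attention; empty means none found."""
    entries = parse_autorun(raw)
    findings = []
    launchers = sorted(k for k in entries if is_launcher(k))
    if launchers:
        findings.append("launches a program via: " + ", ".join(launchers))
    if launchers and SPOOFED_LABEL.search(entries.get("action", "")):
        findings.append("AutoPlay label imitates the Windows 'Open folder' option")
    return findings


# Constructed samples (not captured from a real infection).
SUSPICIOUS = (b"\x8f\x01junk-padding\r\n[AutoRun]\r\n"
              b"Action=Open folder to view files\r\n"
              b"shellexecute=example-launcher.exe\r\n")
BENIGN = b"[autorun]\r\nlabel=Course Files\r\nicon=college.ico\r\n"

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, assess_autorun(sample))
```
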

How do you know if you are infected?

If your computer is infected with the Conficker worm, you may either experience no obvious symptoms, or you may experience any of the following:

  • Account lockout policies are being tripped
  • Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled
  • Network congestion
  • Various security-related websites cannot be accessed

Preventing the Conficker Worm:

What should a rational computer user or IT administrator do? Protecting against Conficker is no easy fix. Since it uses a variety of attacks, you too need to take several measures to protect your system.

  1. Keep your computer updated with the latest patches. This alone will prevent more than 80% of computer attacks. If you don’t know how to do this, have someone help you set your system to update itself. There is no reason in this day and age to not run security updates.

  2. Run a full spectrum of anti-malware tools such as:

    • Anti-Virus

    • Anti-Spyware

    • Anti-Rootkit Applications

    • Anti-Phishing applications

  3. Make sure the AV signatures are updated at least every day (every few hours is even better)

  4. Run a full scan of all files on all systems every week

  5. Use a good password on your accounts. Conficker has a function that cracks weak passwords. This includes:

    • Change your passwords periodically

    • Use complex passwords — no simple names or words, use special characters and numbers

    • Use a separate, longer password for each site that has sensitive personal information or access to your bank accounts or credit cards.

  6. Avoid untrusted "free" security scans that pop up on many websites. All too often these are fake, using scare tactics to try to get you to purchase their "full" service. In many cases these are actually infecting you while they run. There are free tools for you to use on the Information Security, Tools Page.

  7. Turn off the "autorun" feature that will automatically run programs found on memory sticks and other USB devices. They will still work but will only show their files when you want them.

  8. Use a password management system such as:

  9. Ensure you back up your important files. The only way for you to fix an infected computer is to erase the hard drive and re-image. Losing your valuable files through accidental deletion, hard drive crashes or malware attacks can be devastating. Whether it's the priceless photographs, the college thesis you're working on, or your personal records, backing up your files is critical.
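To confirm that step 7 actually took effect, the following added example (not part of the original page) reads the Windows NoDriveTypeAutoRun policy value and lists the drive types for which autorun is still enabled. The values 0x91 and 0xFF in the demo loop are constructed samples; on a non-Windows system the registry read is skipped.

```python
try:
    import winreg  # standard library, present only on Windows
except ImportError:
    winreg = None

POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# A set bit in NoDriveTypeAutoRun disables autorun for that drive type.
DRIVE_BITS = {
    0x01: "unknown",
    0x04: "removable (USB sticks)",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD/DVD",
    0x40: "RAM disk",
    0x80: "unknown (reserved)",
}


def autorun_still_enabled(mask: int) -> list:
    """Drive types whose bit is clear, i.e. autorun has not been disabled."""
    return [name for bit, name in DRIVE_BITS.items() if not mask & bit]


def read_policy(hive_name: str = "HKEY_LOCAL_MACHINE"):
    """Read NoDriveTypeAutoRun; None if it is unset or this is not Windows."""
    if winreg is None:
        return None
    try:
        with winreg.OpenKey(getattr(winreg, hive_name), POLICY_KEY) as key:
            value, _type = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
            return int(value)
    except OSError:
        return None


def report(mask) -> str:
    """One-line summary of what a given policy value leaves enabled."""
    if mask is None:
        return "NoDriveTypeAutoRun not set: Windows defaults apply"
    enabled = autorun_still_enabled(mask)
    if not enabled:
        return f"0x{mask:02X}: autorun disabled for every drive type"
    return f"0x{mask:02X}: autorun still enabled for " + ", ".join(enabled)


if __name__ == "__main__":
    print("this machine ->", report(read_policy()))
    for sample in (0x91, 0xFF):  # constructed sample values
        print("sample ->", report(sample))
```
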

If your (PCC) computer won't update your antivirus or get to an antivirus site, call the help desk at 4400. Due to the number of tools available, most security tools not provided directly by PCC are not supported.

How do I remove the Conficker worm?

The Microsoft Windows Malicious Software Removal Tool checks computers running Windows Vista, Windows XP, Windows 2000, and Windows Server 2003 for infections by specific, prevalent malicious software—including Blaster, Sasser, and Mydoom—and helps remove any infection found. When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed.

Microsoft releases an updated version of this tool on the second Tuesday of each month, and as needed to respond to security incidents. The tool is available from Microsoft Update, Windows Update and the Microsoft Download Center.

Because computers can appear to function normally when infected, Microsoft advises you to run this tool even if your computer seems to be fine.

Microsoft Windows Malicious Software Removal Tool

After running the Microsoft Windows Malicious Software Removal Tool, run a full scan of all files.

More technical information about the Conficker worm

For more technical information about the Conficker worm: