Conficker Worm

November 21, 2008
aka: W32.Downadup Worm, Kido

There has been some discussion in the media lately about the Conficker worm, and it has been found on several systems at Virginia Tech. The Downadup worm tries to take advantage of a Windows vulnerability, the one addressed by Microsoft Security Bulletin MS08-067, to quietly install itself. Users who automatically receive updates from Microsoft are already protected from this vulnerability. The worm also tries to spread by copying itself into shared folders on networks and by infecting USB devices such as memory sticks.

NOTE: This worm is designed to activate on April 1, 2009. At that time, it will change the way it communicates by attempting to contact a source to download new commands. The effects of this worm after April 1, 2009 are currently unknown.

Symptoms:

  1. Windows Update no longer works.
  2. Symantec LiveUpdates no longer work.
  3. Security vendor sites (like www.symantec.com) no longer load.
  4. The Virginia Tech antivirus website (www.antivirus.vt.edu) no longer loads.
  5. Windows Defender is disabled.
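A quick host triage check for the symptoms listed above, written here as an added example (it is not from the advisory or from Symantec): it tests whether the listed sites still resolve and whether Windows Defender (and the Windows Update service, which this worm also stops) is running. The hostnames used for Windows Update and LiveUpdate, the service names, and the "two or more symptoms" threshold are assumptions; the resolver and service-state lookups are passed in so the logic can be exercised with constructed inputs.

```python
import subprocess
import sys
from typing import Callable, Dict, List

# Sites from the advisory's symptom list; the Windows Update and LiveUpdate
# hostnames are assumptions, the other two are named on the page.
WATCHED_SITES: Dict[str, str] = {
    "Windows Update": "update.microsoft.com",
    "Symantec LiveUpdate": "liveupdate.symantecliveupdate.com",
    "Security vendor site": "www.symantec.com",
    "VT antivirus site": "www.antivirus.vt.edu",
}
# Windows Defender is listed on the page; the Automatic Updates service is an
# assumption based on symptom 1.
WATCHED_SERVICES = ("WinDefend", "wuauserv")


def blocked_sites(resolver: Callable[[str], object]) -> List[str]:
    """Labels of watched sites whose hostname fails to resolve (DNS error)."""
    blocked = []
    for label, host in WATCHED_SITES.items():
        try:
            resolver(host)
        except OSError:  # socket.gaierror is an OSError subclass
            blocked.append(label)
    return blocked


def stopped_services(service_state: Callable[[str], str]) -> List[str]:
    """Watched services whose reported state is explicitly STOPPED."""
    return [s for s in WATCHED_SERVICES if service_state(s).upper() == "STOPPED"]


def assess(resolver: Callable[[str], object],
           service_state: Callable[[str], str]) -> dict:
    """Combine both checks; two or more matching symptoms is the (assumed) alert threshold."""
    sites = blocked_sites(resolver)
    services = stopped_services(service_state)
    return {"blocked_sites": sites, "stopped_services": services,
            "suspicious": len(sites) + len(services) >= 2}


def sc_query_state(name: str) -> str:
    """Read a service state with `sc query` on Windows; UNKNOWN on other platforms."""
    if not sys.platform.startswith("win"):
        return "UNKNOWN"
    out = subprocess.run(["sc", "query", name], capture_output=True, text=True).stdout
    for line in out.splitlines():
        if "STATE" in line:
            return line.split()[-1]  # last token is e.g. RUNNING or STOPPED
    return "UNKNOWN"
```

To run it on a live Windows host, call `assess(socket.gethostbyname, sc_query_state)`; a result with several blocked sites plus a stopped Defender service matches the symptom pattern described above and warrants running the removal tool.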

Removal:

Symantec has developed a tool to remove all variants of this worm. You can find the tool at the following link:

More information:

A detailed whitepaper about this worm can be found on Symantec's website: The Downadup Codex.

An independent group has also done an analysis of the Conficker.C variant. You can find more information here: http://mtc.sri.com/Conficker/addendumC/.