Conficker (Downadup) – How to prevent and remove it


Description:
Conficker, also known as Downadup, is a computer worm that targets the Microsoft Windows operating system. Since its discovery in November 2008, it has infected millions of computers, forming a botnet. The worm exploits the Windows vulnerability addressed in Security Bulletin MS08-067, which was patched more than 10 years ago. Unfortunately, there are still plenty of computers that do not have the patch installed.


Summary:

The worm can deactivate certain services, such as Windows Defender and Windows Update, in order to hinder detection and removal. It may also plant additional files on your system and block you from visiting certain websites. Conficker infects PCs across a network by exploiting a vulnerability in a Windows system file; that vulnerability is described and fixed in Security Bulletin MS08-067.

Tools to remove Conficker


Recommendations for users:

  •  install updates as soon as they are released;
  •  use complex passwords;
  •  install anti-virus software.
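The summary and recommendations above boil down to three things an administrator can verify on a host: the security services the worm stops are still enabled, the MS08-067 update is installed, and no scheduled task launches a copy of the worm from a user-writable location. The following read-only posture check is an added example, not part of this article or of any vendor tool. It assumes an elevated PowerShell 5 or later session on Windows, that the administrator supplies the KB number of the MS08-067 update (a placeholder is used here), and that `Get-ScheduledTask` is available (Windows 8 / Server 2012 and later); it reports findings and changes nothing.

```powershell
<#
  Added example, not code from the article. Read-only check for the three
  Conficker hardening points the article lists. Assumptions: elevated
  PowerShell 5+ on Windows; the MS08-067 KB id is supplied by the operator.
#>
param(
    # KB article id of the MS08-067 security update. Placeholder: take the
    # real number from the Microsoft bulletin for your Windows version.
    [string]$Ms08067Kb = 'KB-PLACEHOLDER'
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Services the article says the worm deactivates (Windows Update, Defender);
#    BITS is added because Windows Update depends on it.
$watchedServices = @(
    @{ Name = 'wuauserv';  Label = 'Windows Update' },
    @{ Name = 'WinDefend'; Label = 'Windows Defender' },
    @{ Name = 'BITS';      Label = 'Background Intelligent Transfer Service' }
)
foreach ($svc in $watchedServices) {
    $s = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
    if ($null -eq $s) {
        $findings.Add("MISSING   $($svc.Label) ($($svc.Name)) is not installed")
    } elseif ($s.StartType -eq 'Disabled') {
        $findings.Add("DISABLED  $($svc.Label) ($($svc.Name)) has start type Disabled")
    } elseif ($s.Status -ne 'Running') {
        $findings.Add("STOPPED   $($svc.Label) ($($svc.Name)) is $($s.Status)")
    }
}

# 2. Is the MS08-067 update present? Get-HotFix reads the installed-update list.
$hotfix = Get-HotFix -Id $Ms08067Kb -ErrorAction SilentlyContinue
if ($null -eq $hotfix) {
    $findings.Add("UNPATCHED update $Ms08067Kb (MS08-067) not found among installed updates")
}

# 3. Scheduled tasks whose action launches from a user-writable location.
#    Conficker.B used a scheduled task to run copies of itself; a task that
#    executes from a temp or profile directory deserves a closer look.
$suspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData) |
    Where-Object { -not [string]::IsNullOrEmpty($_) }
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if ([string]::IsNullOrEmpty($exe)) { continue }
            $expanded = [Environment]::ExpandEnvironmentVariables($exe)
            foreach ($root in $suspectRoots) {
                if ($expanded -like "$root*") {
                    $findings.Add("TASK      '$($task.TaskName)' runs $expanded")
                    break   # one finding per action is enough
                }
            }
        }
    }
} else {
    $findings.Add("SKIPPED   Get-ScheduledTask not available; review tasks with schtasks /query /v")
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: watched services running, update present, no suspicious scheduled tasks.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it as `.\conficker-posture.ps1 -Ms08067Kb KB<number>` on each host; a DISABLED or STOPPED line for Windows Update or Defender, combined with an UNPATCHED line, matches the behaviour described in the summary and is the cue to run a removal tool and apply the update.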

 

Conficker History

Variant: Worm:Win32/Conficker.A
Discovered date: 21 November 2008
Payload trigger date: 25 November 2008
Spreads by:
  • Exploits the vulnerability outlined in Security Bulletin MS08-067
Payload:
  • Generates 250 URLs daily that it checks for updates
  • Resets System Restore Point

Variant: Worm:Win32/Conficker.B
Discovered date: 29 December 2008
Payload trigger date: 1 January 2009
Spreads by: Same as .A variant, plus:
  • Network shares with weak passwords
  • Mapped and removable drives
  • Uses a scheduled task to run copies of the worm on targeted PCs
Payload: Same as .A variant (although with a different way of generating URLs), plus:
  • Blocks access to many security-related websites
  • Changes your PC’s settings
  • Stops system and security services

Variant: Worm:Win32/Conficker.C
Discovered date: 20 February 2009
Payload trigger date: 1 January 2009
Spreads by: Same as .B variant.
Payload: Same as .A and .B variants, plus:
  • Additional method for downloading files that uses peer-to-peer communications
  • Adds checks to verify the authenticity/validity of content targeted for download

Variant: Worm:Win32/Conficker.D
Discovered date: 4 March 2009
Payload trigger date: 1 April 2009
Spreads by: Spreading functionality removed. Distributed as an update to PCs already infected with the .B and .C variants.
Payload: Same as .A and .B variants, plus:
  • Generates 50,000 URLs to download files from, but only visits 500 within a 24-hour period
  • Expands on efforts to hinder its removal from your PC:
      • Stops more system and security services
      • Blocks more security-related websites

Variant: Worm:Win32/Conficker.E
Discovered date: 8 April 2009
Payload trigger date: No date
Spreads by: Spreading functionality added. Same as .A variant, plus:
  • Network shares with weak passwords
Payload:
  • Blocks access to many security-related websites
  • Changes your PC’s settings