Security Warning: New Variant of Conficker Worm to Activate on April 1
The Conficker worm is the most prolific malicious software ("malware") to appear since the SQL Slammer worm epidemic of 2003. Researchers claim that today 1 in every 16 PCs across the world is affected by the Conficker worm, and the worm has now infected an estimated 12 million or more PCs worldwide.
A new variant (C) of the Conficker worm was discovered on March 6, 2009. (The worm has an automatic update mechanism built in.) It disables Windows Automatic Updates, shuts down virus protection, and blocks access to security web sites.
Researchers have found that the worm is set to take some action on April 1st, but it is still not known what the purpose of the worm is. So far, the worm is spreading and building a botnet of infected computers, turning them into "zombies" that can be commanded to take some action by the botherder (the botnet's master). Other than keeping itself updated and spreading, the worm is not taking any damaging action. The concern is that, in trying to check in with the botherder on April 1st, networks (especially DNS servers) could be overwhelmed, causing massive congestion of the Internet.
Experts fear that Conficker is unstoppable. It not only has a larger botnet of infected computers waiting for future instructions, it is now more powerful than the previous variants. The worm can now bypass virus protection programs and even Microsoft's security update features. Microsoft announced it would reward $250,000 to anyone providing information leading to the capture of the Conficker author.
What Should You Do Now
Make sure that your computer is protected. See "How Do I Protect My Computer" below.
Make sure that your computer is not infected (not part of the botnet). See "How Can I Tell If My Computer Is Infected" below.
If your computer is infected, clean it. See "How Do I Clean a Computer That Is Infected with Conficker" below.
What Is the Worm Known As
Various security firms give different names to the same virus, worm, or malware. The Conficker (Microsoft, McAfee, Sophos) worm is also known as Downadup (Symantec, Trend Micro) and Kido (Kaspersky).
How Does It Spread
The worm attempts to propagate by multiple methods. The original worm spread only by exploiting a vulnerability in Windows file sharing. Variant B added the ability to spread via network shares using password guessing and to spread via removable media. It exploits a vulnerability addressed in Microsoft Security Bulletin MS08-067. See our previous security warning. The vulnerability in Windows file sharing can be exploited remotely against an unpatched PC. The worm can also copy itself to the ADMIN$ network share by brute-force guessing passwords. If the password is weak, it
The worm also tries to spread via removable media (such as USB flash drives and cameras). It copies a file named "autorun.inf" to the root of any USB storage device that is connected to the compromised computer. The autorun file will run the worm and infect the PC when the drive or device is connected to a new PC. On Windows 7, there is a social engineering trick that makes the selection of the AutoPlay action look like it is viewing a folder when it is actually running the worm. Even if the computer is patched, you can still get infected if you access one of the infected USB drives or file shares.
How Do I Protect My Computer
You need to take more than one defensive measure:
- First, if you have not already, install the patch in Microsoft Security Bulletin MS08-067, and keep your system up to date with patches.
- Turn off file sharing or admin shares if they are not needed.
- Make sure that you use complex passwords, especially for Administrator user accounts. Enable security logging (especially for failed logon attempts).
- Consider disabling autorun/autoplay on removable media (especially USB flash drives and cameras); in a domain environment this can be done by group policy.
- Don't use security scans that pop up on some web sites. All too often these are fake, using scare tactics to try to get you to purchase their "full" service. In many cases these are actually infecting you while they run.
- Install effective virus protection software, keep the subscription current, keep the virus definitions up to date, and make sure that real-time protection is not disabled.
- Do not log on with an account with administrative rights for normal use of the computer.
What Does the Conficker Worm Do to My Computer
If the user of the computer that is being attacked is not a member of the local Administrators group, the worm will have a tough time infecting the computer. On April 1st, the worm is set to check in with its creator for updated instructions; what the worm will do after that is not known. The current variant:
- Disables System Restore and deletes restore points
- Blocks access to security web sites
- Attempts to download other malware
- Creates a backdoor to download updates to the worm
- Attempts to spread via network shares and removable media
- Disables Automatic Updates
- Disables Windows Security Alerts
- Kills virus protection or security software
- Disables the viewing of hidden files
- Modifies the system's TCP settings to allow a large number of simultaneous connections
What Is Going to Happen on April 1st
The worm currently checks with a short list of popular web sites to get the current date. It then uses a mathematical algorithm to generate domain names where it will check for updates and instructions. It currently checks 250 domain names per day. Microsoft, Symantec, ICANN, and a coalition of security organizations called the "Cabal" have been working to block the domain name registration of the names where the worm will check. On April 1, the worm will increase the number of domain names where it checks for updates to 50,000. The authors need to register only one of the domain names to take control of the millions of zombie computers. Millions of zombie computers checking 50,000 domain names could create its own problems with congestion on the Internet, especially congestion at the DNS servers used to translate those domain names into IP addresses.
There is lots of speculation about what the bots will be commanded to do on or after April 1st, everything from an April Fools' joke to something much darker. It is all just speculation at this point, but researchers have determined that variant C of the worm can act both as a client and a server, sharing files in both directions. The peer-to-peer design is also highly distributed, making it more difficult for security teams to defeat the system by disabling just the command-and-control center.
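To make the date-seeded scheme concrete, here is an added illustrative example (not the worm's actual algorithm, whose details are not in this bulletin): a toy generator that derives a day's candidate names from the calendar date, and a check that flags hosts in a constructed resolver log that looked up any of them. Because the list is reproducible from the date alone, defenders can compute it ahead of time to block registrations or to spot infected hosts by their lookups, and the same computation shows the jump from 250 to 50,000 names per day.

```python
import hashlib
from datetime import date

APRIL_FIRST = date(2009, 4, 1)

def daily_domains(day, count, tlds=("com", "net", "org")):
    """Illustrative generator (assumption: NOT Conficker's real algorithm).
    Every host seeds the list with the same calendar date, so the bots, and
    anyone who knows the scheme, compute the identical candidate list."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        domains.append(f"{digest[:10]}.{tlds[i % len(tlds)]}")
    return domains

def flag_dga_lookups(log_text, day, count):
    """Return {client: set(domains)} for clients that queried any of the
    day's generated names. The log format is a constructed sample:
    '<date> <time> client <ip> query <name>. <type>'."""
    watch = set(daily_domains(day, count))
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[2] != "client" or parts[4] != "query":
            continue
        client, qname = parts[3], parts[5].rstrip(".").lower()
        if qname in watch:
            hits.setdefault(client, set()).add(qname)
    return hits

def build_sample_log(day):
    """Constructed resolver log: one host hitting generated names, one not."""
    doms = daily_domains(day, 250)
    return "\n".join([
        f"{day} 00:00:01 client 10.0.0.7 query {doms[3]}. A",
        f"{day} 00:00:02 client 10.0.0.7 query {doms[17]}. A",
        f"{day} 00:00:05 client 10.0.0.9 query www.example.com. A",
        f"{day} 00:00:06 client 10.0.0.7 query www.example.net. A",  # benign
    ])

if __name__ == "__main__":
    hits = flag_dga_lookups(build_sample_log(APRIL_FIRST), APRIL_FIRST, 250)
    for client, names in hits.items():
        print(f"{client} looked up {len(names)} generated name(s): {sorted(names)}")
    # The defenders' daily workload once the count rises to 50,000.
    print(len(daily_domains(APRIL_FIRST, 50000)), "candidate names on April 1")
```

Pointing flag_dga_lookups at real resolver logs needs only a parser for that log's line format; the watch-list logic stays the same.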
How Can I Tell If My Computer Is Infected
Symptoms of infection include:
- Network congestion (because network attacks start from these PCs and they check for updates from the botmaster)
- Account lockouts (as brute-force password guessing trips lockouts)
- Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled
- Various security-related web sites cannot be accessed
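As an added example, not part of the original bulletin: the account-lockout symptom above is the visible side of the worm's repeated password guesses against shares, and those guesses show up in the failed-logon records that the protection section asks you to enable. The script runs a sliding-window count over constructed failed-logon lines (a simplified format, not actual Windows event-log output) and flags any source host that fails ten or more logons inside one minute.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (simplified format, not real Windows event-log output):
# '<date> <time> <event> account=<name> source=<ip>'.
SAMPLE_LOG = """\
2009-03-30 09:12:01 LOGON_FAILURE account=Administrator source=10.0.0.7
2009-03-30 09:12:01 LOGON_FAILURE account=Administrator source=10.0.0.7
2009-03-30 09:12:02 LOGON_FAILURE account=Administrator source=10.0.0.7
2009-03-30 09:12:02 LOGON_FAILURE account=Administrator source=10.0.0.7
2009-03-30 09:12:03 LOGON_FAILURE account=Administrator source=10.0.0.7
2009-03-30 09:12:03 LOGON_FAILURE account=Administrator source=10.0.0.7
2009-03-30 09:12:04 LOGON_FAILURE account=Administrator source=10.0.0.7
2009-03-30 09:12:04 LOGON_FAILURE account=Administrator source=10.0.0.7
2009-03-30 09:12:05 LOGON_FAILURE account=Administrator source=10.0.0.7
2009-03-30 09:12:05 LOGON_FAILURE account=Administrator source=10.0.0.7
2009-03-30 09:15:40 LOGON_FAILURE account=jsmith source=10.0.0.22
2009-03-30 09:16:10 LOGON_SUCCESS account=jsmith source=10.0.0.22
"""

def parse_record(line):
    """Split one line into (time, event, account, source); None if malformed."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].startswith("account=") or not parts[4].startswith("source="):
        return None
    when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    return when, parts[2], parts[3][8:], parts[4][7:]

def find_guessing_bursts(log_text, threshold=10, window_seconds=60):
    """Return {source_ip: peak_failures} for sources with at least `threshold`
    failed logons inside any `window_seconds` window (a guessing burst)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec[1] == "LOGON_FAILURE":
            failures[rec[3]].append(rec[0])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for source, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[source] = max(flagged.get(source, 0), end - start + 1)
    return flagged

if __name__ == "__main__":
    for source, peak in find_guessing_bursts(SAMPLE_LOG).items():
        print(f"possible password guessing from {source}: {peak} failures in 60s")
```

A single user mistyping a password (10.0.0.22 above) stays below the threshold, so the rule points at the guessing host rather than at every locked-out account.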
It is possible to detect and remove Conficker using commercial anti-virus tools offered by many companies. However, the most recent variant has a dramatically improved capacity to disable commercial anti-virus software and block it from getting updates. You might need to get a tool written specifically for the Conficker worm, and you might need to download it from a computer that is not infected. One such tool is the F-Secure F-Downadup tool. It is a command line tool with two options: (1) detect (the default), and (2) detect and disinfect. If it detects an infection, see "How Do I Clean a Computer That Is Infected with Conficker" below.
How Do I Clean a Computer That Is Infected with Conficker
Unfortunately, the worm is difficult to remove because it disables virus protection and blocks access to security web sites. If USB drives have been infected, they might reinfect computers that have been cleaned. If poor administrator passwords are in use, systems might get reinfected over the local network.
The Romanian company BitDefender claims to have a removal tool that uses a web domain that is not blocked by the worm, but you might need to access the tool by IP address if the worm eventually blocks access.
Other tools might have to be downloaded on a computer that is not infected and then transported to the infected computer. Be careful when trying to repair a computer that is infected with Conficker, as it infects USB flash drives; just mounting the USB drive in another system could infect that system (if autorun has not been disabled for USB drives).
Kaspersky also has a removal tool (see the Kaspersky reference below). You'll probably have to download it from a computer that is not infected.
The Microsoft Malicious Software Removal Tool, March 2009 version, can fix variant B.
For the F-Secure F-Downadup tool, read the instructions included in the downloaded zip file carefully before starting. Run the tool from the command line.
Of course, the patch for the underlying vulnerability needs to be installed to prevent reinfection.
References
- Symantec Blog: W32.Downadup.C Digs in Deeper
- ComputerWorld: Downadup worm now infects 1 in every 16 PCs
- SRI International: Conficker C Analysis
- Microsoft: $250,000 Reward for Conficker Worm Authors
- Microsoft Security
- Sophos Blog: Passwords used by
- ISC Handler Diary: Conficker's autorun
- Symantec Blog: AutoPlay Worms
- Hackology Blog: Autorun.INF/AutoPlay & Downadup USB Worm
- NY Times: Computer Experts Unite to Hunt Worm (registration required)
- F-Secure: F-Downadup Tool
- Downadup (aka Conficker)
- Kaspersky: kidokiller
- Microsoft Malicious Software Removal Tool
Based on the criticality, IT Professional Services performed an emergency deployment of the update to protect from the Conficker worm to all systems under its managed care. If you need assistance installing protection from this worm, a security assessment, or disinfecting computers, IT Professional Services can help. Call us to find out more about our managed care service. To find out how vulnerable your network is, schedule a free network security analysis today.
We at IT Professional Services (ITPS)
hope that the information in this bulletin is valuable to you. ITPS
believes the information provided herein is reliable. While care has
been taken to ensure accuracy, your use of the information contained in
this bulletin is at your sole risk. All information in this bulletin is
provided "as-is", without any warranty, whether express or implied, of
its accuracy, completeness, fitness for a particular purpose, title or
non-infringement, and none of the third-party products or information
mentioned in the bulletin are authored, recommended, supported or
guaranteed by ITPS. ITPS shall not be liable for any damages you may
sustain by using this information, whether direct, indirect, special,
incidental or consequential, even if it has been advised of the
possibility of such damages.