Support Overview

Help Desk

Online Service Request

Emergency IT Support

Security Alerts

Computer Usage Tips

Security Alerts

Security Warning: New Variant Conflicker Worm to Activate on April 1

The Conflicker worm is the most prolific malicious software ("malware") to appear since the SQL Slammer worm epidemic of 2003.  Researchers claim that today 1 in every 16 PCs across the world is affected by the Conflicker Worm [1] and the worm had now infected an estimated 12 million or more PCs worldwide.

A new variant (C) of the Conflicker worm was discovered on March 6, 2009.  (The worm has an automatic update mechanism built in.)   It disables Windows Automatic Updates, shuts down virus protection, and blocks access to security web sites.

Researchers have found that the worm is set to take some action on April 1st, but it is still not know what is the purpose of the worm.  So far, the worm is spreading and building a botnet of infected computers turning them into "zombies" that can be commanded to take some action by the bothearder (botnet’s masters).  Other than keeping the worm alive and spreading, the worm is not taking any damaging action.  One concern is that, in trying to check in with the bothearder on April 1st, networks (especially DNS servers) could be overwhelmed and cause massive congestion of the Internet.

Experts fear that Conflicker is unstoppable.  It not only has a larger botnet of infected computers waiting for future instructions, it’s now more powerful than the previous version.  The worm can now bypass virus protection programs and even Microsoft’s security update features [2].  Recently Microsoft announced it would reward $250,000 to anyone providing information leading to the capture of the Conficker author [3].

What Should You Do Now

Make sure that your computer is protected.  See "How Do I Protect My Computer" below.

Make sure that your computer is not infected (not part of the botnet).  See "How Can I Tell If My Computer Is Infected" below.

If your computer is infected, clean it.  See "How Do I Clean a Computer That is Infected with Conflicker"  below.

What is the Worm Knows As

Various security firms give different names to the same virus, worm, or malware.  The Conflicker (Microsoft, McAfee, Sophos) worm is also known as Downadup (Symantec, Trend Micro, F-Secure) and Kido (Kaspersky).

How Does It Spread

The worm attempts to propagate by multiple methods.  The original worm spread only by exploiting a vulnerability in Windows file sharing.  Variant B added the ability to spread via network shares using password guessing and spread via removable drives.

It exploits a vulnerability addressed in Microsoft Security Bulletin MS08-067 [4].  See our previous security warning.  The vulnerability in Windows file sharing can be exploited remotely to an unpatched PC.

It can copy itself to the ADMIN$ network share by brute-force guessing passwords [5].  If the password is weak, it may succeed.

The worm also tries to spread via removable media (such as USB flash drives and cameras).  It copies a file, named "autorun.inf", to the root of any USB storage devices that are connected to the compromised computer.  The autorun file will run the worm and infect the PC when the drive or device is connected to a new PC.  On Windows 7, there is a social engineering trick that makes the selection of the AutoPlay action look like it is viewing a folder when it is actually running the worm [6].

Even if the computer is patched, you can still get infected if you access one of the infected USB drives or file shares.

How Do I Protect My Computer

You need to take more than one defensive measure.

First, if you have not already, install the patch in Microsoft Security Bulletin MS08-067 [4].  Always keep your system up-to-date with patches.

Turn off file sharing or admin shares if not needed.

Make sure that you use complex passwords, especially for Administrator user accounts.  Enable security event logging (especially for failed logon attempts).

Consider disabling autorun/autoplay on removable media (especially USB flash drives and cameras) [7], [8].  In a domain environment this can be done by a group policy.

Don’t use security scans that pop up on some web sites.  All too often these are fake, using scare tactics to try to get you to purchase their “full” service.  In many cases these are actually infecting you while they run.

Install effective virus protection software, keep the subscription current, keep the virus signatures up to date, and make sure that the real-time protection is not disabled or stopped.

Do not log on with an account with administrative rights for normal use of the computer.

What Does the Conflicker Worm Do to Infected Computers

If the user of the computer that is being attacked is not a member of the local Administrators group, the worm will have a tough time infecting the computer.
The current variant:
  • Disables system restore and deletes restore points
  • Blocks access to security web sites
  • Attempts to download other malware
  • Creates a backdoor to download updates to the worm
  • Attempts to spread via network shares and removable media
  • Disables Automatic Updates
  • Disables Windows Security Alerts
  • Kills virus protection or security analysis tool running processes
  • Disables the viewing of hidden files
  • Modifies the system's TCP settings to allow a large number of simultaneous connections
On April 1st, the worm is set to check in with the creator for updated instructions.  What the worm will do after that is not know.

What Is Going to Happen on April 1st

The worm currently checks with a shot list of popular web sites to get the current date.

It uses a mathematical algorithm to generate domain names where it will check for updates and instructions.  It currently checks 250 domain names per day.  Microsoft, Symantec, ICAN, and a conglomeration of security organizations called "Cabal" have been working to block the domain name registration of names where the worm will check for updates [9].  On April 1, the worm will increase the number of domain names where it checks for updates to 50,000.  The authors need to register only one of the domain names to take control of the millions of zombie computers.

Ten million zombie computers checking the domain name of 50,000 names could create its own problems with congestion on the Internet, especially congestion with the DNS server used to translate those domain names into an IP address.

There is lots of speculation about what the bots will be commanded to do on or after April 1st, everything from an April Fools joke to some thing much darker.  It is all just speculation at this point, but researchers have determined that variant C of the worm can act both as a client and a server, sharing files in both directions.  The peer-to-peer design is also highly distributed, making it more difficult for security teams to defeat the system by disabling just the command-and-control center.

How Can I Tell If My Computer Is Infected

Symptoms of infection include:
  • Network congestion (because network attack starts from these PCs and checking for updates from botmaster)
  • Account lockouts (as brute force password guessing trips lockouts)
  • Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
  • Various security-related Web sites cannot be accessed

It is possible to detect and remove Conficker using commercial anti-virus tools offered by many companies.  However, the most recent variant has a dramatically improved capacity to disable commercial anti-virus software and block them from getting updates.  You might need to get a tool specifically for the Conflicker worm and might need to download it from a computer that is not infected.

One such tool is the F-Secure F-Downadup tool [10].  It is a command line tool with two options to run, (1) detect (the default), (2) detect and disinfect.  If it detects an infection, see "How Do I Clean a Computer That is Infected with Conflicker" below.

How Do I Clean a Computer That is Infected with Conflicker

Unfortunately, the worm is difficult to remove because it disabled virus protection and blocks access to security web sites.  If USB drives have been infected, they might reinfect computers that have been cleaned.  If poor administrator passwords are used, systems might get reinfected over a local network.

The Romanian BitDefender claims to have a solution [11] that uses a web domain that is not blocked by the worm, but you might need to access the tool by IP address if the worm eventually blocks access.

Other tools might have to be downloaded on a computer that is not infected and then transported to the infected computer.  Be careful when trying to repair a computer that is infected with Conflicker as it infects USB flash drives; then just mounting the USB drive in another system could infect that system (if autorun has not been disabled for USB drives).

Kaspersky has a removal tool named kidokiller [12].  You'll probably have to download it from a computer that is not infected.

The Microsoft Malicious Software Removal Tool (MSRT) [13] March 2009 version can fix variant B.

The F-Secure F-Downadup tool [10] can disinfect.  Read the instructions included in the downloaded zip file carefully before starting.  Run the tool with the command line:

   f-downadup.exe --disinfect

Of course, the patch for the underlying vulnerability needs to be installed to prevent reinfection.


McAfee: W32/Conficker.worm

Microsoft: Worm:Win32/Conficker.C

Symantec: W32.Downadup.C

Kaspersky: Net-Worm.Win32.Kido

Symantec Blog: W32.Downadup.C Digs in Deeper

[1] ComputerWorld: Downadup worm now infects 1 in every 16 PCs

[2] SRI International Conflicker C Analysis

[3] Microsoft $250,000 Reward for Conflicker Worm Authors

[4] Microsoft Security Bulletin MS08-067

[5] Sophos Blog: Passwords used by Conflicker

[6] ISC Handler Diary: Conficker's autorun and social engineering

[7] Symantec Blog: AutoPlay Worms

[8] Hackology Blog: Autorun.INF/AutoPlay & Downadup USB Worm

[9] NY Times: Computer Experts Unite to Hunt Worm (registration required)

[10] F-Secure: D-Downadup Tool

[11] BitDefender: BDTOOLS.NET Remove Downadup (aka Conficker or Kido)

[12] Kaspersky: kidokiller

[13] Microsoft Malicious Software Removal Tool

Managed Services

Based on the criticality, IT Professional Services performed an emergency deployment of the update to protect from the Conflicker worm to all systems under managed care.

Professional Services

If you need assistance installing protection from this worm, a security assessment, or disinfecting computers, IT Professional Services can help. Call our help desk.

Find out more about our managed care service.

To find out how vulnerable your network is schedule a free network security analysis today.

We at IT Professional Services (ITPS) hope that the information in this bulletin is valuable to you. ITPS believes the information provided herein is reliable. While care has been taken to ensure accuracy, your use of the information contained in this bulletin is at your sole risk. All information in this bulletin is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the bulletin are authored, recommended, supported or guaranteed by ITPS. ITPS shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.

Privacy Policy

© 2009-2013 IT Professional Services All rights are reserved.  (805) 650-6030