Conficker computer worm infections soar

January 19, 2009

New reports indicate that the proliferation of the Conficker computer worm (also known as Kido or Downadup) has nearly quadrupled in the last four days. The worm has gone from just over 2 million Microsoft Windows computers infected to 8.9 million, according to estimates by anti-virus company F-Secure. Though Microsoft issued a patch with a severity rating of "critical" in mid-October 2008, just days after Conficker was first discovered, many business computers still have not applied the patch. Most to all of the infected computers are on corporate networks; Conficker cannot spread through the Internet or e-mails. Instead, when an infected laptop connects to a corporate network, the worm searches for vulnerable computers and attempts to guess its password. Conficker also infects any network shares the user may be connected to. The worm has a list of about one hundred common passwords, including "password" and "qwerty". Conficker also infects USB sticks, which then infect any Microsoft Windows computer the stick is plugged in to.

After it gains access to the computer, Conficker adds itself to the Windows processes "services.exe", "explorer.exe" and "svchost.exe", then makes a copy of itself as a DLL file with a random five- to eight-character name. The worm also disables Windows services such as Windows Update and Windows Defender. Conficker also blocks access to most security-related sites, including Windows Update. The worm then checks several websites for the current date, then generates a domain name based on that date and downloads infected files from that domain. This domain is believed to be in Ukraine. Conficker makes itself very hard to remove by registering the downloaded files as kernel drivers and the DLL copy of itself of a service.

Microsoft has advised users to install the patch (security bulletin MS08-067), then run the latest edition of the Windows Malicious Software Removal Tool.