Conficker Worm – FYI (Alert!)

Posted on Updated on

The Conficker Worm is the latest buzz right now in IT security. Conficker, initially just considered a trojan but now considered a worm, is now said to have the ability to identify antivirus software and/or malware scanners running on the infected PC along with the ability to disable the identified applications.

Side note: Trojan horses are files claiming to be something desirable but actually contain malicious code that when triggered cause loss, or even theft, of data. Worms, on the other hand, are programs that replicate themselves from system to system without the use of a host file. Worms spread from computer to computer, but unlike a virus, it has the capability to travel without any human action.

Worm:Win32 Conficker - Photo Credit: Wikipedia

Conficker, also known as Downup, Downadup and Kido, is a very sophisticated worm that surfaced in October 2008 and took advantage of a security hole in the Microsoft Windows operating system. It is also known by the following names:

TA08-297A (other)
CVE-2008-4250 (other)
VU827267 (other)
Win32/Conficker.worm.62976 (AhnLab)
Trojan.Downloader.JLIW (BitDefender)
Win32/Conficker.A (CA)
Win32/Conficker.A (ESET)
Trojan-Downloader.Win32.Agent.aqfw (Kaspersky)
W32/Conficker.worm (McAfee)
W32/Conficker.E (Norman)
W32/Confick-A (Sophos)
W32.Downadup (Symantec)
Trojan.Disken.B (VirusBuster)

So what does it do?

Dong Ngo from CNET wrote:

The hole affected all 32-bit and 64-bit Windows operating systems even those with latest service packs. The hole allowed the virus to infect the computer without any user interaction via the Internet, local network or USB thumb drives. Once infected, it stops the computer’s security services as well as Windows update service and disabled tools and software designed to remove it. Apart from that, the worm also allows the creator to remotely install other malicious codes on the infected computer.

Consequently, the worm is programmed to update itself from domains it randomly generates. By April 1, 2009, the mount of domains the worm generates and goes to  find update could grow to 50,000 a day. The owner of the virus only needs to use one of these domains to host the update. This makes it virtually impossible for authorities to track the source of the update.

Now, what do we do?

Applying the MS08-087 patch to Windows would have been sufficient initially, but unfortunately, it may not be that simple now. Antivirus applications are trying their best to keep up and provide solutions that will remove the malware, but as previously mentioned, those are being shut down by the worm. Still, I suggest regularly updating your antivirus software especially as April 1st , the presumed date of worm activation, looms near.

Michael Kassner wrote on TechRepublic:

Officially, the only real resolution is to reformat and reload, especially since Conficker.C still resides at the application level. If the developers decide to bury the malware in the BIOS or SMM, it could get ugly.

I would just suggest to constantly keep yourself updated for whatever developments experts will find so you would know what to do just in case.

Photo Credits: Wikipedia;


One thought on “Conficker Worm – FYI (Alert!)

    […] Conficker Worm? Hopefully, no. 1 04 2009 To know if you’re actually infected by the Conficker Worm, a fast way is to try visiting any major security software publisher’s site such as AVG, McAfee, […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s