Federal Information About the Conficker Worm
February 2, 2009 Computer Safety Tip
So far, only two variants of the worm have been discovered. The first, Worm:Win32/Conficker.A, was reported in November 2008 and propagates only by exploiting the vulnerability addressed by security update MS08-067.
The second, Worm:Win32/Conficker.B, was reported in December 2008.
This variant uses multiple propagation methods:
1. It attempts to infect other computers on the network by exploiting MS08-067. Any Windows computer on which the security update has not been fully installed is vulnerable.
2. It attempts to copy itself to the ADMIN$ share of the target machine, which is the Windows folder by default. It first tries using the identity of the currently logged-on user. This works if the same user account is used on different computers on the network and that account has administrative rights. If that fails, it obtains a list of user accounts on the target machine and attempts to connect using each user name with a list of weak passwords. If one of these combinations works and that account has write permission, it copies itself to the ADMIN$ share.
3. It can also copy itself to removable media such as USB drives and other portable storage. It adds an INF file so that when the removable media is used, the AutoPlay dialog shows one additional option. “Open folder to view files – Publisher not specified” is the option added by the worm, while the highlighted option “Open folder to view files – using Windows Explorer” is the one Windows provides. If the user selects the first option, the worm runs.
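As an added illustration (not part of the advisory), the following Python script inspects an autorun.inf taken from removable media and flags the lookalike pattern described in item 3: an INF that launches a program while presenting itself as Windows' own "Open folder to view files" entry. The key names are standard autorun.inf keys; the two sample INF contents are constructed for this example.

```python
import re

# Constructed sample in the style described above (not a real worm file):
# the "action" text and the folder icon copy Windows' own Explorer entry so
# the malicious item looks like the built-in option.
LOOKALIKE_INF = """\
[AutoRun]
Action=Open folder to view files
Icon=%SystemRoot%\\system32\\shell32.dll,4
ShellExecute=RECYCLER\\sample.exe
UseAutoPlay=1
"""

# Constructed benign example: a vendor disc that only sets a label and icon.
BENIGN_INF = """\
[autorun]
label=Vendor Tools
icon=setup.ico
"""

LAUNCH_KEYS = ("open", "shellexecute")   # keys that start a program


def parse_inf(text):
    """Tolerant INI parser: section and key names are folded to lower case,
    blank lines and ';' comments are skipped, and junk lines are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_autorun(text):
    """Return (suspicious, findings) for the text of one autorun.inf."""
    auto = parse_inf(text).get("autorun", {})
    findings = []
    launches = any(k in auto for k in LAUNCH_KEYS)
    if launches:
        findings.append("launches a program when the media is inserted")
    action = auto.get("action", "").lower()
    if "open folder" in action or "view files" in action:
        findings.append("action text imitates the Windows 'Open folder to view files' entry")
    if "shell32.dll" in auto.get("icon", "").lower():
        findings.append("borrows a system icon to look like a built-in option")
    if auto.get("useautoplay") == "1":
        findings.append("requests AutoPlay handling (UseAutoPlay=1)")
    # A launcher dressed up as the Explorer entry is the pattern the advisory
    # describes; a launcher on its own is not evidence of anything.
    return launches and len(findings) > 1, findings
```

Running `assess_autorun` over each autorun.inf found on inserted media gives a quick triage verdict; the findings list says why a file was flagged.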
Conficker also makes several configuration changes so that it runs every time Windows starts. It adds itself as a service and also adds a registry value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It also terminates various services, which should be re-enabled. Worm:Win32/Conficker.B attempts to terminate any process whose name suggests that it is an antivirus program or other security software. It also blocks access to the web sites of many antivirus and security vendors and to Windows Update.
Customers need to take multiple measures to minimize the risk of infection by the worm:
1. Fully install the MS08-067 update on all Windows computers in your environment.
2. Use an antivirus product with solid detection of Conficker. Such a program should be able to block the worm from copying itself to other machines; for example, Microsoft Forefront Client Security and Windows Live OneCare can detect and block this worm.
3. Use strong passwords for every user account and for every file share in your environment.
4. Choose the AutoPlay setting that works best for you.
If you have a network that has been infected by this threat, use the steps above to harden your environment.