Conficker Virus – A simple check

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in October 2008. The worm uses a combination of advanced malware techniques which has made it difficult to counter.

Experts say it is the worst infection since SQL Slammer. Estimates of the number of infected computers range from almost 9 million PCs to 15 million; a conservative minimum estimate is closer to 3 million, which is still more than enough to cause great harm.

Recent estimates of the number of infected computers have been notably more difficult to make because of changes in the propagation and update strategy of recent variants of the worm.

The potential scale of infection is large because 30 percent of Windows computers do not have the Microsoft Windows patch released in October 2008 to block this vulnerability.

Five variants of the Conficker worm are known and have been dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively. 

The Conficker worm spreads itself primarily through a buffer overflow vulnerability in the Server Service on Windows computers. The worm uses a specially crafted RPC request to execute code on the target computer.

When executed on a computer, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.
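As an added example (not part of the original post), the following PowerShell snippet lists the state of the services named above so an administrator can triage a host quickly. The service short names (wuauserv, wscsvc, WinDefend, ERSvc, WerSvc) are assumed from standard Windows builds of that era and may differ on other versions.

```powershell
# Added triage example, not from the original post. A disabled or
# stopped protective service is an indicator to investigate, not proof
# of infection: administrators sometimes disable these deliberately.
# Service short names below are assumed from standard Windows builds.
$checks = @(
    @{ Name = 'wuauserv';  Label = 'Windows Automatic Update' },
    @{ Name = 'wscsvc';    Label = 'Windows Security Center' },
    @{ Name = 'WinDefend'; Label = 'Windows Defender' },
    @{ Name = 'ERSvc';     Label = 'Windows Error Reporting (XP)' },
    @{ Name = 'WerSvc';    Label = 'Windows Error Reporting (Vista and later)' }
)

$suspicious = @()
foreach ($c in $checks) {
    $svc = Get-Service -Name $c.Name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }   # service does not exist on this Windows version
    # Win32_Service exposes the configured start mode (Auto, Manual, Disabled)
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($c.Name)'"
    $line = '{0,-42} status={1,-8} start={2}' -f $c.Label, $svc.Status, $wmi.StartMode
    # Flag services that are disabled outright, or set to start automatically
    # but are not running; a Manual service that is stopped is normal.
    if ($wmi.StartMode -eq 'Disabled' -or
        ($wmi.StartMode -eq 'Auto' -and $svc.Status -ne 'Running')) {
        $suspicious += $line
    }
    Write-Output $line
}

if ($suspicious.Count -gt 0) {
    Write-Warning ('{0} protective service(s) stopped or disabled; ' -f $suspicious.Count +
                   'run the EyeChart check and, if needed, the removal tools.')
}
```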

It receives further instructions by connecting to a server or peer and downloading a binary update. Those instructions may tell it to propagate, gather personal information, or download and install additional malware onto the victim's computer. The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe.

Joe Stewart from SecureWorks has worked out an easy EyeChart for a quick check on whether your computer is infected by Conficker. The EyeChart can be accessed at

http://www.confickerworkinggroup.org/infection_test/cfeyechart.html.

And in case you are infected, check out the official Removal Tools at

http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/RepairTools#toc4

And in case you are not infected, either thank your stars or thank your IT manager for keeping your network well patched.