A malicious software program known as Conficker that many feared would wreak havoc on April 1 is slowly being activated, weeks after being dismissed as a false alarm, security experts said. Conficker, also known as Downadup or Kido, is quietly turning thousands of personal computers into servers of e-mail spam and installing spyware, they said. The worm started spreading late last year, infecting millions of computers and turning them into “slaves” that respond to commands sent from a remote server that effectively controls an army of computers known as a botnet.
- Is my computer infected with the Conficker worm? Probably not. Microsoft released a security update in October 2008 (MS 08-067) to protect against Conficker. If your computer is up-to-date with the latest security updates and your antivirus software is also up-to-date, you probably don’t have the Conficker worm. If you are still worried about Conficker, follow these steps:
- 1. Go to http://update.microsoft.com/microsoftupdate to verify your settings and check for updates.
- 2. If you can’t access http://update.microsoft.com/microsoftupdate, go to http://safety.live.com and scan your system.
- 3. If you can’t go to http://safety.live.com, contact support at 1-866-PCSafety or 1-866-727-2338. This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada. For support in other countries, visit the Worldwide computer security information page.
- What does the Conficker worm do? To date, security researchers have discovered the following variants of the worm in the wild.
- Win32/Conficker.A was reported to Microsoft on November 21, 2008.
- Win32/Conficker.B was reported to Microsoft on December 29, 2008.
- Win32/Conficker.C was reported to Microsoft on February 20, 2009.
- Win32/Conficker.D was reported to Microsoft on March 4, 2009.
- Win32/Conficker.E was reported to Microsoft on April 8, 2009.
- Win32/Conficker.B might spread through file sharing and via removable drives, such as USB drives (also known as thumb drives).
- The worm adds a file to the removable drive so that when the drive is used, the AutoPlay dialog box will show one additional option. The Conficker worm can also disable important services on your computer. In the screenshot of the AutoPlay dialog box below, the option Open folder to view files — Publisher not specified was added by the worm.
- The highlighted option — Open folder to view files — using Windows Explorer is the option that Windows provides and the option you should use.
- How does the Conficker worm work? Here’s an illustration of how the Conficker worm works.
- How do I remove the Conficker worm? If your computer is infected with the Conficker worm, you may be unable to download certain security products, such as the Microsoft Malicious Software Removal Tool, or you may be unable to access certain Web sites, such as Microsoft Update. If you can’t access those tools, try using the Windows Live safety scanner.
- Where can I find more technical information about the Conficker worm and how can I stay up to date on the Conficker worm?
- • For additional information, see Centralized Information About the Conficker Worm.
- • For more technical information about the Conficker worm, see the Microsoft Malware Protection Center Virus Encyclopedia.
- • Bookmark the Microsoft Malware Protection Center portal and the Microsoft Malware Protection Center blog for updated information.
- • For symptoms and detailed information about how to remove the Conficker worm, see Help and Support: Virus alert about the Conficker Worm.
- • To continue to get updated information on security, sign up for the Microsoft Security for Home Computer Users newsletter. For more information, see How to prevent computer worms and How to remove computer worms.
Its unidentified creators started using those machines for criminal purposes in recent weeks by loading more malicious software onto a small percentage of computers under their control, said Vincent Weafer, a vice president with Symantec Security Response, the research arm of the world’s largest security software maker, Symantec Corp. He said that while he believes the number of infected machines that have become active is relatively small, he expects a consistent stream of attacks to follow, with other types of malware distributed by Conficker’s authors. “Expect this to be long-term, slowly changing,” Weafer said of the worm. “It’s not going to be fast, aggressive.” Conficker installs a second virus, known as Waledac, that sends out e-mail spam without knowledge of the PC’s owner, along with a fake anti-spyware program, Weafer said.
The Waledac virus recruits the PCs into a second botnet that has existed for several years and specializes in distributing e-mail spam. Conficker also carries a third virus that warns users their PCs are infected and offers them a fake anti-virus program, Spyware Protect 2009 for $49.95, according to Russian-based security researcher Kaspersky Lab. If they buy it, their credit card information is stolen and the virus downloads even more malicious software.
“This is probably one of the most sophisticated botnets on the planet. The guys behind this are very professional. They absolutely know what they are doing,” said Paul Ferguson, a senior researcher with Trend Micro Inc, the world’s third-largest security software maker. He said Conficker’s authors likely installed a spam engine and another malicious software program on tens of thousands of computers since April 7. He said the worm will stop distributing the software on infected PCs on May 3 but more attacks will likely follow. “We expect to see a different component or a whole new twist to the way this botnet does business,” said Ferguson, a member of The Conficker Working Group, an international alliance of companies fighting the worm.
Researchers had feared the network controlled by the Conficker worm might be deployed on April 1 since the worm surfaced last year because it was programmed to increase communication attempts from that date. The security industry formed the task force to fight the worm, bringing widespread attention that experts said probably scared off the criminals who command the slave computers. The task force initially thwarted the worm using the Internet’s traffic control system to block access to servers that control the slave computers. Viruses that turn PCs into slaves exploit weaknesses in Microsoft’s Windows operating system.
The Conficker worm is especially tricky because it can evade corporate firewalls by passing from an infected machine onto a USB memory stick, then onto another PC. The Conficker botnet is one of many such networks controlled by syndicates that authorities believe are based in eastern Europe, Southeast Asia, China and Latin America.
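The removable-drive route described above, where a file added to the drive makes AutoPlay show an extra "Open folder to view files" option, can be checked for before a drive is opened. The following Python sketch is an added example, not part of the original article or of Microsoft's guidance; it assumes the added file is the drive's autorun.inf, and the sample contents and `PLACEHOLDER_COMMAND` are constructed.

```python
import re

# Text of the genuine Windows option quoted in the article.
BUILTIN_LABEL = "open folder to view files"
COMMAND_KEYS = ("open", "shellexecute")  # autorun.inf keys that start a program

def parse_autorun(raw: bytes) -> dict:
    """Return key/value pairs of the [autorun] section (keys lower-cased).

    Lines that are not plain 'key=value' are skipped, so junk padding placed
    around the meaningful lines does not hide them from the check.
    """
    entries, in_section = {}, False
    for line in raw.decode("latin-1").splitlines():  # latin-1 never fails
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            in_section = header.group(1).strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if re.fullmatch(r"[a-z]+", key):
                entries[key] = value.strip()
    return entries

def findings(raw: bytes) -> list:
    """Flag an autorun.inf that runs a command, noting a look-alike label."""
    entries = parse_autorun(raw)
    commands = [f"{k}={entries[k]}" for k in COMMAND_KEYS if entries.get(k)]
    if not commands:
        return []
    label = re.sub(r"\s+", " ", entries.get("action", "")).strip().lower()
    if label.startswith(BUILTIN_LABEL):
        return ["look-alike AutoPlay label runs " + ", ".join(commands)]
    return ["AutoPlay entry runs " + ", ".join(commands)]

# Constructed samples (not taken from a real infection).
SUSPICIOUS = (b"\x8f\x03junk\xfa\x10\r\n[AutoRun]\r\n\xa1\xb2 padding\r\n"
              b"\xd0\x9a=\x01\x02\r\n"
              b"Action=Open  folder to view files\r\n"
              b"shellexecute=PLACEHOLDER_COMMAND\r\n")
BENIGN = b"[autorun]\r\nlabel=Backup Drive\r\n"

if __name__ == "__main__":
    print(findings(SUSPICIOUS))
    print(findings(BENIGN))
```

A drive whose autorun.inf yields a look-alike finding should be opened only through the option Windows itself provides, as the FAQ above advises.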
This article is from Foxnews.com April 27, 2009
Microsoft information was also obtained from the foxnews.com article