Conficker/Downadup Worm set to update on April 1, 2009
The newest version of the Conficker Worm, a.k.a. Downadup, said to have already infected over 10 million PCs, is programmed to begin contacting a huge list of new domain names, beginning on April 1, 2009. Each PC that is currently infected with the most recent variant of this Worm will begin generating a list of 50,000 domain names, many of which might be registered by the criminals behind this Worm. It will then pick names it generates on each infected computer and try to contact that domain, for further instructions, or program updates. If those domains are in fact active and under the control of the Botmasters running the Conficker Worm, updates will be sent to all of the PCs making contact on, or after April 1. Those updates are probably going to make it more difficult to disinfect these PCs, or to contact any security websites for malware removal tools.
If you are not already infected it is because you took the proper preventative measures last October 23, 2008. That was the date that Microsoft released a sudden, out-of-cycle critical update, in security bulletin MS08-067 and Windows Update patch kb958644, which plugged a vulnerability in the Windows Server Service. That vulnerability is what was exploited by the first two releases of the Conficker Worm (Conficker.A and .B). Since most Windows users who run legitimate copies of Windows have set their computers to receive and apply Automatic Windows Updates, they were protected when the Worm was first released in the wild, in November, 2008.
However, people who turned off Automatic Updates because they don't trust Microsoft updates, or because they are using pirated copies of Windows and don't want to get nagged about it, probably got hit by this Worm, soon after its release. The highest percentages of Conficker infections occurred in countries with the highest numbers of pirated Windows operating systems. These nations include China, Russia, Argentina, and Brazil.
I would like to point out that there is another group of vulnerable people, who may not realize that they are critically exposed to the Conficker Worm (and the likes). These are legitimately licensed users of Windows XP, or newer, who had to reinstall their operating systems to fix other problems or malware infections, any time after the MS08-067 patch was released. If you let any significant time elapse between reinstalling Windows and then obtaining all available patches, especially MS08-067, you could have been exposed to a Conficker attack and possibly been infected and don't know it yet (not likely - the Worm causes noticeable trouble on a PC). This is why I always make my first Internet connection after validation to Windows Updates (repeatedly, until all patches have been installed)!
If you want to know if your Windows PC is infected just try to go to Windows Updates, either via the link in your Start Menu, or using the link in Internet Explorer, under Tools. If you can't open Windows Updates at all, but can visit other non-security related websites (Yahoo, MSN, CNN, etc), you just may be Confickered. To find out for sure you should run scans with any anti virus software you have installed. Try to update it first, before scanning. If you are already infected with Conficker.B, or Conficker.C, you will not be able to update most anti virus definitions at all. This is caused by the Worm denying access to any website run by any major security vendor.
If this is the case for your PC(s) there is a downloadable Conficker Removal Tool available from Bit Defender, that removes Conficker A, B and C variants. The removal tool is available here. There is also an online scanner on the landing page, which you can run to see if you are indeed infected. If the Bit Defender page is inaccessible, here is the URL for the online scanner: http://91.199.104.31
Note, that licensed users of Trend Micro Internet Security products are already protected against the Conficker threats.
I will have more to tell you about this Worm after tomorrow comes and goes. We will see what we shall see!
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.