The conficker virus – 9 million PCs and counting

What is conficker and what does it do?

It’s a worm/virus that will infect computers via a vulnerability (MS08-067) in any Windows XP or Vista machines if the computer hasn’t been patched with the patch Microsoft released back in October/November.  Once infected, the virus:

  • Embeds itself into the system services and makes some changes to the registry in order to run constantly, including after reboots.
  • Disables antivirus and other security services, as well as blocks websites related to those services.
  • Disables system restore and deletes all restore points making the recovery process that much more difficult.
  • Opens the infected machine to more infections.
  • Scans the subnet the infected computer is on for vulnerable machines and passes the infection on by creating an HTTP server for the new victim to download it from.
  • Also copies itself to any usb drives, making the potential for spreading on networks much higher.
  • Can crack weak passwords to accounts and lock you out of your own files and folders.
  • It also schedules tasks and edits the autorun.inf file enabling it to re-activate after a computer is “cleaned.”

How do I know if my computer is infected?

I mentioned a few noticeable things above but here are the things an average computer user would notice:

  • The computer will feel much more sluggish than normal.
  • Your internet connection might become much slower as well.
  • You may not be able to log into your computer.  If the password is weak it could crack it and lock you out.
  • Automatic Windows updates will not work.
  • You may not be able to get to any websites related to virus scanner updates or Windows updates.
  • This virus is known to disable any security software you have – firewalls or virus scanners.

What can I do to protect myself?

  1. Run a Windows update to make sure your computer has the patch installed.
  2. Windows XP
    Open Internet Explorer  -> go to the tools menu -> click on windows update -> choose express and download all suggested updates.

    Windows Vista
    Click on your start menu -> in the search box type windows update -> click check for updates in the left column and download any important updates.

  3. Update your virus scanner and run a scan to be safe.  If you do not have a scanner I personally like AVG free.  Symantec has a new thing called Norton Security Scan which is also free.  I’ve never tried it so I don’t have an opinion about it.

What if my computer is infected?

Run a virus scan in safe mode (hold F8 down when restarting the computer).  Safe mode is used in times like this because nearly every service and program that typically runs whenever you turn your computer on will be turned off, making it easier for the scanner to remove any infections.  Microsoft suggests downloading their Windows Malicious Software Removal Tool.  If you have a Norton product you can go here for information on how to remove it.  McAfee also has information, although not very helpful in my opinion.  In some instances the virus scanner may not be able to remove the infection so a more technical solution is needed.

F-Secure is the only company I’ve found so far that has an actual removal tool specifically for this virus/worm, but it is in the beta stage so be careful using it if you choose to do so.  I just ran it on my laptop without any issues.  If I come across someone at work who has this I’ll have no problem using it if a normal virus scan is unable to help.  Especially since it sounds like unless your scanner can remove it, all you can do is reformat so you don’t have much to lose.

More information can be found at and BBC News.  If you’re a geek like me F-Secure is keeping track of the number of infections and also has a list of domains network admins can block to help prevent this from spreading.

3/31/09: With yet another explosion in news coverage I’m adding a couple more removal tool links from F-Secure.  The one linked to above is no longer a beta version.  They are all for different variants of this same virus.

Everything in the article is still accurate, the basic behavior hasn’t changed at all.  I heard that the security professionals haven’t been able to reverse engineer the virus so they don’t even know what is supposed to happen on April 1st.  That leads me to a question, if they haven’t reversed engineered it to figure out exactly what it does, where did the doomsday date of April 1st come from?

Removal tool #2

Removal tool #3

, ,

  1. #1 by jvortega on March 8, 2009 - 6:05 PM

  2. #2 by Phil Barnhart on February 1, 2009 - 3:37 PM

    Not only can this virus disrupt your PC, since it can disable your ability to connect to software update sites it leaves you vulnerable to even more malware. You need to do more than simply disable Autorun if you already have this virus! Tools and links to help fix are available at

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: