
Win32/Conficker


Microsoft security software detects and removes this threat.

This family of worms disables several important Windows services and security products. The worms can also download files and run additional malicious code on your PC, and the initial infection arrives over Windows file sharing (SMB, TCP port 445), the network path through which the vulnerable service is reached.

Conficker worms infect PCs across a network by exploiting a vulnerability in the Windows Server service (CVE-2008-4250). This vulnerability is explained and resolved in Security Bulletin MS08-067; a PC that has the update installed cannot be infected by this route, although it can still be reached by the other methods below.

Some variants can also spread via removable and mapped drives and by guessing weak passwords on network shares.



What to do now

Microsoft strongly recommends that you:

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

You can also see our advanced troubleshooting page for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Additional recovery steps

You might not be able to connect to websites related to security applications and services that can help you remove this worm. For example, downloading antivirus updates might fail. In this case you will need to use an uninfected PC to download any appropriate updates or tools and then transfer these to the infected PC.

Microsoft Help and Support have provided a detailed guide to removing a Conficker infection from an infected PC, either manually or by using the Malicious Software Removal Tool (MSRT).

More information about deploying MSRT in an enterprise environment can be found here:

Threat behavior

Variant comparison

There have been several variants of Conficker detected. The following summarizes and distinguishes the critical features of each variant (discovery date, payload trigger date, spreading methods, payload, additional info):

Worm:Win32/Conficker.A
  Discovered: 21 Nov 2008
  Payload trigger date: 25 Nov 2008 and later
  Spreads via: exploiting the vulnerability described in Security Bulletin MS08-067
  Payload:
    - Generates 250 URLs daily that it checks for updates
    - Resets (deletes) System Restore points
  Additional info: the name of this family was derived by selecting fragments from trafficconverter.biz, a string found in this variant.

Worm:Win32/Conficker.B
  Discovered: 29 Dec 2008
  Payload trigger date: 1 January 2009 and later
  Spreads via, in addition to the method used by the .A variant:
    - Network shares with weak passwords
    - Mapped and removable drives
    - A scheduled task that runs copies of the worm on targeted PCs
  Payload, in addition to the .A variant's payload (although .B uses a different method to generate URLs):
    - Blocks access to many security-related websites
    - Changes your PC's settings
    - Stops system and security services
  Additional info: this variant built on the functionality of the .A variant by adding new spreading mechanisms and by making itself more difficult to remove.

Worm:Win32/Conficker.C
  Discovered: 20 Feb 2009
  Payload trigger date: 1 January 2009 and later
  Spreads via: the same methods listed above for the .B variant
  Payload, in addition to the payloads listed above for .A and .B:
    - Has an additional method for downloading files that uses peer-to-peer communications
    - Adds checks to verify the authenticity and validity of content targeted for download
  Additional info: very similar to the .B variant in function (this variant has even been referred to as variant .B++).

Worm:Win32/Conficker.D
  Discovered: 4 Mar 2009
  Payload trigger date: 1 April 2009 and later
  Spreads via: no spreading functionality per se; distributed as an update to PCs previously infected with the .B and .C variants
  Payload, in addition to the payloads listed above for .A and .B, with some variations:
    - Generates 50,000 URLs to download files from, but visits only 500 of them within any 24-hour period
    - Expands on efforts to hinder its removal from an affected PC
  Additional info: spreading functionality was removed from this variant. It continues to expand on its file-downloading payload and targets a broader range of processes to stop (it appears to be targeting cleaning utilities designed specifically to remove Conficker). It also blocks access to additional security-related websites.

Worm:Win32/Conficker.E
  Discovered: 8 Apr 2009
  Payload trigger date: no payload trigger date
  Spreads via, in addition to the method used by the .A variant:
    - Network shares with weak passwords
  Payload:
    - Blocks access to many security-related websites
    - Changes your PC's settings
    - Stops system and security services
    - Deletes itself on May 3 (2009, the year of its discovery)
  Additional info: like .B, this variant combines the .A exploit with spreading over weakly protected network shares and makes itself more difficult to remove; it is the only variant with a built-in expiry date.

The individual descriptions for each variant have more detailed analysis.


Symptoms

The following could indicate that you have this threat on your PC:

  • The following services are disabled or fail to run (standard service names in parentheses):

    Background Intelligent Transfer Service (BITS)
    Error Reporting Service (ERSvc, Windows XP and Server 2003)
    Windows Defender (WinDefend)
    Windows Error Reporting Service (WerSvc, Windows Vista and later)
    Windows Security Center Service (wscsvc)
    Automatic Updates / Windows Update service (wuauserv)

  • Some accounts might be locked out. Variants from .B onward try to log on to network shares with a list of weak passwords, and a domain's account-lockout policy then locks the accounts that are guessed against. To let this scanning run at full speed, the worm raises the limit on simultaneous TCP connections to its maximum, which can flood the network with connections, using the following registry modification:

    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    "TcpNumConnections" = "0x00FFFFFE"

  • You might not be able to connect to websites or online services that contain the following strings:

    ahnlab
    arcabit
    avast
    avira
    castlecops
    centralcommand
    clamav
    comodo
    computerassociates
    cpsecure
    defender
    drweb
    emsisoft
    esafe
    eset
    etrust
    ewido
    f-prot
    f-secure
    fortinet
    gdata
    grisoft
    hacksoft
    hauri
    ikarus
    jotti
    k7computing
    kaspersky
    malware
    mcafee
    microsoft
    networkassociates
    nod32
    norman
    norton
    panda
    pctools
    prevx
    quickheal
    rising
    rootkit
    securecomputing
    sophos
    spamhaus
    spyware
    sunbelt
    symantec
    threatexpert
    trendmicro
    virus
    wilderssecurity
    windowsupdate
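The following triage script is an added example and not part of the original Microsoft page. It reads the host state behind the three symptom groups above (service status, the TcpNumConnections value, and name resolution for hosts whose names contain a blocked string) and reports findings without changing anything. The service short names are the standard names for the display names listed above; the probe host names and the abridged block list are assumptions chosen for illustration. Run it from an elevated Windows PowerShell prompt:

```powershell
# Added triage script (not from the original Microsoft page). Read-only:
# it inspects services, one registry value and DNS resolution, and prints
# anything that matches the Conficker symptoms listed on the page.

$findings = New-Object System.Collections.ArrayList

# 1. Services the page says Conficker disables or stops. Short names are the
#    standard service names; some exist only on certain Windows versions.
$suspectServices = @(
    @{ Name = 'BITS';      Display = 'Background Intelligent Transfer Service' },
    @{ Name = 'ERSvc';     Display = 'Error Reporting Service (XP/2003)' },
    @{ Name = 'WinDefend'; Display = 'Windows Defender' },
    @{ Name = 'WerSvc';    Display = 'Windows Error Reporting Service (Vista and later)' },
    @{ Name = 'wscsvc';    Display = 'Security Center' },
    @{ Name = 'wuauserv';  Display = 'Automatic Updates' }
)
foreach ($svc in $suspectServices) {
    $s = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
    if ($null -eq $s) { continue }   # service does not exist on this Windows version
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
    if ($s.Status -ne 'Running' -or $wmi.StartMode -eq 'Disabled') {
        [void]$findings.Add("Service $($svc.Name) ($($svc.Display)): status $($s.Status), start mode $($wmi.StartMode)")
    }
}

# 2. The TCP connection-limit value from the Symptoms list. A default Windows
#    install does not create this value, so its presence alone is reportable.
$tcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$tcpNum = (Get-ItemProperty -Path $tcpKey -ErrorAction SilentlyContinue).TcpNumConnections
if ($null -ne $tcpNum) {
    [void]$findings.Add(('TcpNumConnections present in {0}, value 0x{1:X8}' -f $tcpKey, $tcpNum))
}

# 3. DNS probes. The worm blocks by substring match on the host name being
#    resolved, so a host whose name contains a listed string failing while a
#    control host containing none succeeds points at the worm rather than at
#    a general network outage. Block list abridged from the page; probe host
#    names are assumptions for illustration.
$blockStrings = @('microsoft', 'windowsupdate', 'symantec', 'kaspersky', 'virus', 'malware')
function Get-BlockMatch([string]$HostName) {
    # Returns the listed strings that occur in the host name (case-insensitive).
    $lower = $HostName.ToLower()
    $blockStrings | Where-Object { $lower.Contains($_) }
}
$probes = @('windowsupdate.microsoft.com', 'www.example.com')
foreach ($h in $probes) {
    $hits = @(Get-BlockMatch $h)
    try   { [void][System.Net.Dns]::GetHostAddresses($h); $ok = $true }
    catch { $ok = $false }
    if (-not $ok -and $hits.Count -gt 0) {
        [void]$findings.Add("DNS for $h failed; name contains blocked string(s): $($hits -join ', ')")
    } elseif (-not $ok) {
        [void]$findings.Add("DNS for $h failed but its name contains no blocked string; check general connectivity first")
    }
}

if ($findings.Count -eq 0) {
    'No Conficker symptoms found on this host.'
} else {
    'Possible Conficker symptoms:'
    $findings | ForEach-Object { " - $_" }
}
```

A stopped service on its own is weak evidence (an administrator may have disabled Windows Defender deliberately), so treat the output as a prompt for a full scan with the tools named under "What to do now" rather than as a verdict. If the DNS probe for the blocked-string host fails, fetch the scanner and updates on an uninfected PC and carry them over, as the recovery steps above describe.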


Prevention


Alert level: Severe
This entry was first published on: Jan 08, 2009
This entry was updated on: Apr 16, 2014

This threat is also detected as:
  • TA08-297A (other)
  • CVE-2008-4250 (other)
  • VU827267 (other)
  • Win32/Conficker.A (CA)
  • Mal/Conficker-A (Sophos)
  • Trojan.Win32.Agent.bccs (Kaspersky)
  • W32.Downadup.B (Symantec)
  • Trojan-Downloader.Win32.Agent.aqfw (Kaspersky)
  • W32/Conficker.worm (McAfee)
  • Trojan:Win32/Conficker!corrupt (Microsoft)
  • W32.Downadup (Symantec)
  • WORM_DOWNAD (Trend Micro)
  • Confickr (other)