Follow:

 

Worm:Win32/Conficker.B!inf


Worm:Win32/Conficker.B!inf is the detection used for the autorun.inf files created by Conficker.B when it attempts to spread via mapped and removable drives. For more information, please see the Worm:Win32/Conficker.B description elsewhere in our encyclopedia.
 
Worm:Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.
 
Microsoft strongly recommends that users apply the update referred to in  Security Bulletin MS08-067 immediately.
 
Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords. More information is available here.
 
Microsoft also recommends that users apply an update that changes the AutoPlay functionality in Windows to prevent this worm from spreading via USB drives. More information is available in the Microsoft Knowledgebase Article KB971029 .


What to do now

Microsoft strongly recommends that users apply the update referred to in  Security Bulletin MS08-067 immediately.
 
Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords. More information is available here .
 
Microsoft also recommends that users apply an update that changes the AutoPlay functionality in Windows to prevent this worm from spreading via USB drives. More information is available in the Microsoft Knowledgebase Article KB971029 .
 
To detect and remove this threat and other malicious software that may be installed in your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
 
Note: Computers infected by Conficker may be unable to connect to web sites related to security applications and services that may otherwise assist in the removal of this worm (for example, downloading antivirus updates may fail). In this case users will need to use an uninfected computer in order to download any appropriate updates or tools and then transfer these to the infected computer.
 
Microsoft Help and Support have provided a detailed guide to removing a Conficker.B infection from an affected computer, either manually or by using the MSRT (Malicious Software Removal Tool).
 
For detailed instructions on how to manually remove Conficker.B, view the following article using an uninfected computer:
http://support.microsoft.com/kb/962007 - Virus alert for Win32/Conficker.B and manual removal instructions
 
Additional information on deploying MSRT in an enterprise environment can be found here:
http://support.microsoft.com/kb/891716 - Deployment of MSRT in an enterprise environment

Threat behavior

Worm:Win32/Conficker.B!inf is the detection used for the autorun.inf files created by Conficker.B when it attempts to spread via mapped and removable drives. For more information, please see the Worm:Win32/Conficker.B description elsewhere in our encyclopedia.
 
Worm:Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The following services are disabled or fail to run:
  • Windows Update Service
    Background Intelligent Transfer Service
    Windows Defender
    Windows Error Reporting Services
  • Some accounts may be locked out due to the following registry modification, which may flood the network with connections:
  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    "TcpNumConnections" = "0x00FFFFFE"
  • Users may not be able to connect to websites or online services that contain the following strings:
  • virus
    spyware
    malware
    rootkit
    defender
    microsoft
    symantec
    norton
    mcafee
    trendmicro
    sophos
    panda
    etrust
    networkassociates
    computerassociates
    f-secure
    kaspersky
    jotti
    f-prot
    nod32
    eset
    grisoft
    drweb
    centralcommand
    ahnlab
    esafe
    avast
    avira
    quickheal
    comodo
    clamav
    ewido
    fortinet
    gdata
    hacksoft
    hauri
    ikarus
    k7computing
    norman
    pctools
    prevx
    rising
    securecomputing
    sunbelt
    emsisoft
    arcabit
    cpsecure
    spamhaus
    castlecops
    threatexpert
    wilderssecurity
    windowsupdate

Prevention


Alert level: Severe
First detected by definition: 1.49.1706.0
Latest detected by definition: 1.93.731.0 and higher
First detected on: Jan 09, 2009
This entry was first published on: Feb 12, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases