Win32/Conficker


Microsoft security software detects and removes this threat.

This family of worms can disable several important Windows services and security products. They can also download files and run malicious code on your PC if you have file sharing enabled.

Conficker worms infect PCs across a network by exploiting a vulnerability in a Windows system file. This vulnerability is described and fixed in Security Bulletin MS08-067.

Some worms can also spread via removable drives and by using common passwords.

Find out ways that malware can get on your PC.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Additional recovery steps

You might not be able to connect to websites related to security applications and services that can help you remove this worm.

Microsoft Help and Support has provided a detailed guide to removing a Conficker infection from an infected PC, either manually or by using the Malicious Software Removal Tool (MSRT).

More information about deploying MSRT in an enterprise environment can be found here:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Variant comparison

There are several variants of Conficker, summarized in the table below. Also see the individual descriptions for each variant for more information.

Variant: Worm:Win32/Conficker.A
Discovered date: 21 November 2008
Payload trigger date: 25 November 2008
Spreads by:
  • Exploits the vulnerability outlined in Security Bulletin MS08-067
Payload:
  • Generates 250 URLs daily that it checks for updates
  • Resets System Restore Point

Variant: Worm:Win32/Conficker.B
Discovered date: 29 December 2008
Payload trigger date: 1 January 2009
Spreads by: Same as .A variant, plus:
  • Network shares with weak passwords
  • Mapped and removable drives
  • Uses a scheduled task to run copies of the worm on targeted PCs
Payload: Same as .A variant (although with a different way of generating URLs), plus:
  • Blocks access to many security-related websites
  • Changes your PC's settings
  • Stops system and security services

Variant: Worm:Win32/Conficker.C
Discovered date: 20 February 2009
Payload trigger date: 1 January 2009
Spreads by: Same as .B variant.
Payload: Same as .A and .B variants, plus:
  • Additional method for downloading files that uses peer-to-peer communications
  • Adds checks to verify the authenticity/validity of content targeted for download

Variant: Worm:Win32/Conficker.D
Discovered date: 4 March 2009
Payload trigger date: 1 April 2009
Spreads by: Spreading functionality removed. Distributed as an update to PCs already infected with the .B and .C variants.
Payload: Same as .A and .B variants, plus:
  • Generates 50,000 URLs to download files from, but only visits 500 within a 24-hour period
  • Expands on efforts to hinder its removal from your PC:
    • Stops more system and security services
    • Blocks more security-related websites

Variant: Worm:Win32/Conficker.E
Discovered date: 8 April 2009
Payload trigger date: No date
Spreads by: Spreading functionality added. Same as .A variant, plus:
  • Network shares with weak passwords
Payload: Same as .A variant, plus:
  • Blocks access to many security-related websites
  • Changes your PC's settings
  • Stops system and security services
  • Deletes itself on May 3

The name of this family was derived from trafficconverter.biz, a string found in the Worm:Win32/Conficker.A variant.


Symptoms

The following could indicate that you have this threat on your PC:

  • The following services are disabled or fail to run:

    Background Intelligent Transfer Service
    Error Reporting Service
    Windows Defender
    Windows Error Reporting Service
    Windows Security Center Service
    Windows Update Auto Update Service

  • Some accounts might be locked due to the following registry modification, which might flood the network with connections:

    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    "TcpNumConnections" = "0x00FFFFFE"

  • You might not be able to connect to websites or online services that contain the following:

    ahnlab
    arcabit
    avast
    avira
    castlecops
    centralcommand
    clamav
    comodo
    PCassociates
    cpsecure
    defender
    drweb
    emsisoft
    esafe
    eset
    etrust
    ewido
    f-prot
    f-secure
    fortinet
    gdata
    grisoft
    hacksoft
    hauri
    ikarus
    jotti
    k7computing
    kaspersky
    malware
    mcafee
    microsoft
    networkassociates
    nod32
    norman
    norton
    panda
    pctools
    prevx
    quickheal
    rising
    rootkit
    securecomputing
    sophos
    spamhaus
    spyware
    sunbelt
    symantec
    threatexpert
    trendmicro
    virus
    wilderssecurity
    windowsupdate
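
A defender-side check for the symptoms listed above, written in PowerShell as an added example that is not part of the Microsoft entry. It assumes internal service names for the display names on the page (BITS, ERSvc, WerSvc, WinDefend, wscsvc, wuauserv) and uses www.microsoft.com and www.example.com as constructed probe names for the site-blocking symptom.

```powershell
# Added example: checks a Windows host for the Conficker symptoms described above.
# Not from the Microsoft encyclopedia entry. Run from an elevated PowerShell (3.0+).
# The internal service names are assumed mappings of the display names on the page.
$services = @{
    'BITS'      = 'Background Intelligent Transfer Service'
    'ERSvc'     = 'Error Reporting Service (Windows XP)'
    'WerSvc'    = 'Windows Error Reporting Service'
    'WinDefend' = 'Windows Defender'
    'wscsvc'    = 'Windows Security Center Service'
    'wuauserv'  = 'Windows Update / Automatic Updates'
}
$findings = @()

# 1. Services the worm stops or disables. A service that is merely stopped under
#    Manual start is normal; flag Disabled, or Auto start but not running.
foreach ($name in $services.Keys) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { continue }   # not present on this Windows version
    $disabled   = $svc.StartMode -eq 'Disabled'
    $notRunning = $svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running'
    if ($disabled -or $notRunning) {
        $findings += "Service $name ($($services[$name])): StartMode=$($svc.StartMode), State=$($svc.State)"
    }
}

# 2. The registry value quoted in the entry (0x00FFFFFE = 16777214).
$tcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$tcp = Get-ItemProperty -Path $tcpKey -Name TcpNumConnections -ErrorAction SilentlyContinue
if ($tcp -and $tcp.TcpNumConnections -eq 0x00FFFFFE) {
    $findings += "TcpNumConnections = 0x00FFFFFE under $tcpKey"
}

# 3. Name resolution: a host whose name contains a string from the blocked list
#    ("microsoft") versus a control name that contains none. Constructed probe
#    names; only meaningful when the machine otherwise has working DNS.
$blocked = 'www.microsoft.com'
$control = 'www.example.com'
$blockedOk = [bool](Resolve-DnsName $blocked -ErrorAction SilentlyContinue)
$controlOk = [bool](Resolve-DnsName $control -ErrorAction SilentlyContinue)
if ($controlOk -and -not $blockedOk) {
    $findings += "DNS resolves $control but not $blocked (matches the site-blocking symptom)"
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the listed Conficker symptoms were observed.'
} else {
    Write-Output 'Possible Conficker indicators (confirm with a full antimalware scan):'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A hit on any single check is an indicator, not a verdict; the full scan recommended under "What to do now" is still the confirming step.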


Prevention


Alert level: Severe
This entry was first published on: Jan 08, 2009
This entry was updated on: Oct 15, 2014

This threat is also detected as:
  • TA08-297A (other)
  • CVE-2008-4250 (other)
  • VU827267 (other)
  • Win32/Conficker.A (CA)
  • Mal/Conficker-A (Sophos)
  • Trojan.Win32.Agent.bccs (Kaspersky)
  • W32.Downadup.B (Symantec)
  • Trojan-Downloader.Win32.Agent.aqfw (Kaspersky)
  • W32/Conficker.worm (McAfee)
  • Trojan:Win32/Conficker!corrupt (Microsoft)
  • W32.Downadup (Symantec)
  • WORM_DOWNAD (Trend Micro)
  • Confickr (other)