Win32/Conficker

Severe |Detected with Windows Defender Antivirus

Aliases: TA08-297A (other) CVE-2008-4250 (other) VU827267 (other) Win32/Conficker.A (CA) Mal/Conficker-A (Sophos) Trojan.Win32.Agent.bccs (Kaspersky) W32.Downadup.B (Symantec) Trojan-Downloader.Win32.Agent.aqfw (Kaspersky) W32/Conficker.worm (McAfee) Trojan:Win32/Conficker!corrupt (Microsoft) W32.Downadup (Symantec) WORM_DOWNAD (Trend Micro) Confickr (other)

Summary

Microsoft security software detects and removes this threat.

This family of worms can disable several important Windows services and security products. They can also download files and run malicious code on your PC if you have file sharing enabled.

Conficker worms infect PCs across a network by exploiting a vulnerability in a Windows system file. This vulnerability is described and fixed in Security Bulletin MS08-067.

Some worms can also spread via removable drives and by using common passwords.

Find out ways that malware can get on your PC.

Threat behavior

Variant comparison

There are several variants of Conficker, summarized in the table below. Also see the individual descriptions for each variant for more information.

Variant	Spreads by...	Payload
Worm:Win32/Conficker.A Discovered date: 21 November 2008 Payload trigger date: 25 November 2008	Exploits the vulnerability outlined in Security Bulletin MS08-067	Generates 250 URLs daily that it checks for updates Resets System Restore Point
Worm:Win32/Conficker.B Discovered date: 29 December 2008 Payload trigger date: 1 January 2009	Same as .A variant, plus: Network shares with weak passwords Mapped and removable drives Uses a scheduled task to run copies of the worm on targeted PCs	Same as .A variant (although with a different way of generating URLs), plus: Blocks access to many security-related websites Changes your PC's settings Stops system and security services
Worm:Win32/Conficker.C Discovered date: 20 February 2009 Payload trigger date: 1 January 2009	Same as .B variant.	Same as .A and .B variants, plus: Additional method for downloading files that uses peer-to-peer communications Adds checks to verify the authenticity/validity of content targeted for download
Worm:Win32/Conficker.D Discovered date: 4 Mar 2009 Payload trigger date: 1 April 2009	Spreading functionality removed. Distributed as an update to PCs already infected with the .B and .C variants.	Same as .A and .B variants, plus: Generates 50,000 URLs to download files from, but only visits 500 within a 24-hour period Expands on efforts to hinder its removal from your PC: Stops more system and security services Blocks more security-related websites
Worm:Win32/Conficker.E Discovered date: 8 April 2009 Payload trigger date: No date	Spreading functionality added. Same as .A variant, plus: Network shares with weak passwords	Blocks access to many security-related websites Changes your PC's settings Stops system and security services Deletes itself on May 3

The name of this family was derived from trafficconverter.biz, a string found in the Worm:Win32/Conficker.A variant.

Win32/Conficker

Summary

What to do now

Additional recovery steps

Get more help

Technical information

Threat behavior

Variant comparison

Prevention

Symptoms

Safety tips

Latest news