How to combat W32/Conficker worm
Technical Articles ID:  KB60909
Last Modified:  03/18/2014


Environment

McAfee AntiSpyware Enterprise 8.x
McAfee Labs (AVERT)
McAfee Labs Stinger
McAfee SaaS Endpoint Protection 5.x
McAfee VirusScan Enterprise 8.x

W32/Conficker (all variants)
W32/Conficker.worm
W32/Conficker.worm.gen.a
W32/Conficker.worm.gen.b
W32/Conficker.worm.gen.c
W32/Conficker.worm.gen.d
W32/Conficker.worm!inf
Top viruses and vulnerabilities in the wild

Summary

W32/Conficker is a worm with multiple variants. It exploits a buffer overflow vulnerability in the Server Service on Windows computers. McAfee has named the most recently discovered variant of this worm as W32/Conficker.worm.gen.d.

W32/Conficker is listed under Top Corporate User Malware in the McAfee Threat Library (http://www.mcafee.com/us/mcafee-labs/threat-intelligence.aspx). Also see our Conficker page http://www.mcafee.com/us/threat_center/conficker.html.

The original W32/Conficker.worm attacks port 445, the port that Microsoft Directory Service uses, and exploits Microsoft Windows vulnerability MS08-067. For instructions on how to download and apply the Microsoft Security Patch for this vulnerability, see Microsoft Security Bulletin http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx.

When the worm infects a system, it disables several critical security services including:

  • Windows Automatic Update
  • Windows Security Center
  • Windows Defender
  • Windows Error Reporting

The W32/Conficker worm attaches itself to several prominent Windows processes including:

  • svchost.exe
  • explorer.exe
  • services.exe

It also connects to a remote server for additional commands. It can receive instructions to propagate to other systems, gather personal information, or download and install additional malware on the infected system.

See the Conficker- Note to Customers document attached to this article for more information and links to other resources.

Solution

IMPORTANT: See the Combating W32 Conficker worm document attached to this article for detailed information on detecting and removing the W32/Conficker.worm.

W32/Conficker.worm attack symptoms
  • Blocks access to security-related web sites
  • User lockouts
  • Traffic on port 445 on non-Directory Service servers
  • No access to admin shares
  • Autorun.inf files in recycled directory
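One of the symptoms above, port 445 traffic from hosts that are not Directory Service servers, is visible in ordinary Windows Firewall logs. The script below is an added example and is not part of the McAfee article: it parses the W3C-style pfirewall.log format, counts distinct port 445 peers per source address, and flags sources that contact more non-Directory-Service peers than a threshold. The IP addresses, the log lines and the $knownDirectoryServers allow-list are constructed sample data, and the threshold of 3 is an assumption for the sample, not a McAfee value.

```powershell
# Added example, not from the McAfee KB article. Summarises port 445 (SMB)
# traffic in a Windows Firewall log so that hosts talking SMB to many peers
# stand out. All addresses and log lines below are constructed sample data.

# Hosts that legitimately receive port 445 traffic (assumed allow-list;
# replace with your own domain controllers and file servers).
$knownDirectoryServers = @('10.0.0.10', '10.0.0.11')

# Constructed sample in the pfirewall.log column layout:
# date time action protocol src-ip dst-ip src-port dst-port ...
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-03-30 09:14:01 ALLOW TCP 10.0.0.55 10.0.0.10 49321 445 0 - 0 0 0 - - - SEND
2009-03-30 09:14:02 DROP TCP 10.0.0.55 10.0.0.23 49322 445 0 S 0 0 0 - - - SEND
2009-03-30 09:14:02 DROP TCP 10.0.0.55 10.0.0.24 49323 445 0 S 0 0 0 - - - SEND
2009-03-30 09:14:03 DROP TCP 10.0.0.55 10.0.0.25 49324 445 0 S 0 0 0 - - - SEND
2009-03-30 09:14:03 DROP TCP 10.0.0.55 10.0.0.26 49325 445 0 S 0 0 0 - - - SEND
2009-03-30 09:14:05 ALLOW TCP 10.0.0.72 10.0.0.10 50110 445 0 - 0 0 0 - - - SEND
2009-03-30 09:14:06 ALLOW TCP 10.0.0.72 10.0.0.11 50111 445 0 - 0 0 0 - - - SEND
2009-03-30 09:14:09 ALLOW TCP 10.0.0.72 8.8.8.8 50112 53 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

function Get-Smb445Summary {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [string[]] $DirectoryServers = @(),
        [int] $PeerThreshold = 3      # assumed value for the sample data
    )
    # Keep only TCP events whose destination port is 445; skip header lines.
    $events = foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        if ($f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{ Action = $f[2]; Source = $f[4]; Destination = $f[5] }
    }
    # One row per source: how many distinct SMB peers, how many of them are
    # not known Directory Service hosts, and how many attempts were dropped.
    $events | Group-Object Source | ForEach-Object {
        $peers      = @($_.Group | Select-Object -ExpandProperty Destination -Unique)
        $unexpected = @($peers | Where-Object { $DirectoryServers -notcontains $_ })
        [pscustomobject]@{
            Source        = $_.Name
            DistinctPeers = $peers.Count
            NonDSPeers    = $unexpected.Count
            Dropped       = @($_.Group | Where-Object Action -eq 'DROP').Count
            Suspicious    = ($unexpected.Count -ge $PeerThreshold)
        }
    }
}

# For a real log use: Get-Smb445Summary -LogLines (Get-Content C:\Windows\pfirewall.log) ...
Get-Smb445Summary -LogLines $sampleLog -DirectoryServers $knownDirectoryServers |
    Sort-Object NonDSPeers -Descending | Format-Table -AutoSize
```

With the constructed sample, 10.0.0.55 reaches five distinct SMB peers, four of them outside the allow-list with all four attempts dropped, and is marked Suspicious; 10.0.0.72 only talks to the two known servers and is not. A host that fans out on port 445 like this is also the usual source of the account lockouts listed above, so the Source column is the first thing to correlate with lockout events on the domain controllers.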
Characteristics
  • When run, the worm copies itself using a random name to the %Sysdir% folder (where %Sysdir% is the Windows system folder, for example, C:\Windows\System32).
  • Some variants use these alternative file locations:

    %ProgramFiles%\Internet Explorer
    %ProgramFiles%\Movie Maker
    %temp%
    c:\documents and settings\all users\application data
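The indicators described in the Summary (security services switched off) and in the Characteristics above (a randomly named copy in %Sysdir% or the alternative folders, autorun.inf in recycled directories) can be checked read-only on a suspect host. The script below is an added example, not McAfee's tool or code from the article. The service short names (wuauserv, wscsvc, WinDefend, WerSvc, ERSvc), the 14-day look-back window and the recycle-bin folder names are assumptions based on standard Windows names, not values taken from the KB; run it from an elevated PowerShell 3.0 or later session.

```powershell
# Added example, not from the McAfee KB article. Read-only triage of the
# host-side Conficker indicators the article lists. Service short names,
# the look-back window and the recycle-bin folder names are assumptions.

$lookBackDays = 14   # assumed window for "recently dropped" binaries

# 1. Services the article says the worm disables (short names assumed).
$securityServices = @{
    'wuauserv'  = 'Windows Automatic Update'
    'wscsvc'    = 'Windows Security Center'
    'WinDefend' = 'Windows Defender'
    'WerSvc'    = 'Windows Error Reporting (Vista and later)'
    'ERSvc'     = 'Error Reporting Service (XP / Server 2003)'
}
$serviceFindings = foreach ($name in $securityServices.Keys) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if (-not $svc) { continue }   # service not present on this Windows version
    [pscustomobject]@{
        Service   = $name
        Purpose   = $securityServices[$name]
        State     = $svc.State
        StartMode = $svc.StartMode
        # A stopped manual-start service is normal; 'Disabled' is the tamper signal.
        Tampered  = ($svc.StartMode -eq 'Disabled')
    }
}

# 2. Drop locations from the article: %Sysdir% plus the alternative folders.
$dropLocations = @(
    "$env:SystemRoot\System32",
    "$env:ProgramFiles\Internet Explorer",
    "$env:ProgramFiles\Movie Maker",
    $env:TEMP,
    "$env:ALLUSERSPROFILE\Application Data",
    $env:ProgramData
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$since = (Get-Date).AddDays(-$lookBackDays)
$binaryFindings = foreach ($dir in $dropLocations) {
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in @('.dll', '.exe') -and $_.CreationTime -ge $since } |
        ForEach-Object {
            # Catalog-signed OS files can report NotSigned on older PowerShell
            # versions, so treat this as a list to hash and look up, not a verdict.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                SizeKB    = [math]::Round($_.Length / 1KB)
                Signature = $sig.Status
            }
        } | Where-Object Signature -ne 'Valid'
}

# 3. autorun.inf inside recycle-bin folders on every file-system drive
#    (folder names differ between XP and later releases; names assumed).
$recycleNames = @('RECYCLER', 'Recycled', '$Recycle.Bin')
$autorunFindings = foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in $recycleNames) {
        $bin = Join-Path $drive.Root $name
        if (Test-Path -LiteralPath $bin) {
            Get-ChildItem -LiteralPath $bin -Recurse -Force -Filter autorun.inf -ErrorAction SilentlyContinue |
                Select-Object FullName, LastWriteTime, Length
        }
    }
}

'== Security service start modes =='
$serviceFindings | Format-Table -AutoSize
'== Recently created unsigned binaries in drop locations =='
$binaryFindings | Format-Table -AutoSize
'== autorun.inf in recycle-bin folders =='
$autorunFindings | Format-Table -AutoSize
```

A Tampered service, an unsigned binary that appeared in one of the drop folders in the last two weeks, or any autorun.inf under a recycle-bin folder is a reason to take the host off the network and run the Stinger and Conficker Detection Tool steps listed under "What to do next"; the script changes nothing on the host, so it can be run again after cleanup to confirm the indicators are gone.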

Variants

Each variant, with its up-to-date Threat Library description and comments:

W32/Conficker.worm
    Threat Library description: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=153464

W32/Conficker.worm.gen.a
    Threat Library description: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=153711

W32/Conficker.worm.gen.b
    Threat Library description: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=153710

W32/Conficker.worm.gen.c
    Threat Library description: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=154253
    Comments: Triggered April 1, 2009

W32/Conficker.worm.gen.d
    Threat Library description: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=154258
    Comments: For more information see the McAfee Labs blog: http://blogs.mcafee.com/mcafee-labs/new-conficker-variant.

W32/Conficker.worm!inf
    Threat Library description: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=153724

W32/Conficker, all variants
    Threat Library description: W32/Conficker and variants
    Comments: List of all W32/Conficker virus variants


What to do next
  1. Follow the instructions on the McAfee Threat Center page dedicated to Conficker: http://www.mcafee.com/us/threat-center/conficker.aspx.
  2. Download and apply the latest consolidated McAfee Labs Stinger tool from http://www.mcafee.com/us/downloads/free-tools/stinger.aspx.
  3. Use the McAfee Conficker Detection Tool available from http://www.mcafee.com/us/threat-center/confickertest.aspx.
  4. McAfee strongly recommends blocking the following URL* on your Internet gateway: hxxp://goodnewsdigital.com/fxxx4.exe

    NOTE: This link has been formatted to avoid accidental infection. Therefore, replace hxxp with http and xxx (in fxxx4.exe) with uck

Attachment 1

Combatting_W32_Conficker_worm.pdf (3.6MB)


Attachment 2

Conficker- Note to Customers.pdf (86K)


© 2003-2013 McAfee, Inc.