W32/Conficker is a worm with multiple variants. It exploits a buffer overflow vulnerability in the Server Service on Windows computers. McAfee Labs has named the most recently discovered variant of this worm W32/Conficker.worm.gen.d.
W32/Conficker is listed under Top Corporate User Malware in the Threat Library (http://www.mcafee.com/us/mcafee-labs/threat-intelligence.aspx).
The original W32/Conficker.worm attacks port 445, the port that Microsoft Directory Service uses, and exploits Microsoft Windows vulnerability MS08-067. For instructions on how to download and apply the Microsoft Security Patch for this vulnerability, see Microsoft Security Bulletin http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx.
When the worm infects a system, it disables several critical security services including:
- Windows Automatic Update
- Windows Security Center
- Windows Defender
- Windows Error Reporting
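As a triage aid for the list above, the following PowerShell sketch reports the start mode and state of those four services on a host. It is an added example, not McAfee code; the short service names (wuauserv, wscsvc, WinDefend, WerSvc/ERSvc) are assumptions mapped from the display names in this article, and a disabled service is a signal to investigate rather than proof of infection.

```powershell
# Added example: audit the services this article lists as disabled by the worm.
# Short service names are assumptions mapped from the article's display names;
# ERSvc is the Windows XP/2003 name for Error Reporting, WerSvc the later name.
$targets = [ordered]@{
    'Windows Automatic Update' = @('wuauserv')
    'Windows Security Center'  = @('wscsvc')
    'Windows Defender'         = @('WinDefend')
    'Windows Error Reporting'  = @('WerSvc', 'ERSvc')
}

function Get-ServiceTamperStatus {
    param([System.Collections.IDictionary]$Targets)

    foreach ($label in $Targets.Keys) {
        # Try each candidate name until one exists on this Windows version.
        $svc = $null
        foreach ($name in $Targets[$label]) {
            $svc = Get-CimInstance -ClassName Win32_Service `
                -Filter "Name='$name'" -ErrorAction SilentlyContinue
            if ($svc) { break }
        }

        if (-not $svc) {
            $finding = 'NotFound'              # absent on this OS edition, or removed
        } elseif ($svc.StartMode -eq 'Disabled') {
            $finding = 'Disabled'              # matches the behaviour described above
        } elseif ($svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running') {
            $finding = 'StoppedButAutoStart'   # should be running but is not
        } else {
            $finding = 'OK'
        }

        [pscustomobject]@{
            Component = $label
            Service   = if ($svc) { $svc.Name } else { $Targets[$label] -join '/' }
            StartMode = if ($svc) { $svc.StartMode } else { $null }
            State     = if ($svc) { $svc.State } else { $null }
            Finding   = $finding
        }
    }
}

# Show every component, then list only the ones that need a closer look.
$report = Get-ServiceTamperStatus -Targets $targets
$report | Format-Table -AutoSize
$report | Where-Object { $_.Finding -ne 'OK' } | Select-Object Component, Finding
```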
The W32/Conficker worm attaches itself to several prominent Windows processes including:
- svchost.exe
- explorer.exe
- services.exe
It also connects to a remote server for additional commands. It can receive instructions to propagate to other systems, gather personal information, or download and install additional malware on the infected system.
See the Conficker - Note to Customers document attached to this article for more information and links to other resources.