One of the traits of the Conficker worm is the blocking of url strings. This includes urls of antivirus companies, Microsoft and support sites that could aid users in removing the Conficker worm from a computer system. Users with the worm cannot open the websites in their web browser anymore and this is the exact concept of the Conficker Eye Chart. It displays six images on the website. Three images from urls that are not blocked by Conficker and three that are blocked.

If the web browser is displaying all six urls it is very likely that Conficker has not infected the computer system. If only the safe three images are displayed an infection with the C variant of Conficker is likely while the display of four images hints at A and B variants of Conficker.

The major benefit of this Conficker detection test is its simplicity. It takes only a web browser and a few seconds to test if the computer system has been infected. It is still a good idea to confirm the findings by using a software detection program which you can find here.

Related posts

• Conficker Worm Detection And Removal (8)
• Which Programs Should I Run To Scan A Computer For Malicious Software? (13)
• What You Should Do After Buying A New Computer System (18)
• US Military Bans Removable Media To Stop Computer Worm (2)
• Test your Anti-virus program (10)

Conficker C will initiate a number of processes on infected host systems including opening a random port which is being used in the distribution process of the worm. The worm will then patch the security hole on the computer system that allowed it to attack the system in first place. This prevents other viruses from exploiting the vulnerability while keeping a backdoor open for newer variants of the Conficker worm. The worm will block certain strings from being accessed on the Internet. Domain names making use of those strings cannot be accessed unless the IP is used to do so. Among the strings are various security companies like microsoft, panda or symantec but also generic strings like defender, conficker or anti-. This is to prevent users from accessing websites that contain information and removal instructions about the worm.

While this is surely a nuisance for the user it does mean that the worm itself is not harming the user system in any way other than the methods described above. The real danger comes from the updating mechanism of Conficker C. The worm will try to retrieve new instructions on April 1, 2009. A very sophisticated updating mechanism has been implemented by the author. The worm will generate a list of 50K domain names and append a list of 116 top level domains to them. It will then select 500 randomly from the list and try to connect to them. If new instructions are found on one of the urls it will download them and execute them on the computer system. This process will be repeated every 24 hours.

The easiest way of detection is by accessing a site like microsoft.com or symantec.com and comparing the results with accessing the site using the IP addresses (207.46.197.32 and 206.204.52.31). While this usually gives a good indication it is better to check the computer system with tools that have been specifically designed to detect and remove the Conficker variants.

A few tools that can be used to detect and remove Conficker variants are ESET Conficker Removal Tool, Downadup from F-Secure or KidoKiller by Kaspersky.

Excellent information about Conficker detection and removal instructions are available at Sans.org.

Related posts

• Windows Process Blocker SPKiller (1)
• Windows Process Blocker (9)
• Test Possible Conficker Infection In Your Web Browser (5)
• Security and Privacy Complete (2)
• Microsoft Security Essentials Leaks (8)