Conficker Worm Detection And Removal - gHacks Tech News

Conficker Worm Detection And Removal

By now you might have heard about the latest worm plaguing Internet users worldwide. It goes by the name of Conficker (or Downadup) and comes in the variants A, B and C, with C being the most evolved. To put it simply: Conficker spreads through a vulnerability in the Windows Server service that was discovered in September 2008 and closed by Microsoft with the out-of-band update MS08-067 in October 2008. The first worm to use the vulnerability was discovered in November 2008; the later variants additionally spread through writable network shares protected by weak passwords and through autorun.inf on removable media.

Conficker C starts a number of processes on an infected host, including a listener on a random port from which freshly exploited machines download their copy of the worm.

The worm then patches the vulnerable function in memory, closing the hole that let it in. This keeps other malware from exploiting the same vulnerability while leaving a backdoor open for newer Conficker variants, which the patch recognises and lets through.

The worm also blocks name resolution for host names that contain certain strings. It does this by hooking the Windows DNS resolution functions, so the affected sites can still be reached by IP address, just not by name. Among the strings are the names of security companies such as microsoft, panda and symantec, but also generic strings such as defender, conficker and anti-. The purpose is to keep users away from sites that offer information about the worm and removal tools, and to keep Windows Update and antivirus updates from working.

This is certainly a nuisance for the user, but apart from disabling Windows Update and several security-related services the worm carries no destructive payload of its own. The real danger lies in the update mechanism of Conficker C. Starting on April 1, 2009 the worm will try to retrieve new instructions through a sophisticated scheme: each day it generates a list of 50,000 domain names spread across 116 top-level domains, picks 500 of them at random and tries to connect to each one. If it finds a payload on one of those URLs it downloads and executes it; a payload is only accepted if it carries a valid signature from the worm's author, so defenders cannot simply register the domains and push a cleanup through the same channel. The cycle repeats every 24 hours.
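The update scheme above leaves a visible trace on the network: an infected host asks the resolver for hundreds of never-seen-before names across many top-level domains, and nearly all of them come back NXDOMAIN because nobody has registered them. The following script is an added example, not code from the article and not Conficker's real domain generation algorithm (which is not reproduced here); it scores hosts in a DNS query log on that pattern. The log line format, the thresholds and the sample data are assumptions made for the illustration.

```python
"""Spot DGA-style lookup bursts in DNS query logs.

Added example; not from the gHacks article and not Conficker's own domain
generation algorithm. Conficker C contacts 500 of the 50,000 names it
generates each day across 116 TLDs; almost all are unregistered, so an
infected host produces a burst of NXDOMAIN answers for previously unseen
domains spread over many TLDs. Log format and thresholds are assumptions.
"""
import random
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed log line shape: "<ts> src=<ip> q=<name> rcode=<NOERROR|NXDOMAIN>"
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+q=(?P<q>\S+)\s+rcode=(?P<rcode>\S+)")

# Thresholds are assumptions; tune them against your own resolver's baseline.
MIN_DISTINCT_DOMAINS = 20
MIN_DISTINCT_TLDS = 5
MIN_NXDOMAIN_RATIO = 0.8


def registered_domain(name: str) -> str:
    """Naive last-two-labels registered domain (no public-suffix handling,
    so names under co.uk and similar are mis-split; fine for <label>.<tld>)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_features(lines: Iterable[str]) -> Dict[str, dict]:
    """Aggregate per-source query counts, NXDOMAIN counts, domains and TLDs."""
    stats = defaultdict(lambda: {"queries": 0, "nx": 0, "domains": set(), "tlds": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                      # skip lines that do not match the format
        s = stats[m["src"]]
        dom = registered_domain(m["q"])
        s["queries"] += 1
        s["nx"] += int(m["rcode"] == "NXDOMAIN")
        s["domains"].add(dom)
        s["tlds"].add(dom.rsplit(".", 1)[-1])
    return stats


def flag_dga_hosts(lines: Iterable[str]) -> Dict[str, dict]:
    """Return {src: summary} for hosts whose lookups look like DGA beaconing."""
    flagged = {}
    for src, s in host_features(lines).items():
        ratio = s["nx"] / s["queries"] if s["queries"] else 0.0
        if (len(s["domains"]) >= MIN_DISTINCT_DOMAINS
                and len(s["tlds"]) >= MIN_DISTINCT_TLDS
                and ratio >= MIN_NXDOMAIN_RATIO):
            flagged[src] = {"domains": len(s["domains"]),
                            "tlds": len(s["tlds"]),
                            "nxdomain_ratio": round(ratio, 2)}
    return flagged


def constructed_log() -> List[str]:
    """Build a small synthetic log: one beaconing host (10.0.0.5) and one
    normal host (10.0.0.7). Constructed data, fixed seed for determinism."""
    rng = random.Random(2009)
    tlds = ["ws", "cc", "tv", "cn", "biz", "info", "name", "mobi", "org", "net"]
    lines = []
    for i in range(60):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                        for _ in range(rng.randint(4, 9)))
        rcode = "NOERROR" if i % 25 == 0 else "NXDOMAIN"   # a few names do exist
        lines.append(f"2009-04-01T00:{i:02d}:00 src=10.0.0.5 "
                     f"q={label}.{rng.choice(tlds)} rcode={rcode}")
    for name in ["www.google.com", "mail.example.org", "update.microsoft.com",
                 "www.ghacks.net", "typo.exmaple.org"]:
        rcode = "NXDOMAIN" if name.startswith("typo") else "NOERROR"
        lines.append(f"2009-04-01T00:05:00 src=10.0.0.7 q={name} rcode={rcode}")
    return lines


if __name__ == "__main__":
    for src, summary in flag_dga_hosts(constructed_log()).items():
        print(f"{src}: possible DGA beaconing {summary}")
```

Run it against your resolver's query log (adjusting `LINE_RE` to its format) over a 24-hour window, which matches the worm's cycle; a normal host that merely mistypes a few names never reaches the distinct-domain and TLD counts, while a single ordinary typo on the clean host above is correctly ignored.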

The quickest check is to open a site such as microsoft.com or symantec.com by name and then by IP address (the addresses 207.46.197.32 and 206.204.52.31 were correct when this was written; web servers move, so verify them before relying on the test). If the name fails while the IP works, and an unrelated site still resolves normally, the host is very likely infected. This gives a good indication, but it is better to scan the system with tools designed specifically to detect and remove the Conficker variants.
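The name-versus-IP comparison can be scripted so it runs the same way on every machine. The script below is an added example, not code from the article or from any vendor's removal tool. It encodes the symptom described above: a host name containing one of the blocked strings fails to resolve while its IP address still accepts a connection, and a control name containing none of the strings resolves normally. The IP addresses are the 2009 values quoted in the article and are assumptions; the control host name is a placeholder.

```python
"""Probe for Conficker-style DNS blocking.

Added illustration, not code from the gHacks article or any vendor tool.
Conficker hooks the Windows DNS resolver so that host names containing
strings such as "microsoft", "symantec", "panda", "defender" or "conficker"
fail to resolve, while the same sites stay reachable by IP address. The IPs
below are the article's 2009 values (assumed, verify before use).
"""
import socket
from typing import Callable, List, Tuple

# Strings the article reports as blocked (a subset of the worm's real list).
BLOCKED_STRINGS = ["microsoft", "panda", "symantec", "defender", "conficker", "anti-"]

# (name, ip) pairs to compare. IPs are the article's 2009 values (assumption).
PROBES: List[Tuple[str, str]] = [("www.microsoft.com", "207.46.197.32"),
                                 ("www.symantec.com", "206.204.52.31")]

# Control name that contains none of the blocked strings (hypothetical host).
CONTROL = "www.example.com"


def name_is_targeted(hostname: str) -> bool:
    """True if the host name contains any blocked substring (case-insensitive)."""
    h = hostname.lower()
    return any(s in h for s in BLOCKED_STRINGS)


def resolves(hostname: str) -> bool:
    """Does the local resolver answer for this name?"""
    try:
        socket.gethostbyname(hostname)
        return True
    except OSError:
        return False


def tcp_reachable(host: str, port: int = 80, timeout: float = 3.0) -> bool:
    """Try a TCP connect to host:port; False on any error or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(probes: List[Tuple[str, str]], control: str,
             resolve: Callable[[str], bool] = resolves,
             reach: Callable[[str], bool] = tcp_reachable) -> str:
    """Return 'no-network', 'dns-blocked', 'inconclusive' or 'clean'.

    'dns-blocked' means the control name resolves but at least one vendor
    name does not while its IP still accepts a connection: the exact
    symptom the article describes. 'inconclusive' means a name failed but
    its IP failed too, which may just be a stale address or a down site.
    The resolver and connector are injectable so the logic can be tested
    without network access.
    """
    if not resolve(control):
        return "no-network"              # resolver broken entirely; cannot judge
    blocked = inconclusive = 0
    for name, ip in probes:
        if resolve(name):
            continue                     # this name is fine
        if reach(ip):
            blocked += 1                 # name fails, IP works: the worm's signature
        else:
            inconclusive += 1            # cannot tell the worm from a dead site
    if blocked:
        return "dns-blocked"
    return "inconclusive" if inconclusive else "clean"


if __name__ == "__main__":
    print("verdict:", diagnose(PROBES, CONTROL))
```

Treat "dns-blocked" as a strong indicator and "inconclusive" as a prompt to re-check the IP addresses; in either case follow up with one of the dedicated removal tools rather than relying on the probe alone.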


Tools that detect and remove Conficker variants include the ESET Conficker Removal Tool, F-Secure's Downadup removal tool and Kaspersky's KidoKiller. Whichever tool you use, install the MS08-067 update, set strong passwords on administrative shares and disable autorun before the cleaned machine goes back on the network, or it will simply be reinfected.

Excellent information on Conficker detection and removal is available at Sans.org.


Comments

  1. Paulus said on March 31, 2009 at 5:03 pm

    Panda USB Vaccine is also a free solution designed to protect against this threat.
    http://www.pandasecurity.com/homeusers/downloads/usbvaccine/

  2. KTecNet® said on March 31, 2009 at 10:11 pm

    I use all these tools on a network to find and remove Conficker.

    And I like this ESET Conficker Removal. It's really cool.

    I have just found this article:

    Containing Conficker – Tools and Infos

    at http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

    And it is really useful with some tools that can help to find if a computer or even a network is infected.

    I Hope it helps…

  3. Conficker Worm said on March 31, 2009 at 11:16 pm

    I am observing that a lot of people know about this worm well in advance, compared to any other threat in the past.

    Thanks to the media and the hype created for this worm.

  4. Rush said on April 1, 2009 at 12:23 am

    That’s because this one has a countdown timer, and a big “to be continued” sign on it.
    I love the Panda Vaccine. It’s awesome and free (my favorite). I have it on every piece of removable storage media I own, (SD cards, External HDD, MP3players, etc) not just the USB.

  5. MWD said on April 1, 2009 at 2:27 am

    Found a great step-by-step removal guide, had luck removing stuff!
    http://www.livecrunch.com/2009/03/31/tips-and-tricks-how-to-remove-conficker-worm/

  6. Dels said on April 1, 2009 at 3:10 am

    Now we are ready for “April Mop” attack from Conficker.C :D

  7. Emil Clerk said on April 1, 2009 at 1:32 pm

    I cleaned my PC with a tool from BitDefender, you can find it at bdtools.net. They have 2 versions, one for a single PC and one for network admins.
