What is Conficker?

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in October 2008. The worm propagated through the Internet by exploiting a vulnerability in the network stack of Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta, and Windows Server 2008 R2 Beta.

The worm has been unusually difficult for network operators and law enforcement to counter because of its combined use of advanced malware techniques.

How to Check if you are Infected by Conficker?

Conficker.B and Conficker.C infections can be detected simply by surfing a web-page.

Conficker.A infections cannot be detected this way. Click here to check your system (for Conficker.B or Conficker.C) infection.

How to Remove Conficker?

Below are removal instruction and tools on how to remove conficker.

Removal Instructions

• Microsoft: http://support.microsoft.com/kb/962007
• Kaspersky: http://support.kaspersky.com/faq/?qid=208279973
• BitDefender: http://www.bitdefender.com/VIRUS-1000462-en–Win32.Worm
• TrendMicro: http://www.trendmicro.com/vinfo/virusencyclo/
• Sophos: http://www.sophos.com/support/knowledgebase/article/51416.html

Removal Tools

• Microsoft MSRT – http://www.microsoft.com/security/malwareremove/default.mspx
• F-Secure – ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
• Symantec – http://www.symantec.com/business/security_response/
• McAfee – http://vil.nai.com/vil/stinger/
• ESET – http://download.eset.com/special/EConfickerRemover.exe
• BitDefender – http://www.bdtools.net/
• Kaspersky – http://data2.kaspersky-labs.com:8080/special/KidoKiller_v3.3.3.zip
• TrendMicro – http://www.trendmicro.com/download/dcs.asp
• Sophos – https://secure.sophos.com/products/free-tools/conficker-removal/
• Sunbelt – http://www.sunbeltsecurity.com/DownLoads.aspx

Conficker Remote Scanners

• nmap - (nmap 4.85BETA5 now includes Conficker detection) http://insecure.org/
• nessus – http://www.nessus.org/plugins/index.php?view=single&id=36036
• McAfee – http://www.mcafee.com/us/enterprise/confickertest.html
• eEye – http://www.eeye.com/html/downloads/other/ConfickerScanner.html

Conficker Memory Disinfector

It is hard to identify files containing Conficker, because the executables are packed and encrypted. When Conficker runs in memory, it is fully unpacked. Our memory disinfector scans the memory of every running process in the system and terminates Conficker threads without touching the process it runs in. This helps to keep the system services running.

The tool itself and the source code can be downloaded here:

conficker_mem_killer.exe – 594 K
memscan.zip – 8.4 K

Detecting Conficker Files and Registry

Despite other reports, the file names and registry keys Conficker.B and Conficker.C use are not random. They are calculated on the basis of the hostname. We have developed a tool that you can run on your system to check for Conficker’s Dlls. Unfortunately, Conficker.A really uses random names and can therefore not be found this way.

It is at a very early development stage, but usable. We would be grateful to benefit from your changes if you develop it further.

Tool and source code are here:

regnfile.exe – 599 K
conficker_names.zip

Nonficker Vaccination Tool

Conficker uses different global and local mutexes to ensure that only the most up-to-date version is run on the system. This fact can be exploited to scan for and to prevent infections.

We have developed our Nonficker Vaccination dll that can be installed as a system service and pretends to be a running Conficker by registering all mutexes from version .A, .B, and .C (and possibly .D depending which naming scheme you refer to). A setup tool to install the dll as system service is provided as well.

Removal instructions:

• Open your favorite registry editor (e.g. Start->Run…->regedit.exe->ok)
• Go to registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
• Remove the “aaaaanonficker” from the “netsvcs” key
• Remove registry key and all sibling keys: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aaaaanonficker

Besides vaccination, the mutexes can be used to scan for local infections. We have developed a small mutex scanner that tells you if you are infected.

Both tools and source code can be downloaded here:

nonficker.zip – 547 K
nonflicker_code.zip – 64 K

More information on using Network Scanner and Intrusion Detection Signatures. (via Universitat Bonn)