Conficker worm might originate in China

A Vietnamese security firm concludes that the Conficker worm has the same root as the Nimda, which the firm believes originated in China.

Wikipedia

Updated at 9:13 p.m. PDT with information provided by BKIS stating that its free version of BKAV antivirus software can remove the worm from any infected computer.

There's been a lot of fuss about the Conficker worm. And here's the a $250,000 question: what is the origin of the virus?

$250,000 is the amount of money Microsoft is putting up as a reward for any information leading to an arrest related to the case. Folks at BKIS, a Vietnamese security firm that makes the BKAV antivirus software , announced Monday that they found clues that the virus may have originated in China. Previously, there were rumors that it might have been from Russia or Europe.

The firm's conclusion is based on its analysis of the virus' coding. It found that Conficker's code is closely related to that of the notorious Nimda, a virus that wreaked havoc on the Net and e-mail in 2001. At that time, BKIS determined that Nimda was made in China, based on the firm's own data.

It's important to note that the origin of Nimda was never verified. Though Nimda contained text indicating that it may have originated from China, that is in no way hard evidence.

Even if this finding by BKIS is credible, it's hardly good news, as it does little to help the authorities lay their hands on whomever is responsible for creating the virus. What it does is narrow in on where to block the return of the virus.

Conficker is a very sophisticated worm that took advantage of a security hole mentioned in this Microsoft bulletin. The hole affected all 32-bit and 64-bit Windows operating systems, even those with the latest service packs. The hole allowed the virus to infect the computer without any user interaction via the Internet, local network, or USB thumbdrives. Once infected, it stops the computer's security services and Windows update service, and disables tools and software designed to remove it. The worm also allows the creator to remotely install other malicious codes on the infected computer.

Consequently, the worm is programed to update itself from domains it randomly generates. By April 1, the amount of domains the worm generates and infects to find updates could grow to 50,000 a day. The owner of the virus only needs to use one of these domains to host the update. This makes it virtually impossible for authorities to track the source of the update.

Microsoft and Conficker Cabal, a Microsoft-led ad hoc partnership created to fight against the Conficker worm, have been able to contain about 13 percent of these domain names, a number far from reassuring.

According to Quang Tu Nguyen, CEO of BKIS, there's also a chance that the worm might never return if the owner of the worm, for one reason or another, decides not to continue updating it or fails to do so. This is unlikely, however. Quang also suggests that the next outbreak of the virus might not necessarily be on April 1, as is widely speculated, but rather on any day. The firm does believe that the worm would likely seek to update itself on the April 1.

While this seems worrisome, the update of the virus will only take place on computers that have already been infected with one of Conficker's variants and are connected to the Internet. Currently, the number of infected systems is estimated to be around 10 million worldwide.

Fortunately, it's relatively easy to determine whether your computer is infected. Vu Ngoc Son, manager of BKIS' research center, provided a simple way for you to find out if your computer has the virus.

First, make sure your computer is connected to the Internet by going to a Web site such as Google or CNET. Then, if your computer can also successfully go to the Web sites of Microsoft and known security companies, such as Symantec, McAfee, TrendMicro, Sophos, Panda, and you can also run Windows Update successfully, then your computer is clear from Conficker.

On the other hand, if the computer fails to do any of those, it's likely that it has already been affected. In this case, try to follow these instructions to remove it, or use BKIS' antivirus software that can be downloaded for free. As a last resort, you can also back up your data and install Windows from scratch, then immediately run Windows Update to install the latest security patches.

Note that even when your computer is currently clean, it doesn't mean you won't get infected. This would depend on what the next update of the worm does. A good rule of thumb is to make sure you keep protection software on your computer updated and keep the system current with Microsoft Update. There is a ton of free and effective antivirus software out there that you can find at Download.com.

As the current work being undertaken against the Conficker worm is mostly damage control, the best way to decrease the possibility of another outbreak is for everybody to make sure their computers are free of the virus and updated to Microsoft's latest patch.

Related stories:

Latest Conficker worm gets nastier

FAQ: Conficker time bomb ticks, but don't expect boom

About the author

CNET editor Dong Ngo has been involved with technology since 2000, starting with testing gadgets and writing code for CNET Labs' benchmarks. He now manages CNET San Francisco Labs, reviews networking and storage products, and also writes about other topics from online security to new gadgets and how technology impacts the life of people around the world.

 

ARTICLE DISCUSSION

Conversation powered by Livefyre

Don't Miss
Hot Products
Trending on CNET

Hot on CNET

CNET's giving away a 3D printer

Enter for a chance to win* the MakerBot Replicator 3D Printer and all the supplies you need to get started.