Spyware, Viruses, & Security forum

General discussion

How to remove the Downadup and Conficker worm

by Marianna Schmudlach / January 24, 2009 12:44 AM PST

(Uninstall Instructions)
Thanks to Grinler for the instructions!

What this program does:

The Downadup, or Conficker, infection is a worm that predominantly spreads via exploiting the MS08-067 Windows vulnerability, but also includes the ability to infect other computers via network shares and removable media. Not since the Sasser and MSBlaster worms have we seen such a widespread infection as we are seeing with the Downadup worm. In fact, according to anti-virus vendor, F-Secure, the Downadup worm has infected over 8.9 million infected computers. Microsoft has addressed the problem by releasing a patch to fix the Windows vulnerability, but there are still many computers that do not have this patch installed, and thus the worm has been able to propagate throughout the world.

When installed, Conficker / Downadup will copy itself to your C:\Windows\System32 folder as a randomly named DLL file. If it has problems copying itself to the System32 folder, it may instead copy itself to the %ProgramFiles%\Internet Explorer or %ProgramFiles%\Movie Maker folders. It will then create a Windows service that automatically loads this DLL via svchost.exe, which is a legitimate file, every time you turn on your computer. The infection will then change a variety of Windows settings that will allow it to efficiently infect other computers over your network or the Internet.

MORE: http://www.bleepingcomputer.com/malware-removal/remove-downadup-conficker
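
Added example (not part of the original post or the linked removal guide): a small audit of svchost-hosted services for the persistence pattern described above, a service DLL in one of the fallback folders or an unrecognised DLL in System32. The service records, the baseline list and the names `audit_services`, `SAMPLE_SERVICES` and `KNOWN_GOOD` are constructed for illustration; the `ImagePath` and `Parameters\ServiceDll` values are standard Windows service registry entries that the post itself does not mention.

```python
import ntpath

# Constructed environment values for a default install (assumption).
ENV = {"%systemroot%": r"c:\windows", "%programfiles%": r"c:\program files"}
SYSTEM32 = r"c:\windows\system32"
# Fallback folders the post names for the worm's DLL.
FALLBACK_DIRS = {r"c:\program files\internet explorer",
                 r"c:\program files\movie maker"}


def normalise(path):
    """Lower-case a Windows path, strip quotes and expand %VAR% prefixes."""
    p = path.strip().strip('"').lower()
    for var, value in ENV.items():
        p = p.replace(var, value)
    return ntpath.normpath(p)


def audit_services(services, known_good_dlls):
    """Return (service name, reason) pairs for svchost-hosted services to review."""
    baseline = {normalise(d) for d in known_good_dlls}
    findings = []
    for svc in services:
        image = normalise(svc.get("ImagePath", ""))
        dll = svc.get("ServiceDll")
        if "\\svchost.exe" not in image or not dll:
            continue  # not a DLL service hosted by svchost.exe
        dll = normalise(dll)
        folder = ntpath.dirname(dll)
        if folder in FALLBACK_DIRS:
            findings.append((svc["Name"], "ServiceDll in fallback folder: " + dll))
        elif folder == SYSTEM32 and dll not in baseline:
            findings.append((svc["Name"], "System32 ServiceDll not in baseline: " + dll))
    return findings


# Constructed sample data, shaped like values read from
# HKLM\SYSTEM\CurrentControlSet\Services\<name> and its Parameters subkey.
KNOWN_GOOD = [r"%SystemRoot%\System32\dhcpcsvc.dll"]
SAMPLE_SERVICES = [
    {"Name": "Dhcp", "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
     "ServiceDll": r"%SystemRoot%\System32\dhcpcsvc.dll"},
    {"Name": "Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
    {"Name": "xkqzpd", "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
     "ServiceDll": r"C:\Windows\System32\qwmzjv.dll"},
    {"Name": "hjkwe", "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
     "ServiceDll": r"%ProgramFiles%\Movie Maker\abcxyz.dll"},
]

if __name__ == "__main__":
    for name, reason in audit_services(SAMPLE_SERVICES, KNOWN_GOOD):
        print(name, "->", reason)
```

A hit is a reason to inspect the DLL, not a verdict: the baseline has to come from a known-clean machine of the same Windows version.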

by asgold / February 28, 2009 4:20 PM PST

Thanks for the update and for the link, it worked for me and I got rid of that worm :)

(NT) Super _ thanks for letting us know :)
by Marianna Schmudlach / February 28, 2009 11:42 PM PST
In reply to: thx

Conficker modified for more mayhem
by Marianna Schmudlach / March 9, 2009 4:37 AM PDT

9 March 2009

According to Symantec the Conficker worm has been modified to cause more damage. Previously the worm had only contacted about 250 domains a day, to look for commands and download new code. Symantec report that there is a new variant of Conficker using an algorithm which will contact up to 50,000 domains a day. The new domain generation algorithm also uses one of 116 possible domain suffixes.

This is expected to make life harder for anti-virus specialists, ICANN and OpenDNS to block the domains that Conficker will use and makes it much more likely that Conficker will be generating addresses that point to legitimate sites. Although Conficker generates the domain name from a random combination of letters and should be creating domains that point to largely unused addresses, it is possible to find companies who have domains whose names match the generated addresses. For example, the previous generation of the worm is expected to call wnsux.com on March 13th, a domain owned by Southwest Airlines.

More: http://www.h-online.com/security/Conficker-modified-for-more-mayhem--/news/112802

Romanians find cure for conficker
by Marianna Schmudlach / March 14, 2009 9:27 AM PDT

(NT) I hope it covers the latest Conficker virus as well :)
by darkdestiny7 / March 16, 2009 12:25 PM PDT

Sophos now has a conficker removal tool also.
by roddy32 / March 18, 2009 4:40 AM PDT

Interesting Conficker C analysis published
by Marianna Schmudlach / March 19, 2009 2:43 PM PDT

The folks over at SRI have published some interesting additional information on Conficker.C. Worth reading. Link here.

In this addendum report, we summarize the inner workings and practical implications of this latest malicious software application produced by the Conficker developers. In addition to the dual layers of packing and encryption used to protect A and B from reverse engineering, this latest variant also cloaks its newest code segments, along with its latest functionality, under a significant layer of code obfuscation to further hinder binary analysis. Nevertheless, with a careful mixture of static and dynamic analysis, we attempt here to summarize the internal logic of Conficker C.

Alex Eckelberry


Hype, April fool's day, and the Conficker worm
by Marianna Schmudlach / March 27, 2009 1:34 AM PDT

"Millions of computers around the world could go into meltdown on April 1 because of a deadly virus."

Those are the words from a report in today's soaraway Sun, a British tabloid newspaper.

With that kind of talk in a national newspaper (and there are plenty of other examples in the media at the moment) you could understand why some companies and home users might be worried about what might happen next Wednesday.

Well, as I've already mentioned on the blog, no-one knows what Conficker might or might not do on April 1st.

It's quite possible that Conficker will not do anything significant on April 1st. Certainly it won't be "deadly" and your computers won't melt. :)

More: http://www.sophos.com/blogs/gc/

Websense - Update on Conficker.C
by Marianna Schmudlach / March 30, 2009 8:23 AM PDT


Threat Type: Malicious Web Site / Malicious Code

April's approach has created a lot of chatter about Conficker, a worm largely considered to be one of the most widespread infections in recent years. Some estimates put peak infection at over 10,000,000 hosts.

A large effort has been made by the white-hat community and the Conficker Cabal Group to mitigate Conficker infections, and with success. The current estimate indicates that the number of infected hosts has fallen to 1 to 2 million, which is still a very large number when factored against recent bot counts.

There is a good deal of speculation about what's going to happen on April 1, a special date that is hard coded into the latest variant of the worm's binary file. The wider Internet community is fortunate in that some very good research has been conducted into the different variants of the worm: A, B, B++ & C.

More: http://securitylabs.websense.com/content/Alerts/3329.aspx

Busted! Conficker's Tell-Tale Heart Uncovered
by Grif Thomas Forum moderator / March 31, 2009 5:03 AM PDT

Security experts have made a breakthrough in their five-month battle against the Conficker worm, with the discovery that the malware leaves a fingerprint on infected machines that is easy to detect using a variety of off-the-shelf network scanners.

The finding means that, for the first time, administrators around the world have easy-to-use tools to positively identify machines on their networks that are contaminated by the worm. As of mid-Monday, signatures will be available for at least half a dozen network scanning programs, including the open-source Nmap, McAfee's Foundstone Enterprise and Nessus, made by Tenable Network Security.


Hope this helps.


Please, the world is NOT ending on April 1
by Marianna Schmudlach / March 31, 2009 7:56 AM PDT

Some people are getting hysterical about Conficker's deadly payload on April 1.


Randy Abrams at ESET does a nice job of explaining the situation:

Yeah, Conficker is a serious problem, but not for home and corporate users who employ best practices already. The real problem is for the security professionals trying to prevent the worm from impacting the millions of people who fail to learn anything about security.

So, you still want to protect against Conficker? Here is what to do. Make sure that the Windows Security center is functioning and you are up to date on your Microsoft security patches. You can go to http://update.microsoft.com to manually check for updates. Make sure your antivirus product is up to date. Your antivirus product should be tested by Virus Bulletin (www.virusbtn.com) and/or certified by ICSA Labs, or have West Coast Labs Checkmark certification. Send me an email at askeset@eset.com if you need help determining this. Exercise caution in what websites you visit and never open attachments unless you have verified that you know the person who sent them and that they really meant to send the attachment and that they also know what it is. These instructions are not specifically for Conficker, this is simply part of how you protect against all of the threats out there.

More: http://sunbeltblog.blogspot.com/index.html

Conficker World Maps
by Marianna Schmudlach / April 2, 2009 12:19 AM PDT

Thursday, April 2, 2009

Where in the world are the Conficker-infected machines today?

Shadowserver and Conficker Working Group have the maps:


Post April 1st Conficker Q&A
by Marianna Schmudlach / April 2, 2009 9:24 AM PDT

Thursday, April 2, 2009

As we posted Conficker Q&A prior to April 1st it wouldn't be right if we didn't do one after the event.

Q: First off, how do I know if I'm infected?
A: Joe Stewart has created a very simple test that's available at the Conficker Working Group's site. Click here to try it out. If it says you're infected you can find a bunch of removals tools on the same site, including F-Secure's.

More: http://www.f-secure.com/weblog/

Simple Conficker test for end users
by Marianna Schmudlach / April 3, 2009 1:04 AM PDT

3 April 2009

Joe Stewart of SecureWorks has developed a simple test which reveals at a glance whether or not a system has been infected with one of the wide-spread versions of Conficker. The H now offers our own version of this test page.

Once a Conficker infection is suspected on a system, the anti-virus software installed on that system can no longer be trusted. The malware terminates a number of security mechanisms and prevents the start of certain programs. The new test is based on the fact that Conficker blocks access to various security and anti-virus pages. It includes a page that shows images of normal and of blocked sites. If only the images of the AV vendors are missing, there is a high likelihood that the computer has been infected with Conficker – or with another type of malware that behaves in a similar way.

More: http://www.h-online.com/security/Simple-Conficker-test-for-end-users--/news/112995

The H Security Conficker information site
by Marianna Schmudlach / April 6, 2009 2:01 AM PDT

Conficker botnet stirs to distribute update payload
by Marianna Schmudlach / April 9, 2009 1:27 AM PDT

It's alive!

By John Leyden

9th April 2009

The Conficker superworm is stirring, with the spread of a new variant that spreads across P2P and drops a payload. It is thought to update machines infected by earlier strains of the worm.

Conficker-E (the latest variant) offers potential clues on the origins of the worm, because of possible links to other malware. Trend Micro reports that the new Downadup/Conficker variant is talking to servers associated with the Waledac family of malware, in order to download further unwanted items.

Waledac, in turn, is suspected as the latest item of malware from the gang behind the Storm botnet, sparking speculation that all three strains of botnet client are the work of the same cybercriminal gang.

More: http://www.theregister.co.uk/2009/04/09/conficker_botnet_update/

Experts warn of imminent Conficker attack
by Marianna Schmudlach / April 9, 2009 1:38 AM PDT

New variant begins to stir over peer-to-peer network of infected machines

Phil Muncaster

vnunet.com, 09 Apr 2009

Security experts have uncovered new Conficker activity which could indicate that the hackers behind the worm are finally gearing up for an assault.

Researchers at Trend Micro discovered a new variant of Downad/Conficker last night, called Worm_Downad.E, which is spreading over the peer-to-peer network of infected PCs created by the previous version.

This new variant sheds some interesting light on the origins of the worm, according to the researchers, and its potential link to the Waledac malware family which is responsible for one of the most active spam botnets around.

More: http://www.vnunet.com/vnunet/news/2240194/conficker-activity-emerges

W32.Downadup.E - Back to Basics
by Marianna Schmudlach / April 9, 2009 8:46 AM PDT

04-09-2009 01:16 PM
Patrick Fitzgerald writes...
Once again we find ourselves sucked into a maelstrom of questions and uncertainty surrounding the threat W32.Downadup, which is now a household name (just in case you haven't heard of it, it's also known as Conficker). I'm sure that the people working in the security industry can marvel at their loved ones finally taking an interest in their job, which for once has gone past feigned interest and polite smiles. So, what have the little scamps behind W32.Downadup been up to this time?

Yesterday, Brian Ewell wrote about new developments regarding W32.Downadup in his blog entry entitled Downadup + Waledac. That blog mentioned some differences in functionality and put forward a possible association with Waledac. Today's post will provide some more details about these differences.

We observed W32.Downadup downloading a binary over its peer-to-peer mechanism. The downloaded binary incorporates the spreading mechanisms used by W32.Downadup.A. However, this binary is a new variant and is detected by Symantec products as W32.Downadup.E.

1. It patches "tcpip.sys" in order to increase the number of concurrent network connections available on the system.
2. The exploitation of the MS08-067 vulnerability, which had not featured in W32.Downadup.C, is now included in W32.Downadup.E.
3. This variant also uses the SMB protocol to identify the target system before attempting to exploit it. This is most likely an attempt to increase the chances of successful exploitation.
4. This worm has the UPnP capabilities that we saw in previous versions of Downadup. The threat exploits weaknesses in certain routers to allow access to compromised machines from external networks.
5. W32.Downadup.E will remove itself from the system on or after May 3, 2009.

More: https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/262

Conficker still infecting 50,000 PCs per day
by Marianna Schmudlach / May 21, 2009 12:22 AM PDT

By Robert McMillan

May 20, 2009

IDG News Service - The Conficker worm is still infecting systems at a brisk rate and continues to snag computers in Fortune 1000 companies, according to security researchers.

The worm is infecting about 50,000 new PCs each day, according to researchers at Symantec, who reported Wednesday that the U.S., Brazil and India have been hit the hardest. "Much of the media hype seems to have died down around Conficker/Downadup, but it is still out there spreading far and wide," Symantec said in a blog post.

Conficker began spreading late last year, taking advantage of a recently patched flaw in Microsoft's Windows operating system to infect entire networks and also using removable storage devices to hop from PC to PC. Security experts say it has now infected millions of computers worldwide, which now comprise the world's biggest botnet network.

More: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133363
