Archived Content

In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
Alert

Conficker Worm Targets Microsoft Windows Systems

Last Revised
Alert Code
TA09-088A

Systems Affected

  • Microsoft Windows

Overview

US-CERT is aware of public reports indicating a widespread infection of the Conficker/Downadup worm, which can infect a Microsoft Windows system from a thumb drive, a network share, or directly across a corporate network, if the network servers are not patched with the MS08-067 patch from Microsoft.

Researchers have discovered a new variant of the Conficker Worm on April 9, 2009.  This variant updates earlier infections via its peer to peer (P2P) network as well as resuming scan-and-infect activity against unpatched systems. Public reporting indicates that this variant attempts to download additional malicious code onto victim systems, possibly including copies of the Waledac Trojan, a spam-oriented malicious application which has previously propagated only via bogus email messages containing malicious links.

Home users can apply a simple test for the presence of a Conficker/Downadup infection on their home computers.  The presence of a Conficker/Downadup infection may be detected if a user is unable to surf to their security solution website or if they are unable to connect to the websites, by downloading detection/removal tools available free from those sites:

If a user is unable to reach any of these websites, it may indicate a Conficker/Downadup infection.  The most recent variant of Conficker/Downadup interferes with queries for these sites, preventing a user from visiting them.  If a Conficker/Downadup infection is suspected, the system or computer should be removed from the network or unplugged from the Internet - in the case for home users.

Impact

A remote, unauthenticated attacker could execute arbitrary code on a vulnerable system.

Solution

Instructions, support and more information on how to manually remove a Conficker/Downadup infection from a system have been published by major security vendors.  Please see below for a few of those sites. Each of these vendors offers free tools that can verify the presence of a Conficker/Downadup infection and remove the worm:Symantec:http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99Microsoft:http://support.microsoft.com/kb/962007http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspxMicrosoft PC Safety hotline at 1-866-PCSAFETY, for assistance.US-CERT encourages users to take the following preventative measures to help prevent a Conficker/Downadup infection:

  • Ensure all systems have the MS08-067 patch.
  • Disable AutoRun functionality. See US-CERT Technical Cyber Security Alert TA09-020A.
  • Maintain up-to-date antivirus software.
  • Do not follow unsolicited links and do not open unsolicited email messages.
  • Use caution when visiting untrusted websites.
  • Use caution when downloading and installing applications.
  • Obtain software applications and updates directly from the vendor's website.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks. 

References

Revisions

March 29, 2009: Initial release|March 30, 2009: Updated|March 30, 2009: Updated|April 09, 2009: Updated