Conficker

From Wiki-Security, the free encyclopedia of computer security

Conficker Information
Type: Worm
Analysis: Exploits the Windows MS08-067 service vulnerability and spreads across network connections.
Symptoms: Slow network access, scheduled tasks being created, denied access to admin shares, and inability to access security websites and services.
Removal: Download Free Conficker Removal Tool.

Conficker, also known as Downadup and Kido, is a worm that spreads by exploiting the MS08-067 vulnerability in Windows. What makes the Conficker worm particularly malicious is its ability to prevent you from accessing security websites. Conficker replicates itself each time you reboot your PC, and it can spread its infection to other PCs over your computer network. To combat the Conficker worm, Microsoft released a patch to address the flaw being exploited in Windows. You are well advised to obtain the Microsoft patch and to continue receiving critical updates. You should run a scan to detect the Conficker worm and remove it promptly if infected.



Disclaimer Information
This website, its content or any portion of this website is NOT affiliated with, connected to, or sponsored by Conficker or its creators in any way. This website does not advocate the actions or behavior of Conficker and its creators. Our objective is to provide Internet users with the know-how to detect and remove Conficker and other Internet threats.

The readers of this article should not mistake, confuse or associate this article to be an advertisement or a promotion of Conficker in any way. The content provided on this website is intended for educational or informational purposes and is provided "AS IS" with no warranties, and confers no rights.



Free Removal of Conficker (Recommended)

Conficker is difficult to detect and remove. Conficker is not likely to be removed through a convenient "uninstall" feature. Conficker, as well as other virus threats, can re-install itself even after it appears to have been removed.

You also run the risk of damaging your computer since you're required to find and delete sensitive files in your system such as DLL files and registry keys. It is recommended you use a good removal tool to remove Conficker on your computer.

Run Free Conficker Removal Tool to successfully remove Conficker files.

Method of Infection

To spread across computers, Conficker exploited the MS08-067 Microsoft Windows Server Service vulnerability. Conficker has since evolved to spread across network connections as well as USB memory devices. Once executed, Conficker secretly copies itself under a random file name to the %Sysdir% folder and changes registry keys to create a randomly named service. Conficker then creates an HTTP server on the affected computer on a random port (example: http://[EXTERNAL IP ADDRESS OF AFFECTED COMPUTER]:[RANDOM PORT]) and sends this URL as a portion of its payload to remote computers; if successful, the remote computer connects back to that URL and downloads the Conficker worm. Conficker also tries to find the network device registered as the Internet gateway on the network and opens the random port mentioned earlier so that the affected computer can be accessed from external networks.


Symptoms

Conficker may cause logons to take longer than normal, deny access to many security websites, slow network access, deny access to admin shares, and add an autorun.inf file to recreate itself, all without your knowledge or permission. Another Conficker symptom is that Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled. Therefore, it is strongly recommended to remove all traces of Conficker from your computer.

Remedies and Prevention

Conficker, like other worms, is constantly evolving and becoming more advanced to avoid detection. Conficker and its variants can install in different locations, and even when you try to uninstall them you find that they reappear when you reboot your computer.

Install a good anti-virus or anti-spyware software

When a large number of traces of malware or worms, for example Conficker, have infected a computer, the only remedy may be to automatically run good anti-virus and/or anti-spyware software designed to detect Conficker and other types of worms.

Remove Conficker manually

Another method to remove Conficker is to manually delete Conficker files in your system. Detect and remove the following Conficker files:

DLLs

  • %System%\[RANDOM FILE NAME].dll
  • vhoinp.dll
  • %Temp%\[RANDOM FILE NAME].dll
  • %Program Files%\Internet Explorer\[RANDOM FILE NAME].dll
  • %Program Files%\Movie Maker\[RANDOM FILE NAME].dll
  • %All Users Application Data%\[RANDOM FILE NAME].dll

Other Files

  • %System%\[Random].tmp
  • %Temp%\[Random].tmp

Registry Keys

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "[PATH OF WORM]"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = dword:00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, netsvcs = %Previous data% and %Random%
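The registry indicators listed above can be checked offline against saved `reg query <key> /s` output from a suspect machine. The following is an added example, not part of the original article: the service name `qzxkfw`, the DLL name `hbtlre.dll` and the sample text are constructed, and flagging a ServiceDll by its directory is a triage heuristic assumed here, so each finding is a lead to review rather than proof of infection.

```python
import re

# Drop locations the page lists for the worm DLL. %System% is left out because
# legitimate netsvcs service DLLs live there too (heuristic, added assumption).
SUSPECT_DIRS = ("\\temp\\", "\\internet explorer\\", "\\movie maker\\",
                "\\application data\\")
VALUE_RE = re.compile(r"^\s+(\S.*?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Parse `reg query <key> /s` text into {key_path: {value_name: data}}, lowercased."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1).lower()] = m.group(3).strip()
    return keys

def find_indicators(text):
    """Return findings for the registry indicators listed in this article."""
    keys, findings = parse_reg_query(text), []
    for path, values in keys.items():
        # Display of hidden files forced off: SHOWALL\CheckedValue = 0
        if path.endswith("\\hidden\\showall") and values.get("checkedvalue") == "0x0":
            findings.append(("hidden-files-disabled", path))
        # svchost netsvcs service whose ServiceDll sits in a listed drop location
        image = values.get("imagepath", "").lower()
        if "\\services\\" in path and "svchost.exe -k netsvcs" in image:
            dll = keys.get(path + "\\parameters", {}).get("servicedll", "").lower()
            if dll.endswith("\\vhoinp.dll") or any(d in dll for d in SUSPECT_DIRS):
                findings.append(("suspect-servicedll", path.rsplit("\\", 1)[-1], dll))
    return findings

# Constructed sample input (service and DLL names are made up for illustration).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\wuaueng.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qzxkfw
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qzxkfw\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Program Files\Movie Maker\hbtlre.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue    REG_DWORD    0x0
"""

if __name__ == "__main__":
    print(*find_indicators(SAMPLE), sep="\n")
```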
