The “no bull” guide to Conficker

by techtiptom


Originally posted on 04/02/2009:

From Adrian Kingsley-Hughes, an internationally published technology author who has devoted over a decade to helping users get the most from technology:

Some antivirus companies love to hype malware because it’s a great way to sell security products. While Conficker isn’t new (it’s been around since November last year), the April 1st trigger date gives security firms the opportunity to ratchet up the hype a couple more notches (and help drive concerned users straight into the hands of cybercriminals). However, it’s important to note that it’s unclear right now as to what will happen come the trigger date. However, what is clear is that you will need to be infected to be at risk of anything happening at all.

It seems that more than half of all Conficker infections are confined to PCs in China, Brazil, Russia, India, and Argentina, so folks in the US and Europe have dodged the bullet … mostly. Given the relatively low number of Conficker infections that I’ve come across, I’d say that the research is spot on.

If you’re running a fully patched system, then you’ve got little to be worried about. If you’re running an antivirus program, then you’ve got a second line of defense. If you’re worried, run a scan with a detection tool (see below). Better to be safe than sorry. Conficker can spread via network shares, leveraging weak passwords, so if you can’t trust the systems you’re connected to, and you know you’re using weak passwords, then your risk of being infected is elevated. Also, Conficker can spread via removable drives by taking advantage of Windows autoplay.

If you’re running a bootleg copy of Windows that’s not patched properly, or you’ve been neglecting to patch up (the security bulletin that’s important here is MS08-067) then there’s a small chance that you could be infected. If you’re worried, run a system scan using one of the following tools:

F-Secure Malware Removal Tool
Microsoft Malicious Software Removal Tool
Sunbelt Software
Symantec FixDownadup.exe

If you’re having trouble accessing the websites of any of the above programs then that could be an indicator that you’re infected because Conficker (specifically Conficker.C) incorporates a domain blocker to prevent infected users from getting help (even accessing Windows Update and Microsoft Update). It’s now important that you use an uninfected PC to download a Conficker removal tool onto a USB drive and clean up the infected PC. Alternatively, you can visit a site run by security firm BitDefender that is, as of the time of writing, not blocked (this site could be added to Conficker’s block list at any time, so there are no guarantees that it will remain open to those who are infected).

After cleaning up the PC, apply the patch and then get on with the rest of your life.

Bottom line … Don’t panic!
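Editor's note: the "can't reach the vendor sites" indicator described in the quoted piece is easy to turn into a repeatable check. The script below is an added example written for this page; it is not code from the article, from Kingsley-Hughes, or from any of the vendor tools listed. It resolves a handful of security-vendor hostnames alongside two unrelated control hostnames and reports a verdict only when the pattern is telling: controls resolve, several vendor sites do not. The exact hostnames are assumptions (the article names the vendors, not their sites), and the check assumes the worm tampers with the same resolver path Python's socket library uses on the host. A proxy, a DNS filter, or a plain outage produces the same pattern, so a "blocked-pattern" result is a reason to run one of the removal tools from a clean PC, not proof of infection.

```python
# Added example (not from the article or any vendor tool): a crude
# "can I reach the security sites?" check. Conficker.C blocks name
# resolution for security-vendor domains on an infected host, so if
# several vendor sites fail to resolve while unrelated control sites
# resolve normally, that pattern is worth following up. It is not proof
# of infection: a proxy, a DNS filter or an ordinary outage looks the same.
import socket

# Vendors named in the article; the exact hostnames are assumptions.
SECURITY_HOSTS = [
    "www.f-secure.com",
    "www.microsoft.com",
    "update.microsoft.com",
    "www.sunbeltsoftware.com",
    "www.symantec.com",
    "www.bitdefender.com",
]
# Control hosts a security-site blocker has no reason to touch (assumed).
CONTROL_HOSTS = ["www.wikipedia.org", "www.example.com"]


def resolves(host):
    """True if the local resolver returns at least one address for host."""
    try:
        return len(socket.getaddrinfo(host, 80)) > 0
    except socket.gaierror:
        return False


def probe(hosts=None):
    """Resolve every host (live DNS) and return {host: resolved?}."""
    hosts = hosts if hosts is not None else SECURITY_HOSTS + CONTROL_HOSTS
    return {h: resolves(h) for h in hosts}


def assess(results):
    """Turn {host: resolved?} into a verdict string.

    'network-down'    : a control host failed, so nothing can be concluded
    'clear'           : every checked security host resolved
    'blocked-pattern' : controls fine, but at least two security hosts
                        (and at least half of those checked) did not resolve
    'inconclusive'    : too little data, or only a single vendor failed
    """
    sec = {h: ok for h, ok in results.items() if h in SECURITY_HOSTS}
    ctl = {h: ok for h, ok in results.items() if h in CONTROL_HOSTS}
    if not sec or not ctl:
        return "inconclusive"
    if not all(ctl.values()):
        return "network-down"
    failed = [h for h, ok in sec.items() if not ok]
    if not failed:
        return "clear"
    if len(failed) >= 2 and len(failed) * 2 >= len(sec):
        return "blocked-pattern"
    return "inconclusive"


def blocked_hosts(results):
    """Sorted list of the security hosts that did not resolve."""
    return sorted(h for h, ok in results.items()
                  if h in SECURITY_HOSTS and not ok)


if __name__ == "__main__":
    r = probe()
    for host, ok in sorted(r.items()):
        print(f"{'ok  ' if ok else 'FAIL'}  {host}")
    print("blocked:", ", ".join(blocked_hosts(r)) or "none")
    print("verdict:", assess(r))
```

Run it on the suspect PC; if it reports a blocked pattern, switch to an uninfected machine to fetch a removal tool onto a USB drive, as the piece advises. The thresholds (two failures, and at least half of the vendor list) are deliberately conservative so that one vendor's site being down does not trigger a false alarm.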