Thread: SA09-088A: Conficker Worm Targets Microsoft Windows Systems

National Cyber Alert System
Cyber Security Alert SA09-088A

Conficker Worm Targets Microsoft Windows Systems

Original release date: March 29, 2009
Last revised: March 30, 2009
Source: US-CERT

Systems Affected

• Microsoft Windows

Overview

US-CERT is aware of public reports indicating a widespread infection of the Conficker/Downadup worm, which can infect a Microsoft Windows system from a thumb drive, a network share, or directly across a corporate network, if the network servers are not patched with the MS08-067 patch from Microsoft.

Solution

Instructions, support and more information on how to manually remove a Conficker/Downadup infection from a system have been published by major security vendors. Please see below for a few of those sites. Each of these vendors offers free tools that can verify the presence of a Conficker/Downadup infection and remove the worm:

Symantec:

http://www.symantec.com/business/sec...011316-0247-99

Microsoft:

http://support.microsoft.com/kb/962007

http://www.microsoft.com/protect/com...conficker.mspx

Microsoft PC Safety hotline at 1-866-PCSAFETY, for assistance.



US-CERT encourages users to prevent a Conficker/Downadup infection by ensuring all systems have the MS08-067 patch (see http://www.microsoft.com/technet/sec.../MS08-067.mspx), disabling AutoRun functionality (see http://www.us-cert.gov/cas/techalerts/TA09-020A.html), and maintaining up-to-date anti-virus software.

Description

Home users can apply a simple test for the presence of a Conficker/Downadup infection on their home computers. The presence of a Conficker/Downadup infection may be detected if a user is unable to surf to their security solution website or if they are unable to connect to the websites, by downloading detection/removal tools available free from those sites:

• http://www.symantec.com/norton/theme...conficker_worm
• http://www.microsoft.com/protect/com...conficker.mspx
• http://www.mcafee.com

If a user is unable to reach any of these websites, it may indicate a Conficker/Downadup infection. The most recent variant of Conficker/Downadup interferes with queries for these sites, preventing a user from visiting them. If a Conficker/Downadup infection is suspected, the system or computer should be removed from the network or unplugged from the Internet - in the case for home users.

References

• Microsoft Windows Malicious Software Removal Tool - <http://www.microsoft.com/downloads/d...3-75B8EB148356>
• Microsoft Updates Website - <http://update.microsoft.com/microsoftupdate/>
• US-CERT Technical Cyber Security Alert TA09-088A - <http://www.us-cert.gov/cas/techalerts/TA09-088A.html>
• Virus alert about the Win32/Conficker.B worm - <http://support.microsoft.com/kb/962007>
• The Conficker Worm - <http://www.symantec.com/norton/theme...conficker_worm>
• W32/Conficker.worm - <http://us.mcafee.com/root/campaign.asp?cid=54857>
• Microsoft Automatic Updates - <http://www.microsoft.com/windows/dow...ticupdate.mspx>