Beware of Conficker Worm - Do Windows Update If You Have Not
The Conficker worm, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system which was first detected in November 2008. The worm has infected thousands of business and home networks. The worm exploits a known vulnerability in Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008 and Windows 7 Beta.
Microsoft released the critical security update "MS08-067" in October 2008, which can protect against the Conficker worm. However, many Windows PCs remain unpatched and are at risk of being infected (the symptoms are described in section 3). Also, some other worms infect computers through similar vulnerabilities, weak passwords and removable storage devices. Thus, it is important to apply critical updates when they become available, usually in the middle of a month.
To prevent infection by the Conficker worm or other malicious software, you should take the following preventive measures:
- Apply Windows Critical Updates whenever a new Critical Update is available.
- Install anti-virus software on your PC and update its virus definitions daily.
- Install anti-spyware software on your PC. (Windows Defender is native in Windows Vista and is freely available for XP.)
- Turn ON your personal firewall software. (Windows Firewall is a built-in firewall in Windows Vista and XP.)
For more information about the above preventive measures, please refer to our FAQ on Computer Viruses at http://www.its.hku.hk/faq/virus.htm#protect_answer.
For more information about the Conficker worm, please refer to the following websites:
- Technical Cyber Security Alert: Conficker Worm Targets Microsoft Windows Systems -
- Microsoft: Protect yourself from the Conficker computer worm -
In addition to applying Windows Critical Updates, installing anti-virus and anti-spyware software, and enabling a firewall, you are advised to do the following:
- Disable the AutoRun functionality of removable storage devices, e.g. USB devices, so that an infected device cannot automatically infect the PC when it is connected. The steps to do so are described in
- Disable file and print sharing. The steps to do so are described in http://support.microsoft.com/kb/199346
The Conficker worm may be present if a PC is unable to access websites of security solutions, or unable to download certain security products, such as malicious software detection/removal tools.
According to a Conficker Working Group website, the effects of the Conficker worm are as follows:
- Account lock-out policies being reset automatically.
- Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender (an anti-spyware program), and Error Reporting Services are automatically disabled.
- Domain controllers respond slowly to client requests.
- The network becomes unusually congested. This can be checked with the network traffic chart in Windows Task Manager.
- Updates on websites related to anti-virus software cannot be accessed.
- Launches a brute force attack against administrator passwords to help it spread.
- Scanning TCP Port 445.
- Multicast UPnP requests.
- High-port TCP and UDP peer-to-peer activity.
- Abnormal DNS lookup activity.
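The "Scanning TCP Port 445" symptom above can be checked from firewall or flow logs by counting how many different hosts each PC contacts on TCP port 445 in a short period. The following is an added example, not part of the original advisory; the log format, the addresses, the 60-second window and the threshold of 20 hosts are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

def build_sample():
    """Constructed records (not real traffic): 'timestamp src dst proto dport'."""
    t0, rows = datetime(2009, 1, 12, 9, 0, 0), []
    for i in range(12):   # client reusing one file server: normal SMB use
        rows.append(f"{(t0 + timedelta(seconds=5 * i)).isoformat()} 10.0.0.15 10.0.0.2 TCP 445")
    for i in range(30):   # one new TCP/445 destination per second: a sweep
        rows.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.23 10.0.1.{i + 1} TCP 445")
    for i in range(25):   # many destinations, but spread over hours
        rows.append(f"{(t0 + timedelta(minutes=10 * i)).isoformat()} 10.0.0.40 10.0.2.{i + 1} TCP 445")
    rows.append(f"{t0.isoformat()} 10.0.0.15 192.0.2.80 TCP 80")  # other port, ignored
    rows.append("truncated record")                                # malformed, skipped
    return rows

def find_smb_sweepers(lines, window=timedelta(seconds=60), threshold=20):
    """Map each source to its peak count of distinct TCP/445 destinations
    inside any sliding window, keeping only sources at or above threshold."""
    events = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, dport = parts
        if proto.upper() != "TCP" or dport != "445":
            continue
        try:
            events[src].append((datetime.fromisoformat(ts), dst))
        except ValueError:
            continue  # unparseable timestamp
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        recent, in_window, peak = deque(), Counter(), 0
        for ts, dst in evs:
            recent.append((ts, dst))
            in_window[dst] += 1
            while ts - recent[0][0] > window:   # expire events older than the window
                _, old = recent.popleft()
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    for src, peak in find_smb_sweepers(build_sample()).items():
        print(f"{src}: {peak} distinct TCP/445 destinations within 60 s")
```

A PC that only talks to its usual file server stays at a count of one, so the threshold should be set above the number of file and print servers a normal PC on your network uses.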