for Users - by Users
You are not logged in.
The Conficker Worm, that has been infecting PCs for around six months through various means including infected memory sticks, is set to trigger tomorrow, April 1st 2009. Note that, in spite of the date, this isn't an April Fool - this message is being posted on March 31st.
No-one (apart from the worm's authors) really knows what will happen when the worm triggers. The following information, from US-CERT (United States Computer Emergency Readiness Team), tells about as much as we know; and more usefully, gives a simple way to check if your PC is infected. If you can't reach any of the links given in Section I of the alert, you may be infected, If you can reach all three, you're probably not - but it's worth double-checking anyway to be sure.
We urge all our users to make sure they are not infected by this worm, and we urge all our users to make sure they remain free from infection by running up-to-date anti-virus software, ensuring their PCs are regularly updated with the latest patches from their OS providers (Microsoft for Windows, Apple for OSX etc.), and ensuring they only access the Internet from behind a firewall, whether it's a hardware-based one or a software one.
Please click here for an update on the situation, 9th April 2009
Subject: US-CERT Technical Cyber Security Alert TA09-088A -- Conficker Worm Targets Microsoft Windows Systems
-----BEGIN PGP SIGNED MESSAGE-----
National Cyber Alert System
Technical Cyber Security Alert TA09-088A
Conficker Worm Targets Microsoft Windows Systems
Original release date: March 29, 2009
Last revised: March 30, 2009
* Microsoft Windows
US-CERT is aware of public reports indicating a widespread
infection of the Conficker/Downadup worm, which can infect a
Microsoft Windows system from a thumb drive, a network share, or
directly across a corporate network, if the network servers are not
patched with the MS08-067 patch from Microsoft.
Home users can apply a simple test for the presence of a
Conficker/Downadup infection on their home computers. The presence
of a Conficker/Downadup infection may be detected if a user is
unable to surf to their security solution website or if they are
unable to connect to the websites, by downloading detection/removal
tools available free from those sites:
* http://www.symantec.com/norton/theme.js … icker_worm
* http://www.microsoft.com/protect/comput … icker.mspx
If a user is unable to reach any of these websites, it may indicate
a Conficker/Downadup infection. The most recent variant of
Conficker/Downadup interferes with queries for these sites,
preventing a user from visiting them. If a Conficker/Downadup
infection is suspected, the system or computer should be removed
from the network or unplugged from the Internet - in the case for
A remote, unauthenticated attacker could execute arbitrary code on
a vulnerable system.
Instructions, support and more information on how to manually
remove a Conficker/Downadup infection from a system have been
published by major security vendors. Please see below for a few of
those sites. Each of these vendors offers free tools that can
verify the presence of a Conficker/Downadup infection and remove
http://www.symantec.com/business/securi … 16-0247-99
http://www.microsoft.com/protect/comput … icker.mspx
Microsoft PC Safety hotline at 1-866-PCSAFETY, for assistance.
US-CERT encourages users to prevent a Conficker/Downadup infection by
ensuring all systems have the MS08-067 patch (see
http://www.microsoft.com/technet/securi … 8-067.mspx),
disabling AutoRun functionality (see
maintaining up-to-date anti-virus software.
* Microsoft Windows Does Not Disable AutoRun Properly -
* Virus alert about the Win32/Conficker.B worm -
* Microsoft Security Bulletin MS08-067 - Critical -
* MS08-067: Vulnerability in Server service could allow remote code
* The Conficker Worm -
* W32/Conficker.worm -
* W32.Downadup Removal Tool -
The most recent version of this document can be found at:
Feedback can be directed to US-CERT Technical Staff. Please send
email to <firstname.lastname@example.org> with "TA09-088A Feedback VU#827267" in
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
Produced 2009 by US-CERT, a government organization.
March 29, 2009: Initial release
March 30, 2009: Included additional details
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
-----END PGP SIGNATURE-----
Note that the PGP signature may not verify correctly on the message as displayed in your browser.
Last edited by Jellyroll (09-04-2009 12:03:39)
I thought this was patched back in October? Not that some places won't be hit, like the dimwit's at the last company I worked for who went six month's without AV updates and system patches because the losers in the IT department wouldn't admit they hadn't a clue what they were doing.
Make sure your auto updates are on and the same for your AV package then wait and see what happens.
In spite of protection being in place since before the worm was first discovered last November, it is estimated that there are around ten million infected PCs - infected because of weak & easily-guessed passwords, failure to install patches, failure to run up-to-date anti-virus and failure to operate behind firewalls.
Tomorrow may prove interesting. I just hope that people reading this will be interested observers, not unwitting participants.
True. I always say that internet security for your PC is best viewed with a generous dose of paranoia, they are out to get you and you can't really rely on one solution. I force myself to make awkward passwords even though by nature I'm as prone to being lazy as anyone else.
What I'm really worried about is the inevitable slew of calls I'll get from friends or relatives tomorrow if it really does kick off something major. I swear one of these day's I'll replace the little security lecture with a permanent marker pen and their monitors.
I got an email this evening offering a link to find out more about the conficker virus and and antivirus code to use.....needless to say it is now in my junk mail box
Update 9th April 2009
Conficker has started the next phase of its operation, downloading malware onto infected PCs via its own P2P network. The newly-downloaded software is encrypted, so its purpose is as yet unclear.
Trend Micro blog post on the subject
http://www.confickerworkinggroup.org/in … chart.html is a web page to help identify if you are infected -- but be aware that it is not foolproof, and won't help if you are running through a non-transparent proxy (i.e. one entered manually or automatically into your browser's configuration), as it identifies the worm's presence by its effect on DNS. A manual proxy request won't use DNS, but a request through a transparent proxy will.
I haven't managed to access it either