According to security researchers, Conficker worm is managing to still infect systems at a rapid rate which includes systems in Fortune 1000 companies. Researchers at Symantec have said Conficker is infected about 50,000 new PC’s each day. Systems located in the U.S., India and Brazil have been hit the hardest which was confirmed in the same report from researchers at Symantec.

The hype that circulated Conficker worm over two months go, has died down and is almost non-existent. The fact of the matter is, Conficker is still a viable threat and remains to be very active.

Conficker, Downadup or Kido, first started spreading in late 2008 where it took advantage of the MS087-067 vulnerability within the Microsoft Windows operating system. Since then, Conficker has evolved into several other variants including Conficker.B, Conficker.C and even Conficker.E. All versions combined, have managed to infect millions of computers. A good portion of the millions remain to be infected.

Many companies have spent millions of dollars to prevent infections such as Conficker over the course of several years. Even after the preventative measures were put in place, many systems were still infected with Conficker since it’s conception. Conficker is a significant botnet. As you may know with a botnet infection, the creators have a certain degree of control over the infected computers. That means the compromised systems can be instructed to carry out malicious actions at any time.

What should be done in the mean-time about Conficker?

Actions need to be taken to ramp-up prevention and removal of the Conficker infection before a viable attack is initiated on the infected systems. Security researchers have continued to warn companies and network administrator groups to take the necessary precautions in lue of Conficker currently not being in the headlines of the news media. If Conficker continues to infect upwards of 50,000 computers a day, just think of the ramifications of an orchestrated attack using the massive botnet formed by all of the compromised PC’s. This could be one of the biggest attacks that may leave networks infrastructures crippled for months.

Is it possible that the attackers or creators of Conficker purposely waited for the “calm after the storm” to initiate their ultimate attack? Do you think we will see a serious attack conducted by Conficker infected machines in the near future?

The Conficker worm has come back alive and starting to update through peer-to-peer between infected computers dropping unknown files or programs. The software that is being dropped appears to be a .sys component hiding behind a rootkit. As you may already know with rootkits it could be software that is developed to hid the fact that a system has been compromised.

Because Conficker is already encrypted to the point where security analyses are not able to figure out all of the details in pinpointing Conficker’s next moves, it is difficult to be 100% sure of what Conficker is currently doing as it contacts DNS names.

What we do know about Conficker is that during this stage of reactivating or awakening, it has attempted to connect to popular sites such as AOL.com, eBay.com, MSN.com, CNN.com and MySpace.com for conducting a test to see if the infected computer has internet access or not.

On Trendmicro’s blog it is stated that Conficker will perform the following functions:

1. May 3, 2009, it will stop running.
2. Runs in random file name and random service name.
3. Deletes this dropped component afterwards.
4. Propagates via MS08-067 to external IPs if Internet is available, if no connections, uses local IPs.
5. Opens port 5114 and serve as HTTP server, by broadcasting via SSDP request.
6. Connects to the following sites:
   aol.com
   cnn.com
   ebay.com
   msn.com
   Myspace.com

We know a lot more about Conficker.C than we did before April 1st. Conficker.C still remains to be a mystery when it comes to predicting the damages that it will cause. However, you can check your system to see if you are infected with Conficker or other variants of Conficker including Conficker.C., by simply attempting to navigate to security websites or Microsoft.com. If you cannot view security websites or Microsoft.com then you may have the Conficker worm on your computer.

Do you think Conficker.C will be the one of the word computer infections this year? Are you taking precautionary measures to protect your system from the Conficker Worm by applying MS08-067 update from Microsoft.com?

Download the Free Conficker removal tool!

A worm, which is now about 4 years old, called Neeris worm, is copying Conficker’s attack strategies which could potentially infect millions of computers. Not much is known about the Neeris Worm, which dates back to May 2005. Neeris Worm is exploiting the same MS08-067 vulnerability that Microsoft patched back in October 2008 at the time of Conficker emerging into the wild.

Conficker used the MS08-067 vulnerability to infect computers and it was a very effective method as it was able to infect 12 million or more computers around the world and giving everyone a big scare especially from the Conficker.C variant. The Conficker.C variant proved to be not as effected as many feared before the date of April 1st which marked the day that it would start contacting its controllers.

In what other way is Neeris simular to Conficker Worm?

The Neeris Worm is now updated using the same methods of Conficker to spread such as using the autorun.inf file where it is able to worm its way onto and from the root directory of a USB drive or other USB storage based devices. Basically this process spreads the infection onto a system silently when it is connected to a computer that is not infected.

Because Neeirs worm, from the research of many security firms, has many of the same characteristics of Conficker, it is believed that the makers of Conficker and Neeirs have joined forces. Neeirs starting showing up on the radar screen again with the new infection methods as early as March 31st and into April 1st. Is this a coincidence that it coincides with the April 1st date that Conficker was supposed to start performing malicious actions?

To add to the mystery of Neeirs worm is the fact that it is not downloaded by any Conficker variant and no proof that it is actually related to Conficker.C’s April 1 activation. Also, Neeris Worm, being 4 years old now, was never added or fingerprinted to be a parasite detected by Microsoft’s Malicious Software Removal Tool. Why did Microsoft overlook this worm? Is it possible that the Neeirs worm is yet another scare tactic just like Conficker.C’s and it will not causing any harm? This is very possible but it is still wise to apply the MS08-067 vulnerability patch to your system to prevent infection from the Neeirs worm and Conficker Worm variants.

Do you fear that we have not seen the last of Conficker Worm or its methods for infecting computers? Do you think that a worm such as Neeirs will emerge as a serious threat finishing what Conficker started?

As you may have remembered, Conficker Worm has been a serious epidemic ever since it affected millions of computers during the last few months. The newest variant, Conficker.C, is expected to start performing malicious actions on April 1st but researchers do not know what exactly will take place.

Currently one thing that has been determined and verified about Conficker.C is that it is hard-coded with the date of April 1st, April Fool’s day. Security researchers expect that April Fool’s day will be more than just a hoax when the Conficker.C worm starts to contact its controllers, which will give the worm instructions to carry out on infected computers around the world.

The original Conficker Worm and other previous variations such as Conficker B++, also known as Downadup or Kido, built a botnet mostly through the exploitation of the MS08-067 vulnerability in Windows. Since then Conficker has been upgraded to deviate past many roadblocks put in place to limit the spread of Conficker. Conficker.C adds these defensive measures so that it protects itself from detection and removal eventually affecting even more computers.

What else do we know about Conficker.C?

Conficker.C disables Windows Automatic Updates and the Windows Security Center. Other variants of Conficker, Conficker.A and Conficker.B, have been dissected and understood to the point where we know what malicious actions it performs. Many security firms are able to provide tools to effectively remove all variants of Conficker including Conficker.C because of the knowledge gained from Conficker.A and Conficker.B during the time that millions of computers were infected with this malevolent worm. Conficker.C is also known to detect and kill SysInternals’ Process Explorer program and other search-and-destory programs such as SysClean. Knowing this has may prompt many computer users and experts to be certain that their security software is actively working.

On April 1st, Conficker.C is expected to contact about 50,000 domains and then start downloading either particular instructions or malicious files. It remains to be a mystery as to what the bots will do on this day. Conficker.C may have been able to spread by avoiding the DNS actions put in place to limit or stop the spread of Conficker.A and Conficker.B.

What are people doing now to prepare for April 1st when Conficker.C starts its malicious actions?

Many security firms are advising computer users to keep all software up-to-date including applying all patches and security updates for Windows from Microsoft. In addition, computer users are asked that they make sure that their security software is up-to-date and properly working. Because Conficker is known to disable security software or certain software updates, it may be best to actually make sure that your software is operating and not inactive.

Conficker.C is by far one of the most advanced computer malware infections mainly because no one is really able to crack it yet. Security firms are still clueless as to what Conficker.C will do and this alone makes Conficker.C a potentially dangerous worm that should not be taken lightly by anyone especially when April Fool’s day rolls around.

What are your plans for April 1st – April Fool’s Day? Will you be reading the latest information about Conficker.C or do you plan on sharing an April Fool’s Day joke about your computer crashing because of Conficker? It may not be that funny if that really does happen.

It is pretty serious when a virus infection has the ability to penetrate a military network and then ground an Air Force fleet. That is pretty much what happened to the French Air Force lately when the Conficker worm was used to penetrate the French military networks which then grounded the French Air Force.

This instance of Conficker may be a laughing matter for some but this is serious business considering that a military force was unable to function as normal due to Conficker causing serious havoc.

It just goes to show that the Conficker Worm infection, or Downadup, has literally spread to millions and is actually affecting many networks around the world. Now researchers estimate 10.5 million computers are infected with Conficker. Even still, a new variant of the Conficker worm was recently discovered dubbed Conficker B++.

Conficker B++ is a new version of the well known Conficker worm infection that seems to be very similar in nature but has new techniques for downloading software giving its creators a new level of flexibility for what they do with the infected machines. If you are not familiar with Conficker then you must known that it is known to basically turn infected computers into zombies were they are under the control of the hackers that originate the attack. In many cases the compromised systems are programmed to send spam, log keystrokes or even launch DoS (denial of service) attacks.

Unfortunately it may be expected to see Conficker B++ spread on a mass scale just like the original Conficker worm or Downadup infection.

Security researchers and news publications have deemed the Conficker Worm “a new digital plaque” and that is just what it is if you consider the fact that is has infected almost 10 million computers worldwide. There is still speculation as to who may have programmed this infection and what may take place with any newer versions in the future.

We have laid out several details about the Conficker worm including a link to a removal tool that helps you automatically remove the Conficker Worm from your computer.

Removal of Conficker Worm

Conficker worm can be successfully removed from a Windows system. The free Conficker Removal Tool listed below is recommended so that all directory locations of the worm can be identified and then safely removed from the affected system.

Free Conficker Removal Tool (Recommended)

Download Free Conficker Removal Tool.

• Press the “Proceed” button in the program to start the first step on removing Conficker.
• Continue the step-by-step instructions until you’ve successfully removed the Conficker Worm.

Conficker Worm Aliases

Conficker, Conficker Worm, Win32/Conficker, Win32/Conficker.A, Win32/Conficker.AA,, Downadup, W32.Downadup.

Type of Computer Infection

Conficker had been classified as a Worm that exploits the MS08-067 vulnerability so that it may spread.

Affected Computers

Conficker is known to affect personal computers and network systems running the Windows operating system. Versions of the Windows operating system affected include Windows 2000, Windows NT, Windows XP, Windows Server 2003 and Windows Vista.

Conficker Worm Symptoms

Conficker worm may drop copies of itself onto the following files:

%Temp%\[Random].dll
%System%\[Random].tmp
%Temp%\[Random].tmp
%Program Files%\Internet Explorer\[Random].dll
%Program Files%\Movie Maker\[Random].dll
%All Users Application Data%\[Random].dll

In addition to affecting the files above, Conficker may perform the following malicious actions:

• Block access to security related web sites.
• Block access to other domains related to Conficker repair or removal information such as certain Microsoft pages.
• Create additional autorun.inf files.
• Create scheduled tasks.
• Create registry keys in specific files and registry keys with empty permissions.
• Perform a network portscan on port 445.
• Disable security services that may be running on the infected system.

The following registry entries may be modified by the Conficker infection:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\”ServiceDll” = “Path to worm”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\”ImagePath” = %SystemRoot%\system32\svchost.exe -k netsvcs

Method of Infection

The Conficker worm creates a copy of itself in a variable location in the %System% directory for Windows. The default installation directory for Conficker for different versions Windows are as follows:

• Windows NT and Windows 2000 – C:\Winnt\System32
• Windows 95, 95, ME – C:\Windows\System
• Windows XP and Windows Vista – C:\Windows\System32

How does Conficker Spread?

Conficker exploits the Microsoft server service vulnerability MS08-067 which was first reported back in October of 2008. The patch applied by Microsoft in October 2008 does not eliminate the threat of the current Conficker worm infection. Conficker is also known to be spread through USB flash drives or over networked systems.

Conficker Worm Payload

Conficker has the ability to download and execute arbitrary files. After Decebember 1st, 2008, Conficker connects to the domain trafficconverter.biz to download and execute a malicious file from the location http://trafficconverter.biz//loadadv.exe. The infection attempts to access certain domain names listed below. [source: ca.com]

ahayw.info
ajcminmqpeu.com
anosb.biz
aqgcurmt.net
bdfbobhuls.com
bjmqxoxbmyq.org
bszeu.info
cfcpreiwtgx.net
cpfgbuwqv.biz
cukpubgb.net
dconkp.com
dpxzsrjhsn.org
dtyqryfi.biz
dviwvh.net
dwmpveim.info
dxnlypjjxp.biz
eaguzulxdr.org
ekrohmqa.info
eoblibwqaig.info
epvzvuah.info
ethogxkt.net
euwqeixq.biz
exxcpxm.net
eyjayqmwxxo.org
ezhvnjlvuk.org
fdzwsak.net
gatkcy.org
gceqy.info
ggcnqnr.info
gkmdbporqmp.biz
gmtgpb.org
guiahproe.info
gxepchol.net
gztql.net
haqrcz.com
hkqrhqev.com
hndrijmu.org
hvxmlcc.org
idahdfyojhz.com
ipbdwihw.info
iquvtfhm.net
irhtphctgn.com
ivouyvxaf.net
jfvyipo.info
jhhwydtk.com
jjbuafs.info
jptplynb.org
jutsyu.com
kagvjo.com
kfzksydrct.org
khvdkdjnrhr.biz
ktivtbse.net
lbori.com
ltxbrwfosrg.net
mhjhb.com
mtqcpiwod.biz
nsjmewgdb.com
ntshnjyxfh.net
nxphotp.com
ocykqj.biz
oenjrcaly.net
oororgpkbp.com
ozlqvnkiq.net
palrw.org
pmotqmf.com
pvuxb.info
qffszcfgyzn.org
qfoilcqp.com
qjafgfp.net
rfduzjbztg.biz
riuvunis.info
rlbidexd.org
rntbogfz.biz
rtkrhxsp.biz
ruolomicarp.org
rxytvgkapvw.biz
safxg.net
sdxkcnzcvhd.org
shbyxebiec.biz
srsoeggve.org
tbkmloh.net
tezjm.net
tilazlfn.com
tqlxquy.org
trxho.org
uiiwmmgr.com
upyuqxpmlxt.net
vdunf.net
vtewiyny.info
vuahzmvf.biz
vweoof.org
wkjhjr.com
xehlydgan.net
xmmzcsqm.biz
xtjejduc.org
xxwoteojg.biz
xytbvkrqhu.info
ybhufq.net
yenhbrt.biz
yfczve.info
ylfamhcgn.net
ylzbgyorfy.org
ysxbkquj.info
ythekdrar.net
yudxsol.org
yzbvrteij.biz
yzpjvpkdtq.biz
zjxuw.org
zpqhr.biz
zuuroktw.biz
zzkjecmf.com

A reference file from http://www.maxmind.com//GeoIP.dat.gz is also accessed by Conficker.

Note: Security researchers have also discovered that Conficker has backdoor functionality which may have aided in the vast spread of Conficker among millions of computers around the world. In this process Conficker starts a HTTP server on the affected computer by opening a random port. This process allows a copy of Conficker to be downloaded by target systems.

We want to know if you have experienced the Conficker Worm. Post your experienced below.