Conficker Worm Removal


UPDATE 4/10/2009: Reports are coming in identifying SpywareProtect2009 as another of the specific scareware tactics being used after Conficker's latest update. The victim receives a warning and is prompted to purchase the removal tool for $49.99, then the download streams in from Ukraine. Do not under any circumstances follow instructions from one of these prompts.

Making its first appearance in late October of 2008, the Conficker worm is due to morph from its current developmental stage and sprout wings on April Fools' Day 2009. Is it a big deal? Big enough for Microsoft to put a bounty on the head of this outlaw and its creator, to the tune of $250,000.00. Big enough for the Department of Homeland Security to release an announcement and provide a removal tool for its federal, local, and state governments and commercial vendors.

This worm is considered extremely dangerous and has already infected between 9 million and 15 million systems. Known to save a copy of its .dll files to random files in the Windows System folder, it then loads each time you boot Windows.

Once a system is infected, the worm can disable system devices, reset and remove restore points, and stop automatic updates. This is in addition to stopping Windows security, Windows Defender and Error Reporting. This worm possesses the latest technology to help spread its destruction and avoid detection and removal. On April 1st, this nasty worm will emerge and return to its creator for even more instructions.

All of this leads to a sluggish and unresponsive system that prevents the user from navigating to any website that offers useful help. That's right, trying to access sites like PC Pitstop, Avast, and Malwarebytes is almost impossible after being infected.

I suggest that everyone who reads this go to Microsoft Updates and be sure you have all the latest security updates. Every neighbor within walking distance has asked for help removing the first wave of this insidious threat. Teachers and students alike have been ringing my doorbell with laptops in tow. I’m curious to see what happens when the April 1st emergence date arrives. Will the seemingly cleaned systems spring forth with the mutated worm? It won’t be long before we know.

What to do? First, install all Microsoft security updates. Then, in an effort to beat the bug to the punch, make sure your antivirus definitions are up to date. If you haven't done so already, download the free Malwarebytes or Avast trial in case you do become infected. I can speak first hand to the issue of being able to navigate to helpful sites. Once infected, it's a must to get help quickly. Be aware that you need to download and run the tool while in Safe Mode with Networking, then again with System Restore turned off. Just don't forget to turn it back on and set a restore point when done. With Avast you will be prompted to check the system memory and also the boot sector on reboot. Be sure to do both, as they are definitely known hiding places.

Known As

Conficker

win32 Conficker

Win32 Downup

ConfickerA

Net Worm Kido

Affected Systems

Windows 2000

Windows XP

Windows Vista

Windows Server 2003

Windows Server 2008 (beta thru RC)

Windows 7 beta (all beta versions)

Type

Worm/Virus

Means Of Infection

No MS Patch

Previously infected system on network

AutoPlay enabled

Weak Password Protection
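
The symptoms and infection routes listed above can be checked on a single machine with a read-only script. This is an added example, not part of the original article; it assumes Windows PowerShell, the standard service names wuauserv, wscsvc, WinDefend, ERSvc and WerSvc, and a -PatchId value that you supply from the MS08-067 bulletin for your Windows version.

```powershell
# Added example, not from the original article. Read-only triage for Windows PowerShell.
param(
    # KB identifier of the MS08-067 update for this Windows version (supplied by you).
    [string]$PatchId = ''
)

$findings = @()

# Services the article says the worm stops: automatic updates, Security Center,
# Windows Defender, Error Reporting (ERSvc on XP/2003, WerSvc on Vista and later).
foreach ($name in 'wuauserv', 'wscsvc', 'WinDefend', 'ERSvc', 'WerSvc') {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) { continue }   # service does not exist on this Windows version
    # Manual-start services are often stopped on a healthy system, so only
    # flag services that are disabled, or set to Auto but not running.
    $stoppedAuto = ($svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running')
    if ($svc.StartMode -eq 'Disabled' -or $stoppedAuto) {
        $findings += "Service $name is $($svc.State), start mode $($svc.StartMode)"
    }
}

# AutoPlay: 0xFF in NoDriveTypeAutoRun disables it for every drive type.
# Only the machine-wide policy is read here; a per-user value may also exist.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policy = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
if ($null -eq $policy -or ($policy.NoDriveTypeAutoRun -band 0xFF) -ne 0xFF) {
    $findings += 'AutoPlay is not disabled for all drive types (NoDriveTypeAutoRun)'
}

# Missing MS patch: look the update up in the installed hotfix list.
if ($PatchId -eq '') {
    $findings += 'MS08-067 check skipped: pass -PatchId with the KB number for this system'
} elseif (-not (Get-HotFix -Id $PatchId -ErrorAction SilentlyContinue)) {
    $findings += "Update $PatchId (MS08-067) is not listed as installed"
}

if ($findings.Count -eq 0) {
    'None of the listed symptoms or exposure points were found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

An empty result only means these particular settings are intact, so the scans described above are still needed.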

Good luck and keep your worm defenses up!

______________________________________________________________________________________________________________________

Links and Tools

Microsoft Removal Tool

Password


Turn Off Autoplay

MS Worm Removal

Avast Free Edition

Malwarebytes

MS08-067 Patch

Sunbelt Vipre Technology

PC Pitstop Exterminate Free Scan

Department of Homeland Security
