Conficker, Downadup, and Kido Worm Infects Millions of Computers Worldwide

Posted: January 27, 2009

According to security researchers, the Conficker Worm has caused a serious worldwide epidemic by infecting close to 10 million computers around the world.

Security researchers and news publications have deemed the Conficker Worm "a new digital plague," and that is just what it is if you consider the fact that it has infected almost 10 million computers worldwide. There is still speculation as to who may have programmed this infection and what may take place with any newer versions in the future.

We have laid out several details about the Conficker worm including a link to a removal tool that helps you automatically remove the Conficker Worm from your computer.

Removal of Conficker Worm

The Conficker worm can be successfully removed from a Windows system. The free Conficker Removal Tool listed below is recommended so that all directory locations of the worm can be identified and then safely removed from the affected system.

Free Conficker Removal Tool (Recommended)


Download Free Conficker Removal Tool.
  • Press the "Proceed" button in the program to start the first step on removing Conficker.
  • Continue the step-by-step instructions until you've successfully removed the Conficker Worm.

Conficker Worm Aliases

Conficker, Conficker Worm, Win32/Conficker, Win32/Conficker.A, Win32/Conficker.AA, Downadup, W32.Downadup.

Type of Computer Infection

Conficker has been classified as a worm that exploits the MS08-067 vulnerability in order to spread.

Affected Computers

Conficker is known to affect personal computers and network systems running the Windows operating system. Versions of the Windows operating system affected include Windows 2000, Windows NT, Windows XP, Windows Server 2003 and Windows Vista.

Conficker Worm Symptoms

The Conficker worm may drop copies of itself to the following file locations:

%Temp%\[Random].dll
%System%\[Random].tmp
%Temp%\[Random].tmp
%Program Files%\Internet Explorer\[Random].dll
%Program Files%\Movie Maker\[Random].dll
%All Users Application Data%\[Random].dll

In addition to affecting the files above, Conficker may perform the following malicious actions:

  • Block access to security related web sites.
  • Block access to other domains related to Conficker repair or removal information such as certain Microsoft pages.
  • Create additional autorun.inf files.
  • Create scheduled tasks.
  • Create registry keys in specific files and registry keys with empty permissions.
  • Perform a network portscan on port 445.
  • Disable security services that may be running on the infected system.

The following registry entries may be modified by the Conficker infection:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
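
One way to triage for the registry pattern and drop locations listed above, as an added example that is not part of the original article: parse the text output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` and flag services that run under `svchost.exe -k netsvcs` with a ServiceDll in a listed drop location or with no readable ServiceDll. The sample output, the service names `xkqpwz` and `vbnrte`, and the function names are constructed for illustration.

```python
import re

# Drop locations from the article as lower-case path fragments (assumption).
DROP_DIR = re.compile(r"[\\%]temp[\\%]|\\internet explorer\\|"
                      r"\\movie maker\\|\\application data\\")
VALUE = re.compile(r"^\s+(\S+)\s+REG_\w+\s+(.*)$")

# Constructed sample of `reg query ... /s` output; service names are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\qmgr.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqpwz
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqpwz\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Program Files\Movie Maker\hfyqa.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbnrte
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs
"""

def parse_reg_query(text):
    """Map each key in the output to a dict of {value name: data}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and (m := VALUE.match(line)):
            current[m.group(1).lower()] = m.group(2).strip()
    return keys

def suspicious_services(text):
    """Flag netsvcs services with a missing or drop-location ServiceDll."""
    keys, hits = parse_reg_query(text), []
    for key, values in keys.items():
        image = values.get("imagepath", "").lower()
        if "svchost.exe" not in image or "-k netsvcs" not in image:
            continue
        name = key.rsplit("\\", 1)[-1]
        dll = keys.get(key + "\\Parameters", {}).get("servicedll")
        if dll is None:  # assumption: may mean stripped key permissions
            hits.append((name, None, "servicedll-unreadable"))
        elif dll.lower().endswith(".tmp") or DROP_DIR.search(dll.lower()):
            hits.append((name, dll, "drop-location"))
    return hits
```

A randomly named DLL placed directly in the System32 directory cannot be told apart from a legitimate one by path alone, so a clean result here does not rule out infection.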

Method of Infection

The Conficker worm creates a copy of itself in a variable location in the %System% directory for Windows. The default %System% directories for different versions of Windows are as follows:

  • Windows NT and Windows 2000 - C:\Winnt\System32
  • Windows 95, 98, ME - C:\Windows\System
  • Windows XP and Windows Vista - C:\Windows\System32

How does Conficker Spread?

Conficker exploits the Microsoft server service vulnerability MS08-067 which was first reported back in October of 2008. The patch applied by Microsoft in October 2008 does not eliminate the threat of the current Conficker worm infection. Conficker is also known to be spread through USB flash drives or over networked systems.
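
The port 445 scanning listed under symptoms and the network spread described here show up in connection logs as one host contacting many peers on TCP/445 in a short time. The following is an added detection sketch, not part of the original article; the log format (`timestamp src dst proto dport`), the addresses, the one-minute window and the threshold of five hosts are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one host sweeping eight peers on 445 within seconds,
# and one host talking to a single file server over several minutes.
SAMPLE = [f"2009-01-27T10:00:{i:02d} 10.0.0.23 10.0.0.{i + 1} tcp 445"
          for i in range(8)]
SAMPLE += [f"2009-01-27T10:0{i}:00 10.0.0.40 10.0.0.5 tcp 445"
           for i in range(6)]
SAMPLE += ["2009-01-27T10:00:30 10.0.0.40 192.0.2.10 tcp 80"]

def smb_fanout(lines, window=timedelta(minutes=1), threshold=5):
    """Return {src: peak count of distinct TCP/445 destinations seen inside
    any sliding `window`} for sources that reach `threshold`."""
    events = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, src, dst, proto, dport = parts
        if proto == "tcp" and dport == "445":
            events[src].append((datetime.fromisoformat(ts), dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in evs[start:end + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged
```

Domain controllers and file-server clients legitimately open many SMB sessions, so the threshold needs tuning against a baseline of the network being monitored.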

Conficker Worm Payload

Conficker has the ability to download and execute arbitrary files. After December 1st, 2008, Conficker connects to the domain trafficconverter.biz to download and execute a malicious file from the location http://trafficconverter.biz//loadadv.exe. The infection also attempts to access a list of additional domain names. [source: ca.com]

A reference file from http://www.maxmind.com//GeoIP.dat.gz is also accessed by Conficker.

Note: Security researchers have also discovered that Conficker has backdoor functionality which may have aided in the vast spread of Conficker among millions of computers around the world. In this process Conficker starts an HTTP server on the affected computer by opening a random port. This process allows a copy of Conficker to be downloaded by target systems.

We want to know if you have experienced the Conficker Worm. Post your experience below.

22 Comments

  • mark says:

    the microsoft word keeps on coming back into desktop even if I deleted it so many times. my internet explorer suddenly not working properly my system begins to slow down. it just keeps on overwriting my system. is this a conficker worm if not can you help eliminate this kind of virus. your attention is greatly appreciated.

  • Brigitte Card says:

    The malware my other computer is infected with is : Win PC defender.
    It does not allow me to get onto the internet and I was told it had to go to the repair shop.
    Is there any kind of CD to clear it out of my PC.

  • tom says:

    i was infected by system security 2009 after going to homevalues.com

  • tom says:

    recently i had avg 8.5 installed and still have a problem with system security 2009 after using conficker. can you help me? before avg 8.5 i had mcafee no problems which is better? please send me an e-mail answer? i get pop ups
    and can't use avg.

  • Crystal says:

    I have removed personal anti virus from my programs, but now every time I try to go to facebook or myspace it blocks it and I can't get rid of it. Please help me???

  • carol says:

    i can not find winpc antivirus that keeps showing up on my computer and will not allow me to go to other sites, i can not find it on downloaded programs etc. how would i clear it.

  • Alan Hetherington says:

    I can't get rid of Backdoor.tidserve, any ideas?

  • PAULA says:

    PLEASE HELP THEY ARE SENDING PORN OUT TO KIDS

  • Protasius Hardono Hadi says:

    I was informed that my computer is infected by 98 viruses in "tracking cookies", and I do not know much about computers. Please remove all the viruses.
    Thanks

  • Tiziana says:

    The access to my email is always denied, I can't read the post, because I get disconnected.
    Please help me, thanks.

  • phil says:

    HI BUD I CAN'T UNINSTALL CYBER SECURITY FROM MY COMPUTER CAN U HELP ME

  • Vincent says:

    For a start, get some decent anti-virus software. The free stuff ain't going to cut it! Heck, Anything up to $40.00 Australian Dollars per year is a pretty cheap insurance. First priority is have protection! I've used Trend for over 8 months and never had a problem with my PC. And the updates come in daily and don't interfere with what you're doing. However, I am a PC Bench Technician and I maintain my PC regularly. Keep a log book just for your PC. If it has any unusual problems or behaviours, write it down immediately! That way you can see or reveal an unusual pattern. Laziness is usually the fault of the problem. If you don't want problems, you must be alert and note down events. Without a history you don't know of how or when the problem began. I hope this helps you lot to keep you on your toes?

  • Leanne says:

    I can not use any of the applications to remove the security tool, because security tool blocks all attempts. I can not get to any of my files, or use any of Vista, internet, after several attempts, no FB, basically my computer and all programs are being held hostage.

    What is my solution?

  • dianne says:

    how can I get rid of those cookies? whenever I run my anti spyware it always appears even if I clean it always

  • gisleida says:

    I can not use any of the applications to remove the security tool, because security tool blocks all attempts. I can not get to any of my files, or use any of Vista, internet, after several attempts, no FB, basically my computer and all programs are being held hostage. I have McAfee but the security tool do not let me open to scan my computer.
    I really need help!

  • Count says:

    good advice Vincent!, most problems stem from lack of AV in which case yes install av / removal tools, update and scan / run tools in safe mode.
    Or scan the hard disk in or from another pc (physically or scan over network \\pc\c$ with administrator privileged login)
    There's plenty of good virus removal procedures out there.
    For immediate block virus sending Spam, block port 25 (in router) and log for more information.
    Shame some AV programs have not done their job to detect this trojan?

    Hope this helps
    if not backup and rebuild. or go somewhere they can help.
    bye.

  • Robert D, says:

    Unable to run free search . BELIEVE PROBABLE INFECTION WITH antispyware soft platinum. WHAT NEXT TO REMOVE?

  • Robert D, says:

    Spyhunter detection will not run. Blocked by Antispyware Soft Platinum infection?

  • karim says:

    it is a good product

  • t.j.p. says:

    Reply to Robert D: I was once infected with antispyware soft, and it blocks SpyHunter, unless you are in safe mode.

  • HeC says:

    Can absolutely relate to all of the above. Have been battling for a few weeks, it even set up a new system password and locked me down. Good luck, everyone. I think somebody needs a butt kickin'!

  • Patric says:

    Which one is the best Spamware ? I use Norton for my server security but it takes load of memory 🙁 so I want something which takes less memory and as effective as Norton.
    Thanks beforehand for your suggestions.
