Conficker Estimated To Have Infected Over 5 Million Computers Worldwide

Conficker is a computer worm that originally surfaced in October 2008 and targets the Microsoft Windows operating system. The worm exploits a previously patched vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta, and Windows Server 2008 R2 Beta.

The worm uses a variety of techniques making it unusually difficult to eradicate. The worm’s authors, while unknown, are believed to be tracking network operator and law enforcement anti-malware efforts and regularly release new variants to close the worm’s own vulnerabilities. It is estimated that Conficker has more than five million computers now under its control across government, business and home computers in more than 200 countries.

To start itself at system boot, the worm saves a copy of its DLL form to a random filename in the Windows system folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service. There are five main variants of the Conficker worm, which are known as Conficker A, Conficker B, Conficker C, Conficker D and Conficker E. Variants A, B, C and E exploit a vulnerability in the Server Service on Windows computers, in which an already-infected source computer uses a specially-crafted RPC request to force a buffer overflow and execute shellcode on the target computer. On the source computer, the worm runs an HTTP server on a port between 1024 and 10000; the target shellcode connects back to this HTTP server to download a copy of the worm in DLL form, which it then attaches to svchost.exe. Variants B and later may attach instead to a running services.exe or Windows Explorer process.

Variants B and C can remotely execute copies of themselves through the ADMIN$ share on computers visible over NetBIOS. If the share is password-protected, a dictionary attack is attempted, potentially generating large amounts of network traffic and tripping user account lockout policies. Variants B and C place a copy of their DLL form on any attached removable media (such as USB flash drives), from which they can then infect new hosts through the Windows AutoRun mechanism.
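Two of the propagation behaviours described above leave a recognisable trace in connection logs: an RPC request to port 445 followed shortly by the target connecting back to the source on a port between 1024 and 10000, and a burst of failed SMB logons from one host against its neighbours. The following is an added example written for this page, not code from the original article or from any vendor tool it mentions; the log records, IP addresses, 30-second window and failure threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed connection-log records: (ts, src_ip, dst_ip, dst_port, event).
# event is "conn" for a completed TCP connection or "smb_auth_fail" for a
# failed SMB logon (e.g. a password guess against ADMIN$). Not real telemetry.
SAMPLE_LOG = [
    (100, "10.0.0.5", "10.0.0.9", 445, "conn"),    # RPC request to Server service
    (101, "10.0.0.9", "10.0.0.5", 4433, "conn"),   # target connects back to worm HTTP server
    (150, "10.0.0.7", "10.0.0.9", 445, "conn"),    # ordinary file-share access
    (151, "10.0.0.9", "10.0.0.7", 80, "conn"),     # port 80 is outside 1024-10000, not flagged
    (160, "10.0.0.8", "10.0.0.9", 445, "smb_auth_fail"),  # a couple of typos from a user
    (161, "10.0.0.8", "10.0.0.9", 445, "smb_auth_fail"),
] + [  # 25 failed logons from one host against five neighbours: dictionary attack
    (200 + i, "10.0.0.5", f"10.0.0.{20 + i % 5}", 445, "smb_auth_fail") for i in range(25)
]


def find_connect_back(records, window=30):
    """Return (source, target, port) where source connected to target on 445 and,
    within `window` seconds, target opened a connection back to source on a port
    in 1024..10000: the shellcode fetching the worm DLL from the source's HTTP server."""
    smb_conns = [(ts, s, d) for ts, s, d, p, ev in records if p == 445 and ev == "conn"]
    hits = []
    for ts, s, d, p, ev in records:
        if ev != "conn" or not 1024 <= p <= 10000:
            continue
        for ts0, s0, d0 in smb_conns:
            if s0 == d and d0 == s and 0 <= ts - ts0 <= window:
                hits.append((s0, d0, p))
    return hits


def find_dictionary_attack(records, threshold=20):
    """Return sources with at least `threshold` failed SMB logons, sorted.
    Tune threshold below the domain lockout policy so the alert fires first."""
    fails = defaultdict(int)
    for _ts, s, _d, _p, ev in records:
        if ev == "smb_auth_fail":
            fails[s] += 1
    return sorted(s for s, n in fails.items() if n >= threshold)


if __name__ == "__main__":
    print("connect-back pairs:", find_connect_back(SAMPLE_LOG))
    print("dictionary-attack sources:", find_dictionary_attack(SAMPLE_LOG))
```

A legitimate web server on a high port, or a helpdesk user mistyping a password, can match either heuristic on its own; the two signals are most useful together and alongside the vulnerability patch status of the hosts involved.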

Microsoft has released a removal guide for the worm, and recommends using the current release of its Windows Malicious Software Removal Tool to remove the worm, then applying the patch to prevent re-infection. A number of third-party anti-virus software vendors have released detection updates to their products and some are able to remove the current iterations of the worm. The United States Computer Emergency Readiness Team (US-CERT) recommends disabling AutoRun to prevent Variant B of the worm from spreading through removable media. US-CERT has also made a network-based tool for detecting Conficker-infected hosts available to federal and state agencies. RiskAnalytics has been identifying and shunning the Conficker variants since the original inception through its CYBER RiskTools Risk Management System.