Downadup/Conficker Worm Removal Tools

Understanding and Defeating the Conficker Worm

Conficker (also known as Downadup, Downup and Kido) is a computer worm that targets all major Windows operating systems. The first variant of Conficker, discovered in early November 2008, propagated through the Internet by exploiting a vulnerability in a network service (MS08-067) on all versions of Windows. A second variant of the worm, discovered in December 2008, added the ability to propagate over LANs through removable media and network shares. The known symptoms of the worm include large numbers of invalid logons and account lockouts, a “The page cannot be displayed” message in the web browser, and a few more.

Because this worm tries to log in to network shares with weak administrator passwords (a dictionary-based, brute-force attack) to gain control over systems, one result is a large number of account lockouts. The freeware Netwrix Account Lockout Examiner tool detects and alerts on lockouts in real time and identifies which computers they are coming from, helping you identify the presence of the worm and mitigate its impact.

Known Symptoms

  1. The message "The page cannot be displayed" appears when you try to navigate to certain websites, such as microsoft.com, mcafee.com and trendmicro.com, that can help you combat the Conficker worm. This happens because the worm blocks some strings in DNS requests. This issue can be solved by using a proxy server.
  2. Unusually large numbers of invalid logons and account lockouts occur on many computers. These are caused by the worm’s brute-force attacks.
  3. A hidden Autorun.inf file is created on removable media and network drives as the worm tries to spread itself around.
  4. A randomly named Windows service appears in the list of services to start automatically during system boot.

Hotfixes

Use one of these URLs to download a Conficker removal tool. Be sure to use a proxy server to perform the download.

Account Lockouts

Netwrix Account Lockout Examiner helps you respond effectively to some of the consequences of Conficker/Downadup propagation. The product tracks all account lockouts in real time so you can quickly identify infected machines, install required hotfixes, unlock accounts in bulk and launch a Conficker removal tool. This freeware tool also helps you identify the root cause of each account lockout so that you can separate worm-related lockouts from "normal" account lockouts caused by issues such as improperly mapped network drives, services and scheduled tasks using stale credentials, and so on.
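
The separation of worm-related lockouts from routine ones described above can be illustrated with a short triage script. This is an added example, not Netwrix's code or part of the original page; the record format, host and account names, the 10-minute window and the four-account threshold are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <locked account> <caller computer>".
# These fields mirror what Windows lockout event 4740 records on a DC.
SAMPLE = """\
2009-01-12T09:00:05 jsmith WS-017
2009-01-12T09:00:41 administrator WS-017
2009-01-12T09:01:10 mbrown WS-017
2009-01-12T09:02:02 akhan WS-017
2009-01-12T09:02:30 tlee WS-017
2009-01-12T08:15:00 svc_backup FILESRV2
2009-01-12T10:15:00 svc_backup FILESRV2
2009-01-12T12:15:00 svc_backup FILESRV2
2009-01-12T09:30:00 jsmith LAPTOP-22
"""

def parse(text):
    """Yield (time, account, caller_computer) from the assumed line format."""
    for line in text.splitlines():
        if line.strip():
            ts, account, host = line.split()
            yield datetime.fromisoformat(ts), account.lower(), host.upper()

def peak_accounts(events, window=timedelta(minutes=10)):
    """Per caller computer: most distinct accounts locked within one window."""
    by_host = defaultdict(list)
    for ts, account, host in events:
        by_host[host].append((ts, account))
    peaks = {}
    for host, evs in by_host.items():
        evs.sort()
        start = peak = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            peak = max(peak, len({a for _, a in evs[start:end + 1]}))
        peaks[host] = peak
    return peaks

def suspects(events, min_accounts=4):
    """Hosts locking out many different accounts at once (dictionary-attack
    pattern); one account locked repeatedly points to stale credentials."""
    peaks = peak_accounts(events)
    return sorted(h for h, n in peaks.items() if n >= min_accounts)

if __name__ == "__main__":
    print(suspects(parse(SAMPLE)))
```

In the constructed data, WS-017 locks out five different accounts within three minutes and is flagged, while FILESRV2 (one service account locked repeatedly over hours) and LAPTOP-22 (a single lockout) are not.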