Home of the World Famous VIRUS BUSTERS

Notes On The Conficker Worm

March 31, 2009

In November 2008, a new worm was discovered; it was named W32/Conficker.A. Subsequent variants have been named W32/Conficker.B and W32/Conficker.C. These worms exploited the MS08-067 Microsoft Windows vulnerability, which was patched by Microsoft on Tuesday, October 14 2008 -- before the Conficker worm was released. In other words, this worm would have been a non-issue if everyone applied Windows Updates promptly.

But of course, many people worldwide do not apply Windows Updates promptly, or have versions of Windows for which updates fail ("pirated" versions are reported not to update, but I've never tested that). So a lot of machines world-wide got infected, although at the University -- where people seem to be good both about updating Windows, and about using antivirus software -- it appears that Conficker has been very rare indeed.

Conficker.C, discovered in March 2009, has a method of updating itself that starts to take effect on April 1 2009. This has generated a whole lot of media attention. In the opinions of many antivirus experts world-wide, however, the media "gloom-and-doom" is unlikely to represent what will actually happen.

So while it is important to keep Windows updated and to have top-quality antivirus software -- and to keep that antivirus software updated also -- the world probably won't end on April 1 2009, at least not because of Conficker. As a colleague of mine said, "If the world DOES end, we'll let you know." ;-)

What are the important points?

  • Make sure your Windows Updates are current. Now, and all the time. This is done most easily by letting Windows install its updates automatically.

  • Install VirusScan or other top-quality antivirus software.

  • Make sure that your antivirus software has current virus definitions. For VirusScan, do this by right-clicking on the VirusScan icon in the System Tray and selecting [About VirusScan Enterprise]; it should report DATs that are no more than one day old, even on weekends.

    As of this writing on March 31 2009, it should report "VirusScan Enterprise + Anti-Spyware Module 8.5i", with the 5300 engine, the 5570 DATs (released March 31 2009), and Patch 6. Older DATs handle all known Conficker variants, and have almost as soon as variants were discovered, so you've probably been protected for months if you're using the U-M build of VirusScan - but better yet to have the most recent ... even if those newer virus definitions mostly are protecting you against things other than Conficker.

That pretty much covers it.

For an excellent discussion in layman's terms of what Conficker is and, perhaps more important, is not, see F-Secure's writeup.

   -BPB

If you'd like to pass this information along to others, I suggest that you provide a pointer to this URL (http://virusbusters.itcs.umich.edu/conficker.html)

For virus or hoax info, please see our main page (http://virusbusters.itcs.umich.edu/) or go to another reputable site, like The Urban Legends Reference Pages.

 

by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)

ITS | University of Michigan
Copyright © 1996-2008 The Regents of The University of Michigan

This page last updated March 31, 2009