Stay Smart Online

What is Conficker/Downadup and what should I do if I think I am infected?

What is Conficker/Downadup?

Conficker/Downadup is a malicious computer worm. It spreads in three ways: by using a bug in Microsoft Windows operating systems, by guessing simple passwords for computer accounts, and through infected removable storage (e.g. USB flash drives). (read more on the Wikipedia Conficker page)

What will it do and when will it do it?

Currently people do not know exactly what Conficker will do. On the 1st of April 2009 some versions of Conficker will attempt to contact various random web sites. This may allow the creators of Conficker to give instructions to the infected systems. (read more on the F-Secure Q&A)

What are the signs of infection?

  • Users may not be able to log into their computer accounts
  • Windows update may be disabled
  • Common anti-virus products may be disabled
  • Access to many security-related websites may not work, including, but not limited to: Microsoft, Symantec, Sophos, McAfee and Trend Micro.

Two web pages are available to help check whether you are infected. The first is designed to display just a green tick (not infected) or a yellow warning (possibly infected) image. The second will display various logos from web sites that Conficker attempts to block. If images are missing then you may be infected. The second site gives more details about what different images mean if they are present or missing.

1) http://iv.cs.uni-bonn.de/fileadmin/user_upload/werner/cfdetector/
2) http://www.confickerworkinggroup.org/infection_test/cfeyechart.html
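The idea behind the second test page can also be sketched as a script: compare lookups of security-vendor sites with lookups of unrelated control sites. This is an added example, not code from Stay Smart Online or either test page; the exact hostnames and the choice of control sites are assumptions made for illustration.

```python
import socket

# Vendors the page names as blocked; the exact hostnames are assumptions.
BLOCKED_BY_CONFICKER = [
    "www.microsoft.com", "www.symantec.com", "www.sophos.com",
    "www.mcafee.com", "www.trendmicro.com",
]
# Control sites unrelated to security (assumed choice, not from the page).
CONTROLS = ["www.wikipedia.org", "www.example.com"]


def system_resolves(host):
    """Return True if the operating system can resolve `host`."""
    try:
        socket.getaddrinfo(host, 80)
        return True
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def check_symptom(resolves=system_resolves,
                  blocked=BLOCKED_BY_CONFICKER, controls=CONTROLS):
    """Compare security-vendor lookups against control lookups.

    Returns (verdict, failed_hosts), where verdict is one of
    "no-sign", "possibly-infected" or "inconclusive".
    """
    failed_controls = [h for h in controls if not resolves(h)]
    failed_blocked = [h for h in blocked if not resolves(h)]
    if failed_controls:
        # General network or DNS trouble: a failed vendor lookup proves nothing.
        return "inconclusive", failed_controls + failed_blocked
    if failed_blocked:
        # Only security sites fail: matches the symptom listed above.
        return "possibly-infected", failed_blocked
    return "no-sign", []


if __name__ == "__main__":
    verdict, failed = check_symptom()
    print(verdict, failed)
```

A "no-sign" result only means this one symptom is absent; it does not show that the computer is clean.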

What to do if you think you are infected?

If you think your computer may be infected, removal software is available. The following is a list of some of the Conficker removal tools. Conficker attempts to stop users connecting to some web sites, so if you cannot access one of the sites listed below, try the next one. The first two are currently the least likely to be blocked by Conficker.

If none of the sites work, you could download the tools from a different (non-infected) computer, and copy them to the infected computer. Make sure you have an up-to-date virus scanner on the uninfected computer before copying any files between computers. This is extremely important if you use a USB flash drive, as the drive itself may get infected with Conficker.

What can I do in the future?

There are quite a few different ways you can help secure your computer. Some of the main ways are:

  • Keep your computer software up to date (always install patches and fixes)
  • Run an up-to-date virus scanner
  • Run a firewall
  • Be careful when dealing with attachments and links in emails (if in doubt call or email the person about the attachment or link)

Stay informed by signing up to the Stay Smart Online Alert Service. Here you will receive occasional emails about bug fixes to install and nasties to avoid (see the previous Advisory about Conficker). These Alerts and Advisories are also available via the website. You can find further information and details about keeping your computer safe from the Fact Sheets and Newsletters.

 
