Cisco Security Intelligence Operations has identified a change in the Conficker worm command and control traffic. Additional analysis about this worm is available.
Aliases/Variants
Variants include W32.Downadup.B (Symantec) and W32.Downadup.C (Symantec).
W32/Conficker.worm is a worm that propagates across the network by exploiting the Microsoft Windows Server service remote procedure call (RPC) request handling code execution vulnerability, which is detailed in IntelliShield Alert 16941. The worm may download and execute additional malicious files on the system.
Upon execution, the worm creates a copy of itself in the \%System% folder using a random filename and a .dll extension. The worm determines whether the infected system is running Windows 2000 and, if so, injects itself into the services.exe process. By injecting its code into this Windows process, the worm may evade security-related applications, because that process is generally treated as trusted.
If the infected system is not running Windows 2000, W32/Conficker.worm creates a service using the following characteristics:
Service name: netsvcs
Path to executable: \%System%\svchost.exe -k netsvcs
The worm starts an HTTP server by opening a randomly chosen port between 1024 and 10000 and listens for incoming connections. The worm accomplishes this by using APIs to bypass the Windows Firewall. The worm also terminates the Internet connection sharing service.
The worm then connects to the domain trafficconverter.biz and attempts to download additional files. One of the known files is loadadv.exe. Once downloaded, the worm executes the files on the system. The worm may also contact the http://www.maxmind.com domain and download the geoip.dat.gz and geoip.dat files.
W32/Conficker.worm attempts to obtain the public IP address of the infected machine by connecting to one of the following sites that are used to determine the IP address of visitors:
www.getmyip.org
getmyip.co.uk
checkip.dyndns.org
By obtaining the IP address of the machine, the worm is able to determine the computer's geographic location. Reports indicate that the worm avoids infecting Ukrainian-located machines. The worm contacts the following sites to determine the current date:
Based on the dates that are obtained from these sites, W32/Conficker.worm then downloads files from certain domains. The worm creates a mutex on the system to ensure only one copy of itself is running at a time. The format of the mutex is Global\%random numbers%.
Virus definitions are available.
Impact
W32/Conficker.worm is exploiting the Microsoft Windows Server service RPC request handling code execution vulnerability to propagate to all vulnerable machines on the network. The worm starts an HTTP server, downloads and executes potentially malicious files, and modifies the system registry.
Warning Indicators
The presence of the file loadadv.exe may indicate an infection.
Outgoing connections to any of the following websites could also indicate an infection; however, it should be noted that such sites used to obtain your IP address are legitimate:
The worm also adds the value ImagePath = "\%operating system drive%\system32\svchost.exe -k netsvcs" to the following registry key as part of the service registration:
In some cases, the %random% value in the above registry addition has been vcdrlxeu; however, this is a random value and will most likely be different.
Virus Name:
W32.Downadup.B (Aliases include Win32/Conficker.B (CA), W32/Downadup.AL (F-Secure), Net-Worm.Win32.Kido.dv (Kaspersky), Net-Worm.Win32.Kido.fx (Kaspersky) and Worm:Win32/Conficker.B (Microsoft).)
Description
W32.Downadup.B is a worm that attempts to prevent the system from accessing certain antivirus and security-related websites. Additionally, the worm disables several security-related applications. The worm propagates through network shares by using a preconfigured set of passwords or by exploiting the Microsoft Windows Server Service Remote Procedure Call Request Handling Code Execution Vulnerability, which is described in IntelliShield Alert 16941.
When executed, the worm searches the registry for certain keys and, if they are absent, creates entries for them. W32.Downadup.B then creates copies of itself as %random file name%.dll in the following locations:
\%ProgramFiles%\Internet Explorer
\%ProgramFiles%\Movie Maker
\%System%
\%Temp%
C:\Documents and Settings\All Users\Application Data
The worm also modifies the registry to ensure the worm runs each time Windows starts. W32.Downadup.B then searches for any user-created System Restore points and deletes those entries.
The worm creates a service with the following properties:
The worm also registers itself as a service. W32.Downadup.B selects a display name for this service by combining two of the following words:
Boot, Center, Config, Driver, Helper, Image, Installer, Manager, Microsoft, Monitor, Network, Security, Server, Shell, Support, System, Task, Time, Universal, Update, Windows
On Microsoft Windows Vista systems, the worm disables the TCP/IP auto-tuning to propagate quickly. The worm also modifies the registry to spread over the network in a faster manner.
W32.Downadup.B may terminate the following Windows services:
Background Intelligent Transfer Service (BITS)
Windows Automatic Update Service (wuauserv)
Windows Security Center Service (wscsvc)
Windows Defender (WinDefend)
Error Reporting Service (ERSvc)
Windows Error Reporting Service (WerSvc)
On Windows XP SP2 and later, the worm modifies the tcpip.sys file in the \%System%\Drivers folder in an attempt to disable the half-open connections limit. The worm then modifies the registry to attempt to hide its actions on the infected system.
W32.Downadup.B locates available ADMIN$ shares and attempts to connect to them by using a preconfigured list of common, weak passwords.
Once connected, the worm copies itself to the \%share name%\ADMIN$\System32 folder on the share as %random file name%.dll. The worm uses the following command to place a scheduled job on the share that will execute each day:
Once the address is obtained, the worm places a firewall rule on the gateway device to allow the attacker to connect and download files from the infected system using a random port between 1024 and 10000. The worm also creates an HTTP server on a random port using the following format:
http://%external IP address%:%random port%
The worm then sends this URL to remote systems.
The worm may copy itself to mapped drives as %random file name%.dll to the \%DriveLetter%\RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d folder. The worm may also create an autorun.inf file in all drives to ensure it runs each time the drives are accessed. W32.Downadup.B monitors the system for new drives, and if they are located, attempts to infect those drives.
The worm may attempt to hook certain Windows API calls to propagate. The worm may also hook the NetpwPathCanonicalize API to prevent itself from continually exploiting the previously mentioned Microsoft vulnerability. The PathName may contain a signature that provides the worm with an encrypted URL to download and execute a file.
If the system date has exceeded January 1, 2009, the worm creates a list of domain names using the following format: %generated domain name%.%top level domain%. The %top level domain% is chosen using one of the following domains:
.biz, .info, .org, .net, .com, .ws, .cn, .cc
The %generated domain name% is randomly generated by the worm, but the following domain names have been associated with this infection:
The worm then attempts to access the domain using the following URL: http://%generated domain name%.%top level domain%/search?q=%d. If successful, the worm downloads an updated copy of itself from this remote location.
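The advisory describes three network indicators that a proxy or DNS log can be searched for: contact with the public-IP lookup sites listed for W32/Conficker.worm, the http://%external IP address%:%random port% server URL with a port between 1024 and 10000, and update requests of the form http://%generated domain name%.%top level domain%/search?q=%d under one of the eight listed TLDs. The following Python script is an added example, not code from the advisory or from Cisco; it runs those checks over a constructed proxy log. The log format, client addresses, domain labels and the 203.0.113.0/24 addresses are all made up for the example and are not indicators from the advisory.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Top-level domains the advisory lists for the generated domain names.
CONFICKER_TLDS = {"biz", "info", "org", "net", "com", "ws", "cn", "cc"}
# Public-IP lookup sites named in the advisory; legitimate services, but a
# client that contacts them and then walks DGA-style domains is worth a look.
IP_LOOKUP_SITES = {"www.getmyip.org", "getmyip.co.uk", "checkip.dyndns.org"}
# Update-fetch path from the advisory: /search?q=%d, a decimal integer.
SEARCH_PATH = re.compile(r"^/search\?q=\d+$")
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed proxy log: "<timestamp> <client-ip> <method> <url>". Domain
# labels and addresses are invented for this example (203.0.113.0/24 is the
# documentation range), not indicators taken from the advisory.
SAMPLE_LOG = """\
2009-04-02T10:00:01 10.1.2.3 GET http://checkip.dyndns.org/
2009-04-02T10:00:02 10.1.2.3 GET http://qxvtmrk.biz/search?q=1238765
2009-04-02T10:00:02 10.1.2.3 GET http://plwnayzs.info/search?q=1238765
2009-04-02T10:00:03 10.1.2.3 GET http://bmkoe.cc/search?q=1238765
2009-04-02T10:00:05 10.1.2.3 GET http://203.0.113.7:6781/
2009-04-02T10:00:09 10.1.2.4 GET http://www.example.com/index.html
2009-04-02T10:00:10 10.1.2.4 GET http://search.example.org/search?q=conficker
"""


def classify_url(url):
    """Map one requested URL to an indicator category from the advisory, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path + ("?" + parts.query if parts.query else "")
    if host in IP_LOOKUP_SITES:
        return "ip-lookup"
    # HTTP server the worm advertises as http://%external IP address%:%random port%
    if IPV4_HOST.match(host) and parts.port is not None and 1024 <= parts.port <= 10000:
        return "peer-http-server"
    labels = host.split(".")
    # Generated names are a single random label directly under one of the listed TLDs.
    if len(labels) == 2 and labels[1] in CONFICKER_TLDS and SEARCH_PATH.match(path):
        return "dga-search"
    return None


def analyze(log_text):
    """Return {client: {category: set(hosts)}} for every line that hits an indicator."""
    findings = defaultdict(lambda: defaultdict(set))
    for line in log_text.strip().splitlines():
        _ts, client, _method, url = line.split()
        category = classify_url(url)
        if category:
            findings[client][category].add(urlsplit(url).hostname.lower())
    return findings


def suspicious_clients(findings, min_dga_domains=2):
    """Clients that queried several distinct generated domains, or that looked up
    their public address and then offered a peer HTTP server: the sequence the
    advisory describes. Returned sorted so the result is stable."""
    flagged = []
    for client, cats in findings.items():
        dga_hits = len(cats.get("dga-search", ()))
        if dga_hits >= min_dga_domains or ("ip-lookup" in cats and "peer-http-server" in cats):
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for client in suspicious_clients(result):
        print(client, {k: sorted(v) for k, v in result[client].items()})
```

The integer-only check on q= keeps ordinary search-engine traffic (a word in the query, a multi-label host such as search.example.org) out of the results, and a single hit on one generated domain is not reported on its own: a client walking several distinct two-label domains with the same numeric query in a short window is what distinguishes the update-fetch routine from a user's browsing.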
Impact
W32.Downadup.B attempts to prevent the system from accessing certain antivirus and security-related websites and also disables several Windows services. The worm spreads through network shares with weak passwords and also by exploiting the Microsoft Windows Server Service Remote Procedure Call Request Handling Code Execution Vulnerability that is described in Microsoft bulletin MS08-067 and IntelliShield Alert 16941.
Warning Indicators
The presence of the %random file name%.dll file may indicate an infection.
Outgoing connections to any of the following websites could also indicate an infection, but the sites that are used to obtain IP addresses are legitimate:
The worm adds the following values to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%worm generated service name% to register itself as a service:
The worm adds the value %random name% = "rundll32.exe "%random file name%.dll", ydmmgvos" to the following registry key to ensure it runs each time Windows starts:
Virus Name:
W32.Downadup.C (Aliases include Win32/Conficker.C (CA) and W32/Downadup.DY (F-Secure).)
Description
W32.Downadup.C is a trojan that targets systems that are already infected with the Conficker worm. The trojan itself is not a true variant of Conficker; however, it is used as a module to alter the behavior of previously infected systems.
When executed, the trojan disables the following security-related services:
BITS, ERSvc, WerSvc, WinDefend, wscsvc, wuauserv
The trojan also prevents the automatic startup of certain security software applications by modifying the system registry and also prevents the system from starting in safe mode. W32.Downadup.C may terminate processes that contain the following strings in their names:
The trojan modifies the system registry to ensure it runs each time Windows starts. The trojan also creates a service that has an Automatic startup type and the service name is chosen from a combination of the following two lists, respectively:
DM, ER, Event, help, Ias, Ir, Lanman, Net, Ntms, Ras, Remote, Sec, SR, Tapi, Trk, W32, win, Wmdm, Wmi, wsc, wuau, xml
access, agent, auto, logon, man, mgmt, mon, prov, serv, Server, Service, Srv, srv, svc, Svc, System, Time
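Both service-naming schemes in the advisory (the two-word display names of W32.Downadup.B and the prefix+suffix service names of W32.Downadup.C) are small enough to enumerate, which is useful for triaging a service inventory exported from a suspect host. The following Python script is an added example, not code from the advisory or from any vendor; it builds both name sets and scores an inventory against them together with the svchost.exe -k netsvcs ImagePath the advisory gives for the worm's service. The inventory, the baseline of known-good names and the word-joining rule (display words separated by a single space) are assumptions made for the example; the service name vcdrlxeu is the observed value quoted in the advisory.

```python
import itertools
import re

# Word lists quoted in the advisory.
DISPLAY_WORDS_B = ("Boot Center Config Driver Helper Image Installer Manager Microsoft "
                   "Monitor Network Security Server Shell Support System Task Time "
                   "Universal Update Windows").split()
PREFIXES_C = ("DM ER Event help Ias Ir Lanman Net Ntms Ras Remote Sec SR Tapi Trk "
              "W32 win Wmdm Wmi wsc wuau xml").split()
SUFFIXES_C = ("access agent auto logon man mgmt mon prov serv Server Service Srv srv "
              "svc Svc System Time").split()

# ImagePath the advisory gives for the worm's service registration.
NETSVCS_HOST = re.compile(r"svchost\.exe\s+-k\s+netsvcs\b", re.IGNORECASE)

# Constructed service inventory (name, display name, ImagePath) as it might be
# exported from an XP host; the entries are made up for this example.
SAMPLE_SERVICES = [
    {"name": "LanmanServer", "display": "Server",
     "image": r"C:\WINDOWS\system32\svchost.exe -k netsvcs"},
    {"name": "Spooler", "display": "Print Spooler",
     "image": r"C:\WINDOWS\system32\spoolsv.exe"},
    {"name": "wmisvc", "display": "Windows Monitor",
     "image": r"C:\WINDOWS\system32\svchost.exe -k netsvcs"},
    {"name": "vcdrlxeu", "display": "Security Helper",
     "image": r"C:\WINDOWS\system32\svchost.exe -k netsvcs"},
]
# Assumed baseline of service names known to be legitimate on this build.
BASELINE = {"lanmanserver", "spooler", "browser", "wuauserv", "bits", "wscsvc"}


def downadup_b_display_names():
    """Every ordered pair of two distinct list words, space-joined (assumed separator)."""
    return {f"{a} {b}" for a, b in itertools.permutations(DISPLAY_WORDS_B, 2)}


def downadup_c_service_names():
    """Every prefix+suffix concatenation, lower-cased since service names are case-insensitive."""
    return {(p + s).lower() for p in PREFIXES_C for s in SUFFIXES_C}


def triage_services(services, baseline):
    """Return [(name, [reasons])] for services outside the baseline that match at
    least one indicator. More reasons means higher confidence; a name match alone
    is weak because the word lists deliberately reproduce real service names."""
    c_names = downadup_c_service_names()
    b_displays = downadup_b_display_names()
    flagged = []
    for svc in services:
        if svc["name"].lower() in baseline:
            continue
        reasons = []
        if svc["name"].lower() in c_names:
            reasons.append("name is a Downadup.C prefix+suffix combination")
        if svc["display"] in b_displays:
            reasons.append("display name is a Downadup.B two-word combination")
        if NETSVCS_HOST.search(svc["image"]):
            reasons.append("hosted by svchost.exe -k netsvcs like the worm's service")
        if reasons:
            flagged.append((svc["name"], reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_SERVICES, BASELINE):
        print(f"{name}: {len(reasons)} indicator(s)")
        for reason in reasons:
            print("  -", reason)
```

The generated W32.Downadup.C set contains names such as lanmanserver, netman and wuauserv, which are genuine Windows services; that is why the baseline is compared first and why the script reports how many indicators agree rather than a yes/no verdict. The remaining candidates should be confirmed from the registry key the advisory names (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%worm generated service name%) and from the DLL the service loads.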
The trojan patches the following Windows APIs to make DNS requests or request URLs:
W32.Downadup.C monitors DNS requests made to numerous antivirus and security-related domains. The trojan blocks access to such a domain, so to the user the DNS request simply appears to have timed out.
The trojan attempts to contact any of the following websites to obtain the current date and time:
If the current system date is on or after April 1, 2009, the trojan uses the date information obtained to generate a list of domain names. The trojan then contacts the domains in an attempt to download additional malicious code onto the system. The trojan also connects to a P2P network; several UDP connections can be observed when it attempts to establish that connection.
Virus definitions are available.
Impact
W32.Downadup.C is a trojan that targets systems that were previously infected by the Conficker worm. This trojan disables numerous security-related software in an attempt to keep the main Conficker worm installed on the system. The trojan also downloads additional malicious software to the system.
Warning Indicators
W32.Downadup.C creates files with random filenames which can impede identification via filenames. The trojan disables numerous antivirus and security-related tools and utilities, which could indicate that the system is infected.
Personal firewalls may display a notification message when the trojan attempts to connect to the Internet and download files.
Host intrusion detection/prevention system software may display a notification when the trojan attempts to execute or make modifications to the system.
Technical Information
W32.Downadup.C deletes the following registry keys to prevent the automatic startup of Windows Defender and to disable Windows Security Alert notifications:
W32/Conficker.worm, also known as Downadup, received updates that scheduled infected systems to launch attacks against several legitimate domains in March 2009. Security researchers released information that indicated these attacks were targeting jogli.com, wnsux.com, and qhflh.com domains. The wnsux.com domain is run as a secondary domain by Southwest Airlines, which was scheduled to be attacked by the worm on March 13, 2009. A distributed denial of service (DDoS) attack against this domain could have disrupted online check-in as well as other services. The worm has traditionally used a pseudo-random domain name generator, which produced 250 domains a day that infected machines would then try to contact. Now, with the new module and upgraded domain generation algorithm, the worm is able to generate 50,000 domains a day. With these updates, the worm is attempting to avoid detection and protect the use of currently infected machines. Sources also indicate that the operators of the Conficker botnet are selling portions of the botnet to malicious users.
W32.Downadup.B creates an autorun file and copies itself to the root of all devices with mapped storage. The autorun file is used to automatically run a copy of the worm each time an infected drive is accessed or connected to a new system. Worms that use this type of propagation routine do not typically become widespread because the propagation routine is highly dependent on Windows autorun settings. Users must also physically connect infected removable devices to uninfected systems. One of the reasons this propagation routine is so effective in Windows Vista is that the autorun.inf file manipulates the action keyword displayed to the user when the infected device is accessed or connected to a machine. The action keyword reads Open folder to view files, but it is really using the action Install or run program. This social engineering tactic will likely fool many users. This propagation routine also has the ability to bypass well-configured perimeter defenses because the infection could arrive on an unsuspecting employee's USB flash drive.
W32/Conficker.worm and W32.Downadup.B are exploiting the Microsoft Windows Server service RPC request handling code execution vulnerability, which is described in IntelliShield Alert 16941. The worms attempt to spread to other systems that reside on the same local subnet by exploiting this vulnerability.
The W32.Downadup.C variant is, in reality, an update to the main Conficker worm. The variant appears to target systems that have been previously infected with Conficker. Security experts speculate that attackers released the variant to prevent recovery operations on systems that are infected with Conficker. The variant disables numerous antivirus and security-related applications, which would make the diagnostic and recovery efforts extremely difficult. As of April 1, 2009, the W32.Downadup.C variant began polling 500 of 50,000 domains per day. Currently, only limited network activity associated with this new routine has been observed with little or no impact to affected systems or networks.
As of April 8, 2009, the Conficker botnet downloaded an update that exhibits more similarities with the Waledac botnet, which is described in IntelliShield Alert 17327. The new update has Conficker and Waledac both contacting the same domains to obtain updates. Also, both botnets appear to hook into the Wireshark application on a client's system in the same way. When a user opens Wireshark on an infected system, the worm terminates the application initially. If the user attempts to open the application again, the worm prevents Wireshark from displaying any network interfaces. Instead of terminating the application, the worm allows the application to run but does not allow a user to view network traffic. This behavior may be unique to these botnets because most malicious code is programmed to terminate specific, targeted applications. The operators of these botnets likely chose this routine in an effort to make it more difficult for users to view the network traffic that these botnets produce.
The previously reported command and control traffic that used UDP packets over P2P connections to download updates to infected systems ceased on April 9, 2009. Cisco Security Intelligence Operations recently observed the command and control traffic using TCP port 443, which is normally used for SSL-encrypted traffic. Similar encrypted traffic was also observed over TCP port 80. Because the traffic does not perform an SSL key exchange, administrators may need to update their mitigations to detect and block this traffic.
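The detection opportunity in the paragraph above is that the traffic uses the ports of SSL and HTTP without the handshakes those protocols begin with. The following Python script is an added example, not code from the advisory or from Cisco; it applies that idea to the first client-to-server payload of each flow, classifying it as a TLS ClientHello, an HTTP request line, or neither, and reports flows on ports 443 and 80 that fall into the last group. The flow records and payload bytes are constructed for the example (the opaque blob is invented, not a captured sample), and the minimal ClientHello is built by hand from the TLS record layout.

```python
# Constructed first-packet payloads, client side, for flows to ports 443 and 80.
# A minimal TLS 1.0 ClientHello: one record header, one handshake header,
# version, 32-byte random, empty session id, one cipher suite, one compression.
TLS_CLIENT_HELLO = bytes.fromhex(
    "160301002d"            # record: type handshake(0x16), TLS 1.0, 45-byte body
    + "010000290301"        # ClientHello(0x01), 41-byte body, client version TLS 1.0
    + "00" * 32             # random
    + "00"                  # session id length 0
    + "0002002f0100"        # one cipher suite (0x002f), one compression method (null)
)
HTTP_REQUEST = b"GET /update HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n"
# Invented bytes standing in for an encrypted payload with no handshake in front.
OPAQUE_BLOB = bytes.fromhex("8f2ac41173e90bd6a2f45c8e17b39d40c6e2a85d19f30b7e4c91d2a6")

# Constructed flow records: (src, dst, dport, first client payload).
SAMPLE_FLOWS = [
    ("10.1.2.3", "203.0.113.9", 443, OPAQUE_BLOB),
    ("10.1.2.4", "203.0.113.9", 443, TLS_CLIENT_HELLO),
    ("10.1.2.3", "203.0.113.9", 80, HTTP_REQUEST),
    ("10.1.2.5", "203.0.113.9", 80, OPAQUE_BLOB),
    ("10.1.2.3", "203.0.113.9", 8080, OPAQUE_BLOB),
]

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}


def looks_like_tls_client_hello(payload):
    """True if the bytes open a TLS handshake record whose first message is a
    ClientHello, or an SSLv2-compatible CLIENT-HELLO (high bit set on the
    2-byte length, message type 1), which some older clients still sent."""
    if len(payload) >= 3 and payload[0] & 0x80 and payload[2] == 0x01:
        return True
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    record_len = int.from_bytes(payload[3:5], "big")
    return (content_type == 0x16 and major == 0x03 and minor <= 0x03
            and record_len >= 4 and payload[5] == 0x01)


def looks_like_http_request(payload):
    """True if the first line is '<METHOD> <target> HTTP/1.x'."""
    first_line = payload.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    return len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/1.")


def classify_payload(payload):
    if looks_like_tls_client_hello(payload):
        return "tls"
    if looks_like_http_request(payload):
        return "http"
    return "opaque"


def flag_flows(flows):
    """Flows on 443 or 80 whose first client bytes are neither a TLS ClientHello
    nor an HTTP request line. Returned as (src, dst, dport, classification)."""
    return [(src, dst, dport, classify_payload(payload))
            for src, dst, dport, payload in flows
            if dport in (80, 443) and classify_payload(payload) == "opaque"]


if __name__ == "__main__":
    for src, dst, dport, kind in flag_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport} first payload is {kind}")
```

Only the first client payload is inspected, which is what makes this cheap enough to run on a sensor, but it also means a legitimate non-TLS protocol deliberately run on 443 (an SSH or VPN service, for instance) will appear in the list; the result is a candidate set to compare against a list of known services on those ports, not a verdict.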
This change does not affect the W32/Conficker.worm and W32.Downadup.B, which account for most of the infected hosts. Additionally, the W32.Downadup.C variant may continue to use P2P capabilities to gain updates from other infected hosts without contacting a malicious domain.
Some public reports assert that variants of W32/Conficker.worm have infected over 9 million systems as of January 17, 2009. Administrators are advised to block all known domains associated with this worm because the domains carry the exploit and other malicious files. One method an administrator could use would involve implementing BGP black hole filtering techniques to discard network traffic to and from domains known to be associated with the Conficker family of worms. These techniques can allow an entity to disrupt communication between infected hosts and malicious domains with little impact to the rest of the network. Administrators should also take steps to isolate any suspected infected systems until the system can be restored. Many antivirus vendors have released Conficker removal tools to assist in the restoration of systems that are known to be infected by a variant of Conficker. Additionally, multiple vendors have incorporated Conficker detection capabilities in their scanning products.
Because of the vast number of infected hosts, security groups should assess the risk this worm presents to their specific organizations. All key stakeholders, from senior staff to security response and IT teams, should be briefed on a strategy to prevent and combat infection. An organization should not focus its efforts on one group or technology. Instead, organizations should use defense-in-depth strategies to combat the propagation and update of the worm at multiple levels.
Additionally, administrators can assist in industry-wide efforts to combat Conficker. By sharing information with industry and peer groups, organizations can help identify new trends associated with the worm. One such organization is the ICASI Security Incident Response Team. Additionally, administrators should consider passing examples of suspected new variants of Conficker to antivirus vendors to assist in the timely production of virus definitions and removal tools.
Studies released by antivirus vendors Symantec and F-Secure indicate that the worm mainly affects systems in Argentina, Brazil, China, and Russia. Approximately one percent of the currently infected systems reside in the United States. These studies are available at the following links: F-Secure and Symantec. The Microsoft Malware Protection Center has also released a response blog at the following link: Microsoft. Members of the information technology industry have formed a collaborative group focused on combating the effects of Conficker. A list of articles, removal tools, malicious web sites, and additional details may be found at the Conficker Work Group home page. The group has been working to block access to the domains to which Conficker attempts to connect.
Rule-based and application-based firewalls are likely to prevent or limit the impact of these worms. Rule-based firewalls are typically set up by an administrator for an entire network. These firewalls are often set up to block all traffic entering and exiting a network except traffic traveling through ports needed for production. Application-based firewalls are often found on client systems and can be configured to allow certain services and processes access to the Internet or local network. These firewalls can be configured to prompt a user each time a new process or service attempts to access the Internet or local network. Both types of firewalls may prevent malicious code from downloading updates or additional files. The firewalls may also prevent the malicious code from contacting an attacker or web site and from accessing local network resources.
Most host intrusion detection/prevention system software, such as Cisco Security Agent, can be configured to warn users when suspicious activity occurs on their systems. This software can be configured to prevent this worm from attempting to execute its infection routines. Host intrusion detection/prevention system software may also be configured to prompt a user when suspicious activity occurs. Often users can choose whether to allow or deny the activity in question. These factors will limit the infection rate and impact on most systems.
Security best practices dictate that administrators should restrict file formats commonly associated with malicious code from entering the corporate network. User education focused on avoiding malicious code attacks and responding in the case of infection is of equal importance.
Administrators are strongly encouraged to apply the MS08-067 update available from Microsoft to prevent attacks by the malicious code, and to review the Cisco Applied Mitigation Bulletin for methods of identifying and mitigating attack attempts.
Safeguards
Administrators are advised to apply the MS08-067 Microsoft update to prevent attacks by these worms.
Develop and maintain corporate policies and procedures to mitigate the risk of malicious code.
Block all file attachments except those specifically required for business purposes.
Use current and well-configured antivirus products at multiple levels in the environment. Configure antivirus products to scan all files and provide full-time or auto-protect functions. Configure antivirus products to scan three levels deep on compressed files.
Configure auto-update features to update daily or manually update antivirus signatures. Establish procedures for immediate antivirus updating in response to high-risk malicious code outbreaks.
Conservatively configure mail perimeter servers, routers, firewalls, and personal computers. Disable all unnecessary products, features, and sharing. Install all security-relevant patches and upgrades as available.
Configure network access controls to establish a default deny posture by limiting incoming and outgoing traffic and limiting network services to those required for business operations.
Establish supplemental protection for remote and mobile users. Include daily updated antivirus, personal firewalls, and network address translation on corporate routers or firewalls.
Provide initial and continuing education to all levels of users throughout the organization.
Network monitoring tools may assist administrators in detecting heavy network usage or trends that could indicate compromised systems.
Cisco Security Research and Operations has tested Cisco Security Agent to verify that it prevents the malicious actions initiated by the worm and also active exploitation of the Microsoft Windows Server service RPC request handling code execution vulnerability. As a result, attempts by the worm to infect systems and to propagate using this method are mitigated. Based on the characteristics of the vulnerability, Cisco expects that Cisco Security Agent will prevent other similar exploitation attempts as well.
Patches/Software
The Aladdin Virus Alert for Win32.Conficker is available at the following link: Virus Alert. Virus definitions have been available since January 13, 2008, at the following link: Aladdin
The AVIRA Threat Description for Worm/Conficker is available at the following link: Threat Description. The latest AVIRA Virus Definition File Versions are available at the following link: AVIRA VDF
The BitDefender Virus Threat for Win32.Worm.Downadup.Gen, as well as the signature and engine information, is available at the following link: BitDefender
The CA Virus Threat for Win32/Conficker.A, as well as the signature and engine information, is available at the following link: CA
The CA Virus Threat for Win32/Conficker.B, as well as the signature and engine information, is available at the following link: CA
The CA Virus Threat for Win32/Conficker.C, as well as the signature and engine information, is available at the following link: CA
The F-Secure Virus Description for W32/Downadup.gen is available at the following link: Virus Description. The latest definition updates are available at the following link: F-Secure
The F-Secure Virus Description for W32/Downadup.A is available at the following link: Virus Description. The latest definition updates are available at the following link: F-Secure
The F-Secure Virus Description for W32/Downadup.AL is available at the following link: Virus Description. The latest definition updates are available at the following link: F-Secure
The F-Secure Virus Description for W32/Downadup.AY is available at the following link: Virus Description. The latest definition updates are available at the following link: F-Secure
The Kaspersky virus description for Net-Worm.Win32.Kido.bt is available at the following link: Virus Encyclopedia. The latest Anti-Virus Update files are available at the following link: Kaspersky
The Kaspersky virus description for Net-Worm.Win32.Kido.dv is available at the following link: Virus Encyclopedia. The latest Anti-Virus Update files are available at the following link: Kaspersky
The Kaspersky virus description for Net-Worm.Win32.Kido.fx is available at the following link: Virus Encyclopedia. The latest Anti-Virus Update files are available at the following link: Kaspersky
Kaspersky has also released Anti-Virus Update files that detect the following: Net-Worm.Win32.Kido.a, Net-Worm.Win32.Kido.ae, Net-Worm.Win32.Kido.am, Net-Worm.Win32.Kido.ap, Net-Worm.Win32.Kido.bv, Net-Worm.Win32.Kido.c, Net-Worm.Win32.Kido.cu, Net-Worm.Win32.Kido.ef, Net-Worm.Win32.Kido.eo, Net-Worm.Win32.Kido.fo, Net-Worm.Win32.Kido.gen, Net-Worm.Win32.Kido.he, Net-Worm.Win32.Kido.hr, Net-Worm.Win32.Kido.i, Net-Worm.Win32.Kido.j, Net-Worm.Win32.Kido.r, Net-Worm.Win32.Kido.s, and Net-Worm.Win32.Kido.y
The McAfee Virus Description for W32/Conficker.worm is available at the following link: Virus Description. The latest DAT files are available at the following link: McAfee
The McAfee Virus Description for W32/Conficker.worm.gen.a is available at the following link: Virus Description. The latest DAT files are available at the following link: McAfee
The McAfee Virus Description for W32/Conficker.worm.gen.b is available at the following link: Virus Description. The latest DAT files are available at the following link: McAfee
The Microsoft Virus Analysis for Win32/Conficker.A is available at the following link: Virus Description. The latest definitions for the Microsoft products are available at the following link: Microsoft Malware Protection Center
The Microsoft Virus Analysis for Win32/Conficker.B is available at the following link: Virus Description. The latest definitions for the Microsoft products are available at the following link: Microsoft Malware Protection Center
The Norman antivirus description for W32/Conficker is available at the following link: Virus Description. Users can obtain the latest definitions using the Norman Internet Update module.
The Panda Software Virus Alert for Conficker.A is available at the following link: Virus Alert. The latest virus signature files are available at the following link: Panda Software
The Panda Software Virus Alert for Conficker.C is available at the following link: Virus Alert. The latest virus signature files are available at the following link: Panda Software
Sophos has also released identity files that detect the following: W32/Confick-A, W32/Confick-B, W32/Confick-C, W32/Confick-D, W32/Confick-E, W32/Confick-F, and W32/Confick-G
The Symantec Security Response for W32.Downadup is available at the following link: Security Response. The latest protection included in virus definitions for Intelligent Updater and for LiveUpdate is available at the following link: Symantec
The Symantec Security Response for W32.Downadup.B is available at the following link: Security Response. The latest protection included in virus definitions for Intelligent Updater and for LiveUpdate is available at the following link: Symantec
The Symantec Security Response for W32.Downadup.C is available at the following link: Security Response. The latest protection included in virus definitions for Intelligent Updater and for LiveUpdate is available at the following link: Symantec
The Trend Micro Virus Advisory for WORM_DOWNAD.A is available at the following link: Virus Advisory. The latest pattern files are available at the following link: Trend Micro
The Trend Micro Virus Advisory for WORM_DOWNAD.E is available at the following link: Virus Advisory. The latest pattern files are available at the following link: Trend Micro
Signatures
Cisco Systems Cisco Intrusion Prevention System (IPS) 6.0
Version 17, April 9, 2009, 3:47 PM: IntelliShield has identified recent activity about the Conficker worm. Additional analysis has been provided about this worm.
Version 16, April 1, 2009, 3:51 PM: Limited activity with little or no impact has been observed on April 1, 2009 as Conficker has modified the routines used to contact domains.
Version 15, March 30, 2009, 4:29 PM: Information related to the Conficker Work Group has been added to the analysis section.
Version 14, March 27, 2009, 4:53 PM: Additional technical information and mitigations are available for the W32/Conficker.worm worm and its variants.
Version 13, March 12, 2009, 9:23 AM: CA and F-Secure have released virus definitions to detect aliases of W32.Downadup.DY.
Version 12, March 10, 2009, 10:47 AM: Norman has released virus definitions to detect W32/Conficker, an alias of W32/Conficker.worm.
Version 11, March 9, 2009, 5:50 PM: Symantec has released virus definitions to detect W32.Downadup.C, a variant of W32/Conficker.worm. Sophos has also released virus definitions to detect aliases of W32/Conficker.worm variants.
Version 10, January 27, 2009, 10:23 AM: Kaspersky has released virus definitions that detect aliases of W32/Conficker.worm.
Version 9, January 19, 2009, 3:48 PM: Cisco Security Research and Operations has tested Cisco Security Agent to verify that it prevents the malicious actions initiated by active exploitation of the MS08-067 vulnerability, which may reduce exploitation attempts by W32/Conficker.worm.
Version 8, January 15, 2009, 5:38 PM: Aladdin has released virus definitions that detect Win32.Conficker, an alias of W32/Conficker.worm.
Version 7, January 13, 2009, 12:54 PM: Multiple vendors have released virus definitions to detect aliases of W32/Conficker.worm.
Version 6, January 6, 2009, 5:00 PM: Reports indicate that the W32/Conficker.worm is actively propagating in the wild.
Version 5, January 6, 2009, 8:37 AM: CA and Microsoft have released virus definitions that detect aliases of W32.Downadup.B. Additional information is also available.
Version 4, January 5, 2009, 8:59 AM: Symantec has released virus definitions that detect W32.Downadup.B, which is a variant of W32/Conficker.worm. F-Secure has also released virus definitions that detect W32/Downadup.AL, an alias of W32.Downadup.B.
Version 3, December 2, 2008, 8:57 AM: F-Secure and Symantec have released virus definitions that detect aliases of W32/Conficker.worm.
Version 2, November 27, 2008, 11:06 AM: Panda has released virus definitions that detect Conficker.A, an alias of W32/Conficker.worm.
Version 1, November 26, 2008, 12:29 PM: W32/Conficker.worm is a worm that exploits the Windows Server service RPC request handling code execution vulnerability to propagate, and downloads and executes malicious files on the system. Virus definitions are available.
Business Base, SP1 | Business x64 Edition Base, SP1 | Enterprise Base, SP1 | Enterprise x64 Edition Base, SP1 | Home Basic Base, SP1 | Home Basic x64 Edition Base, SP1 | Home Premium Base, SP1 | Home Premium x64 Edition Base, SP1 | Ultimate Base, SP1 | Ultimate x64 Edition Base, SP1
Microsoft, Inc.
Windows XP
Home Edition Base, SP1, SP2, SP3 | Professional Edition Base, SP1, SP2, SP3 | Professional x64 (AMD/EM64T) Base, SP2
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.