Custom Search

Search My Download Corner

Friday, April 3, 2009

Run a Conficker removal tool before April 1

Computer users should apply the Microsoft patch and Microsoft has a Conficker removal tool. These recommendations won't work if the worm is controlling your PC. Conficker.C prevents access to Users who haven't gotten the latest Windows updates should go to to confirm if they fear they're infected. The Safety subdomain of is another URL that victims of Conficker.C can't visit. Visit SANS Diary information page, updated on March 28 by researcher Andre L. to educate end users about Conficker, provides numerous links to security vendors. All of the links in the page's sections titled "Removal Instructions" and "Removal Tools" are blocked if a person's PC is infected with Conficker.C, with the exception of one domain recently created by security firm BitDefender

Computers infected with the infamous Conficker worm will start scanning the Internet for instructions this April Fools' Day. However many PCs are in Conficker's bot army, they won't all launch a massive attack on April 1. Instead, that's the date on which the bots will start looking for instructions. The infected machines are programmed to query several hundred domain names of possible control servers a day. It'll take weeks for most of the bots to connect (although they can cause a lot of spam or denial-of-service attacks after they do). A computer infected with Conficker.C is prevented from accessing many security-oriented Web sites. When a user tries to get patches from, say, Microsoft or Symantec, a browser will time out, suggesting to the user that the site is down.

Download Conficker Worm Patch WindowsXP-KB958644-x86-ENU

If your PC is infected, a technical trick might enable you to visit a site that Conficker is blocking. Instead of entering the site's domain name in your browser's address bar, enter the site's dotted-decimal IP address instead, which Conficker doesn't seem to interfere with. For example, Conficker might block your browser from showing the Computer Associates advisory I just mentioned. If so, you could replace the domain name shown in the first line below ( with the dotted-decimal IP address shown in the second line (

Here's one way to learn the IP address of a Web site: using an uninfected PC, open a Firefox window and install the Show IP browser extension. With this extension enabled, the IP address of whatever site you're visiting shows up in the browser's status bar.

How to update your PC and remove Conficker

The following steps should prevent infection by Conficker and eliminate the worm, if your PC has it. One positive side effect is that you'll enjoy a computer with up-to-date patches:

* Step 1. Attempt to run Microsoft Update. The Conficker worm can infect vulnerable computers merely by connecting to them remotely via the Internet. For this reason, you should first try to patch Windows before removing Conficker, lest your machine quickly become infected again. It's particularly important to install Microsoft patch 958644 (security bulletin MS08-067). This patch closes a hole in Windows' Remote Procedure Call, which Conficker exploits.

If you can't find Microsoft Update (or the more limited Windows Update) on your PC's Start menu, visit the Microsoft Update page on the Web. Internet Explorer is required.

Microsoft Update might complete successfully, or you might not be able to access at all. In either case, do Step 2.

* Step 2. Attempt to update your third-party security software. Having the latest antivirus signatures will help eradicate Conficker and other malware that may be lurking on your PC. Use your security software's menu to manually update to the latest defenses.

Have no security software? Read the WS Security Baseline, which summarizes the products that are currently rated the highest by respected reviewers.

• If your updated security software deems your PC to be cleaned up, but you couldn't previously access, go back to Step 1 and run Microsoft Update.

• If you couldn't access your security vendor's site at all, do Step 3.

• If you finished both Steps 1 and 2 successfully, you should be able to skip Step 3 and do Step 4.

* Step 3 (optional). Run a standalone Conficker removal tool, if need be. The Conficker Working Group — a coalition of Microsoft, Cisco, SRI, F-Secure, Kaspersky, and many other security vendors — maintains a list of certified detection and repair tools, any of which should remove Conficker. (Contributed by Susan Bradley .)

Unfortunately, most the links in the Working Group's list are inaccessible on a Conficker-infected PC. A victim can't even reach the Working Group's site, because it has in its URL the string conficker, which triggers the worm's blocking behavior.

As mentioned earlier, security firm BitDefender has set up a new domain from which users can download free Conficker disinfectant utilities. This site,, is not currently blocked by the worm, to the best knowledge of all. The site offers three options: (a) a free online scan; (b) a free, downloadable Single PC Removal Tool for individual users; and (c) a free Network Removal Tool, an .exe file that IT admins can use to disinfect an entire LAN. Visit BitDefender's download site.

If you can't access or any other security site from your PC, find a machine that isn't infected (such as a public-access workstation at a library). Don't use a search engine to look for removal tools, some of which are bogus. Instead, download a removal tool from the Working Group's certified list onto a USB drive, and then use that drive to run the software on the infected PC.

• After removing Conficker, if you couldn't previously complete Steps 1 and 2 successfully, go back now and finish those steps to update Windows and your security software.

• Once you've completed Steps 1 and 2, do Step 4.

* Step 4. Run Secunia's Software Inspector to catch missing application patches. Third-party applications, especially media players, are more likely to suffer from security holes than Windows itself is. The security firm offers a free scan, informing you when your PC is running an insecure version of an application that has a security patch available.

Like, the Secunia Software Inspector offers three options: (a) a free online scan; (b) a free download for individual users; and (c) a LAN utility for IT admins. Unlike BDTools' network tool, which is free, Secunia's LAN product costs €5,000 (U.S. $6,500) per year and up, depending on the size of your company.

To run Software Inspector, see Secunia's vulnerability scanning page.

In the best of opinion, everyone should use Software Inspector at least once a month, right after installing Microsoft's patches the week of Patch Tuesday.

* Step 5 (optional). Advanced users — use OpenDNS to restrict infected PCs. OpenDNS, a San Francisco–based company, provides a free, real-time service that prevents PCs from accessing phishing and hacker sites, among others. Admins of small and large LANs can use OpenDNS as a Domain Name System server.

The firm introduced on Feb. 9 a new, Conficker-specific feature. If an infected PC on a LAN somehow evaded detection, OpenDNS will prevent it from contacting Conficker's control servers. Best of all, admins can read a report showing which PC tried to connect to a Conficker server.

For details, read Dan Gookin's Register article and OpenDNS's announcement.

New instructions from the worm's author will probably make the bots disable a PC's access to BDTools, Secunia, and many other sites that were not on Conficker's original block list. Some security researchers have speculated that an update to Conficker will even prevent infected PCs from installing MS08-067.

It's best to strengthen your defenses before April 1 rather than waiting to see what bad things might happen.

Related Post:
Disabling Auto-Run in Windows
AutoPatcher Comeback
Keep the latest Conficker worm infestation off your PC

View blog reactions


Post a Comment