The worm dubbed Win32/Conficker by ESET already ranked among the most widespread global threats toward the end of last year. Compared to its original version, the new variant is spreading even more aggressively thanks to its ability to block signature updates of antivirus software. To increase its destructive power even further, its creators have added a function allowing it to spread by way of USB keys.
"The new functionality allowing it to infiltrate the system via a USB key plays an important role in the success of its spreading, since it is often the case that if an antivirus solution fails to detect the malware (due to the AV's disabling), the only way to remove it is to upload the signature update or the 'cure' via a USB device. During this procedure, however, the worm is known to pass to the USB device, which in effect continues to perpetuate its spread to other workstations," says Juraj Malcho, the head of ESET's Anti-virus Laboratory.
The worm's initial version contained a link to a domain known as the "center for the spread of spyware and false anti-virus products." This was a hoax, devised by the malware creators to lure the user into an elaborate remote-controlled botnet that could potentially be used for malicious purposes. Moreover, the authors of the malware applied an innovative method of controlling the worm: each day it generates a new pseudo-random domain (a domain name that looks random but is produced by a predictable algorithm) where the worm reports for instructions. It was precisely this characteristic that made it possible for anti-virus specialists to map out the actual size of the botnet, which according to present estimates contains millions of infected computers.
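As an added illustration (not ESET's analysis and not Conficker's actual algorithm), the following Python shows why a date-seeded domain generator helps defenders: anyone who knows the generator can precompute the day's rendezvous domains, register or sinkhole them, and match resolver logs against them to count and locate infected hosts. The generator, the log format and the sample log lines are all constructed for this example.

```python
import hashlib
import re

# Constructed, date-seeded generator used only to illustrate the mechanism
# described above; it is NOT Conficker's real algorithm. Everything below is
# deterministic: the same date always yields the same names, which is exactly
# why analysts could precompute and register the rendezvous domains in advance.
TLDS = ("com", "net", "org")
LETTERS = "abcdefghijklmnopqrstuvwxyz"

def daily_domains(day: str, count: int = 5) -> list[str]:
    """Return the `count` rendezvous domains for an ISO date such as '2009-01-15'."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day}-{i}".encode()).digest()
        label = "".join(LETTERS[b % 26] for b in digest[:8])
        domains.append(f"{label}.{TLDS[digest[8] % len(TLDS)]}")
    return domains

# Constructed resolver log format: "<date> <time> <client-ip> query: <name>"
LOG_RE = re.compile(
    r"^\S+ \S+ (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) query: (?P<qname>\S+)$"
)

def flag_infected_hosts(log_lines, day: str) -> dict[str, set[str]]:
    """Map each client IP that looked up one of the day's domains to the names it asked for."""
    wanted = set(daily_domains(day))
    hits: dict[str, set[str]] = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        qname = m.group("qname").lower().rstrip(".")  # normalise case and trailing dot
        if qname in wanted:
            hits.setdefault(m.group("ip"), set()).add(qname)
    return hits

if __name__ == "__main__":
    day = "2009-01-15"
    doms = daily_domains(day)
    print("precomputed domains for", day, doms)
    # Constructed log lines; 10.0.0.9 behaves like an infected host.
    sample = [
        f"{day} 08:01:02 10.0.0.5 query: www.example.com",
        f"{day} 08:01:03 10.0.0.9 query: {doms[2]}",
        f"{day} 08:01:04 10.0.0.9 query: {doms[0]}.",
    ]
    print("hosts to isolate:", flag_infected_hosts(sample, day))
```

Feeding real resolver logs through the same matcher, with the real generator's output as the watch list, is the mapping step the text describes.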
Globally, Win32/Conficker continues to rank among the top threats at the beginning of 2009. "Conficker has the potential to grow into an epidemic. It exploits a known vulnerability in Windows OS, which only contributes to its spreading on a massive scale. Compared to some other comparable worms, Conficker is more complex and has a higher degree of sophistication as far as its detection and removal are concerned," adds Malcho.
Removal of Win32/Conficker
1) Disconnect the infected computer from the network and the Internet.
2) Use an uninfected PC to download the relevant Windows patches from the Microsoft security bulletins MS08-067, MS08-068 and MS09-001.
3) Change the passwords of administrator accounts to stronger ones.
4) Using a non-infected PC, download ESET's one-off removal tool, which will remove the worm.
5) Install the updated anti-virus program.
6) Re-connect the PC to the network and the Internet.