Conficker Worm infected millions of PCs, yours too?
The Conficker Worm infected millions of PCs worldwide. First, make sure that you are able to visit:
Microsoft.com. Symantec.com. McAfee.com.
If you can’t access the sites, you might be infected!
Let’s find out what the worm is doing and how to remove it.
What is the Worm doing?
This part is quite interesting: the worm does a lot of things in order to exploit you as a host. It even downloads a database to find out your location! Source: http://www.symantec.com/
Once executed, the worm copies itself as the following file:
%System%\[RANDOM FILE NAME].dll
Next, the worm deletes any user-created System Restore points.
It creates the following service:
Name: netsvcs
ImagePath: %SystemRoot%\system32\svchost.exe -k netsvcs
Then the worm creates the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PathToWorm]"
The worm connects to the following URLs to obtain the IP address of the compromised computer:
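The two checks above (can you still reach the vendor sites, and is there an svchost-hosted service whose ServiceDll does not belong) can be scripted. The following PowerShell is an added example written for this post; it is not Symantec's tool or code from the original article. It assumes it is run in an elevated PowerShell on the suspect machine, takes the three hostnames and the "netsvcs" service name from the post, and otherwise uses standard Windows keys: the svchost group list under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost and the per-service Parameters\ServiceDll value.

```powershell
# Added triage script (not from the original post or from Symantec).
# Assumes: elevated PowerShell on the machine being checked.

# 1. The post's first test: can the vendor sites still be resolved?
#    Conficker blocks lookups of security vendors, so a failure here is a warning sign.
function Test-VendorReachability {
    param([string[]]$Hosts = @('microsoft.com', 'symantec.com', 'mcafee.com'))  # hostnames from the post
    foreach ($h in $Hosts) {
        try {
            $null = [System.Net.Dns]::GetHostAddresses($h)
            [pscustomobject]@{ Host = $h; Resolves = $true }
        } catch {
            [pscustomobject]@{ Host = $h; Resolves = $false }
        }
    }
}

# 2. Every service hosted by "svchost.exe -k netsvcs": which DLL does it load,
#    is that DLL signed, and is the service actually registered in the netsvcs group?
#    The sample in the post registers a service literally named "netsvcs" (a group
#    name, not a real service name) that loads a random .dll dropped in %System%.
function Get-NetsvcsServiceDlls {
    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    # REG_MULTI_SZ list of the services Windows itself assigns to the netsvcs group
    $groupMembers = (Get-ItemProperty -Path $svchostKey -ErrorAction SilentlyContinue).netsvcs

    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($svc.ImagePath -notlike '*svchost.exe*-k netsvcs*') { return }

        $params = Get-ItemProperty -Path "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue
        $dll = if ($params.ServiceDll) {
            [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        } else { $null }

        $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
            (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
        } else { 'missing' }

        [pscustomobject]@{
            Service        = $_.PSChildName
            ServiceDll     = $dll
            Signature      = $sig
            InGroupList    = [bool]($groupMembers -contains $_.PSChildName)
            NamedLikeGroup = ($_.PSChildName -ieq 'netsvcs')   # the indicator named in the post
        }
    }
}

Test-VendorReachability | Format-Table -AutoSize

# Show only the entries worth a second look.
Get-NetsvcsServiceDlls |
    Where-Object { $_.NamedLikeGroup -or -not $_.InGroupList -or $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```

Path alone is not a useful filter here: legitimate netsvcs members also load DLLs from System32, which is exactly where the worm drops its random-named copy, so the script keys on group membership and signature instead. On Windows 7 and earlier, many system DLLs are catalog-signed and Get-AuthenticodeSignature may report them as NotSigned; on those machines treat the signature column as a hint and the InGroupList and NamedLikeGroup columns as the real signal.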
- http://www.getmyip.org
- http://getmyip.co.uk
- http://checkip.dyndns.org
Downloads a file
Next, the worm downloads a file from the following URL and executes it:
http://trafficconverter.biz/4vir/antispyware/loada[REMOVED]
The worm then creates an HTTP server on the compromised computer on a random port, for example: http://[EXTERNAL IP ADDRESS OF INFECTED MACHINE]:[RANDOM PORT]
The worm then sends this URL as part of its payload to remote computers.
Upon successful exploitation, the remote computer will then connect back to this URL and download the worm.
You spread the worm to other PCs
In this way, each exploited computer can spread the worm itself, as opposed to downloading from a predetermined location.
Next, the worm connects to a UPnP router and opens the HTTP port. It then attempts to locate the network device registered as the Internet gateway on the network and opens the previously mentioned [RANDOM PORT] in order to allow access to the compromised computer from external networks.
The worm then attempts to download a data file from the following URL:
http://www.maxmind.com/download/geoip/database/GeoIP.dat.gz
Security Hole
The worm spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). Next, the worm attempts to contact the following sites to obtain the current date:
- http://www.w3.org
- http://www.ask.com
- http://www.msn.com
- http://www.yahoo.com
- http://www.google.com
- http://www.baidu.com
It uses the date information to generate a list of domain names.
The worm then contacts these domains in an attempt to download additional files onto the compromised computer.
The W32.Downadup.A worm was the first worm discovered in the wild that was successfully leveraging MS08-067 in a widespread fashion. Symantec carried out an in-depth analysis of this threat and discovered that infected hosts will generate 250 pseudo-random domain addresses each day, in preparation of attempting to contact them later on to download and execute an update binary.
By now the worm targets about 500 domains, which it contacts to download and execute a file.
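A host that generates hundreds of domain names a day and tries to resolve all of them leaves a very visible trace in DNS logs: most of those names do not exist, so the resolver answers NXDOMAIN over and over for the same client. The following PowerShell is an added example, not code from the post or from Symantec, and it does not reproduce Conficker's own generation algorithm (the post does not give it). It only counts distinct failed lookups per client per day over a log. The log layout and the sample lines are constructed for this example, and the threshold is an assumption chosen well below the 250 names per day the post reports.

```powershell
# Added detection heuristic (not from the original post or from Symantec).
# Assumes a text log with one query per line in the constructed shape
#   "<date> <time> <client-ip> <queried-name> <rcode>"
# Real DNS server logs use other layouts; adjust the -split below for yours.

$Threshold = 100   # assumed: distinct NXDOMAIN names per client per day before we flag it

# Constructed sample lines: one normal client and one client burning through
# names that do not resolve (the same name repeated is counted once).
$SampleLog = @'
2009-01-15 08:00:01 10.0.0.12 www.example.com NOERROR
2009-01-15 08:00:05 10.0.0.12 mail.example.com NOERROR
2009-01-15 08:01:10 10.0.0.44 qxzlmrpw.biz NXDOMAIN
2009-01-15 08:01:11 10.0.0.44 hbtwnvqk.info NXDOMAIN
2009-01-15 08:01:12 10.0.0.44 mzkpqyrt.org NXDOMAIN
2009-01-15 08:01:13 10.0.0.44 qxzlmrpw.biz NXDOMAIN
'@

function Get-DgaSuspects {
    param(
        [string[]]$Lines,
        [int]$MinDistinctFailures = $Threshold
    )
    # key "client|day" -> set of distinct names that came back NXDOMAIN
    $seen = @{}
    foreach ($line in $Lines) {
        $f = $line -split '\s+'
        if ($f.Count -lt 5 -or $f[4] -ne 'NXDOMAIN') { continue }
        $key = "$($f[2])|$($f[0])"
        if (-not $seen.ContainsKey($key)) {
            $seen[$key] = New-Object 'System.Collections.Generic.HashSet[string]'
        }
        $null = $seen[$key].Add($f[3].ToLowerInvariant())
    }
    foreach ($k in $seen.Keys) {
        if ($seen[$k].Count -ge $MinDistinctFailures) {
            $client, $day = $k -split '\|'
            [pscustomobject]@{
                Client           = $client
                Day              = $day
                DistinctNxdomain = $seen[$k].Count
            }
        }
    }
}

# The constructed sample has only three distinct failures, so lower the bar to see it flagged;
# against a real day of logs leave the default, which an infected host crosses within hours.
Get-DgaSuspects -Lines ($SampleLog -split "`r?`n") -MinDistinctFailures 3 | Format-Table -AutoSize
```

Counting distinct names rather than raw queries matters: a legitimate host that retries one broken hostname all day produces many NXDOMAIN lines but only one distinct name, while a host working through a generated list produces a new name on almost every failure.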
How to remove the worm?
Well, if you are infected, you can download a removal tool from Symantec. The irony is that you won't be able to access the site, so I thought I would upload the file for infected users.
Symantec Download Page (if you can’t access it you are infected, see download below)
Posted by sOliver