Back on Oct. 23, 2008, Microsoft released a critical security update for Windows: MS08-067. Isolated attacks were already occurring when the bulletin was released, and on this blog we strongly recommended installing the security update as quickly as possible. Later, a few trojans that exploit this vulnerability were found, and a month after the release of the bulletin we blogged again, this time about the first worm to exploit the vulnerability: Win32/Conficker (here and then here).

Over the last couple of weeks, a new variant of this worm has been affecting customers. We detect it as Worm:Win32/Conficker.B. In addition to exploiting MS08-067, this variant uses other propagation methods: it tries to copy itself to network shares by guessing their passwords, and it succeeds when the password is weak. It also tries to spread via removable media.

[Image: Conficker infection diagram]

The malware uses several layers of polymorphism and packing to hinder analysis and detection. Beyond that, infected users may have difficulty locating Conficker's dropped files. It replaces the access rights on its registered key under HKLM\SYSTEM\CurrentControlSet\Services, allowing only the Local System account to read the key, traverse it or change its discretionary ACL (Access Control List). The same goes for its DLL file in system32: all NTFS permissions except file execute are stripped for all users. Additionally, the malware keeps a system lock on its entire file, making it difficult for standard tools to access or remove the threat while it is running. The January version of the MSRT can detect and remove this worm despite all these tricks.
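The two ACL tricks just described leave a footprint an administrator can look for. The following PowerShell script is an added example, not MSRT code or anything from this post: it flags service registry keys that only SYSTEM may access (or whose security descriptor an administrator cannot even read) and system32 DLLs that nobody is allowed to read. It assumes an elevated session on Windows and that, on a healthy system, the Administrators group can read every service key and every system32 DLL; the function name and output format are the example's own.

```powershell
# Added example (not part of this post or of the MSRT): audit ACL patterns that
# match the Conficker.B self-protection described above. Run elevated.
# Assumption: on a healthy system Administrators can read every service key and
# every system32 DLL, so "SYSTEM only" or "unreadable" is worth a closer look.

$SystemSid = 'S-1-5-18'   # NT AUTHORITY\SYSTEM (well-known SID)
$SidType   = [System.Security.Principal.SecurityIdentifier]

function Get-AllowedSids {
    # Return the distinct SIDs holding an Allow ACE on $Path, or $null when the
    # security descriptor itself cannot be read by the current (admin) user.
    param([string]$Path)
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop }
    catch { return $null }
    $acl.GetAccessRules($true, $true, $SidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

# 1. Service keys that only SYSTEM may touch. GetSubKeyNames() needs only
#    enumerate rights on the parent, so a locked-down child key is still listed.
$servicesKey = Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($name in $servicesKey.GetSubKeyNames()) {
    $sids = Get-AllowedSids -Path (Join-Path $servicesKey.PSPath $name)
    if ($null -eq $sids) {
        "[service] ${name}: security descriptor not readable by administrator"
    } elseif (@($sids).Count -eq 1 -and $sids[0] -eq $SystemSid) {
        "[service] ${name}: only SYSTEM is allowed"
    }
}

# 2. system32 DLLs where no principal holds ReadData (execute-only files).
$ReadData = [System.Security.AccessControl.FileSystemRights]::ReadData
Get-ChildItem "$env:SystemRoot\System32\*.dll" -File -ErrorAction SilentlyContinue |
  ForEach-Object {
    try { $acl = Get-Acl -Path $_.FullName -ErrorAction Stop }
    catch { "[dll] $($_.FullName): security descriptor not readable"; return }
    $readers = $acl.GetAccessRules($true, $true, $SidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (($_.FileSystemRights -band $ReadData) -ne 0) }
    if (-not $readers) { "[dll] $($_.FullName): no principal has read access" }
  }
```

A hit is a lead, not a verdict: confirm it with the MSRT or a full scanner before acting on it.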

A number of our customers have contacted our support team for assistance with containment in environments that were largely unpatched when the worm was released: either security update MS08-067 was not installed at all, or it was not installed on all the computers. Most of these customers run large networks, where file sharing and network shares are more common than in homes. This malware has infected computers in many parts of the world. The countries/regions from which we received the highest number of reports are the US, Mexico, France, the UK, Spain, Canada, Italy, Brazil, Korea, Germany, Malaysia, and the Czech Republic.

To help affected customers, we decided to add detection and removal of this worm to the January version of the MSRT. This version is released today and is available here. If your computer or environment is affected by this malware, you may want to run the MSRT to help disinfect it. The first step is to install the security update on all your computers and replace the passwords of network shares with stronger ones. Then use the MSRT to remove the worm from infected computers. Infected computers may not be able to access Windows Update, so the administrator may first need to download the tool on a clean computer and then distribute it to the other machines, for example by copying it to a share, write-protecting the share, and running the tool from there. KB article 891716 explains how to use the MSRT in enterprise environments, and you can learn more about Win32/Conficker.B and about preventive measures here. The MSRT released today also addresses Win32/Banload, a family of trojan downloaders. We will post another blog entry about Win32/Banload later this month.

Happy New Year,
Cristian Craioveanu
Ziv Mador
Microsoft Malware Protection Center

January 15th, 2009: The following KB article provides more information about how to remove this malware: