The Downadup, or Conficker, infection is a worm that predominantly spreads by exploiting the MS08-067 Windows vulnerability, but it also includes the ability to infect other computers via network shares and removable media. Not since the Sasser and MSBlaster worms have we seen such a widespread infection as we are seeing with the Downadup worm. In fact, according to anti-virus vendor F-Secure, the Downadup worm has infected over 8.9 million computers. Microsoft has addressed the problem by releasing a patch to fix the Windows vulnerability, but there are still many computers that do not have this patch installed, and thus the worm has been able to propagate throughout the world.
When installed, Conficker / Downadup will copy itself to your C:\Windows\System32 folder as a randomly named DLL file. If it has problems copying itself to the System32 folder, it may instead copy itself to the %ProgramFiles%\Internet Explorer or %ProgramFiles%\Movie Maker folders. It will then create a Windows service that automatically loads this DLL via svchost.exe, which is a legitimate Windows file, every time you turn on your computer. The infection will then change a variety of Windows settings that allow it to efficiently infect other computers over your network or the Internet.
Once the infection is running, you will find that you are no longer able to access a variety of sites such as Microsoft.com and many anti-virus vendors. It does this so that you cannot download removal tools or update your anti-virus programs. It will then perform the following actions in no specific order:
- Stop and start System Restore in order to remove all your current System Restore points so that you cannot roll back to a previous date when your computer was working properly.
- Check for Internet connectivity by attempting to connect to one of the following sites:
  - aol.com
  - cnn.com
  - ebay.com
  - msn.com
  - myspace.com
- Attempt to determine the infected computer's IP address by visiting one of the following sites:
  - http://www.getmyip.org
  - http://getmyip.co.uk
  - http://checkip.dyndns.org
  - http://www.whatismyip.com/
- Download other files to be used as necessary.
- Scan the infected computer's network for vulnerable computers and try to infect them.
Some symptoms that may hint that you are infected with this malware are as follows:
- Anti-malware software stating you are infected with infections using the following names:
  - Net-Worm.Win32.Kido
  - W32/Conficker.worm.gen
  - Worm.Conficker
  - W32.Downadup
  - W32/Downadup.AL
  - W32/Confick-A
  - Win32/Conficker.A
  - Mal/Conficker
  - Worm:Win32/Conficker.B
  - Win32.Worm.Downadup.Gen
- Automatic updates no longer working.
- Anti-virus software is no longer able to update itself.
- Unable to access a variety of security sites, such as anti-virus software companies.
- Random svchost.exe errors.
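The persistence mechanism described above (a service that makes svchost.exe load a DLL from System32, the Internet Explorer folder or the Movie Maker folder) can be checked for by hand. The script below is an added example written for this guide; it is not BitDefender's, Microsoft's or the worm's code. It walks the services registry key, keeps only svchost-hosted services whose ServiceDll lives in one of those three folders, and reports the ones whose file carries no valid Authenticode signature. The folder list and the signature test are heuristics chosen for this example: on Windows XP and Windows 7 many legitimate system DLLs are signed only through catalog files and may show as NotSigned, so a hit is a lead to investigate, not proof of infection.

```powershell
# Added example for this guide (not BitDefender's or Microsoft's code).
# Run from an elevated PowerShell prompt (PowerShell 3.0 or later).
function Get-SuspectServiceDll {
    # Folders the guide names as the worm's drop locations (assumption: same layout on this machine)
    $suspectDirs = @(
        (Join-Path $env:SystemRoot 'System32'),
        (Join-Path $env:ProgramFiles 'Internet Explorer'),
        (Join-Path $env:ProgramFiles 'Movie Maker')
    )
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        $name = $svc.PSChildName
        $main = Get-ItemProperty -Path "$servicesKey\$name" -ErrorAction SilentlyContinue
        # Only svchost-hosted services load a DLL named in Parameters\ServiceDll
        if (-not $main -or -not $main.ImagePath -or $main.ImagePath -notmatch 'svchost\.exe') { continue }

        $params = Get-ItemProperty -Path "$servicesKey\$name\Parameters" -ErrorAction SilentlyContinue
        if (-not $params -or -not $params.ServiceDll) { continue }

        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        $dir = [System.IO.Path]::GetDirectoryName($dll)
        if ($dir -notin $suspectDirs) { continue }

        $exists = Test-Path -LiteralPath $dll
        $sig    = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
        $status = 'Unknown'
        $signer = ''
        if ($sig) {
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            Service    = $name
            ServiceDll = $dll
            Exists     = $exists
            Signature  = $status
            Signer     = $signer
        }
    }
}

# Report svchost-hosted DLLs in the suspect folders that are missing or not validly signed.
Get-SuspectServiceDll |
    Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```

Compare any reported DLL against the detection names in the list above and the removal tool's log; a randomly named DLL with no signer in one of these folders is exactly the pattern the guide describes.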
Using the following guide we will walk you through removing this worm from your computer and securing your computer so it does not get infected with Downadup again. Because this worm stops us from accessing the sites we need to download the removal tools from, you will need access to another computer that is clean and the ability to copy files from that computer to the infected one. If at all possible, I suggest you copy the files using a burnable DVD or CD in order to prevent your USB drives from possibly becoming infected.
This guide will walk you through removing the Conficker and Downadup worms for free. If you would like to read more information about this infection, we have provided some links below.
Reference Links:
- Downadup and Conficker Removal Options
- Self Help Guide
If you are uncomfortable making changes to your computer or following these steps, do not worry! Instead you can get free one-on-one help by asking in the forums.
1. Print out these instructions, as we will need to close every window that is open later in the fix.
2. Because Downadup and Conficker do not allow you to connect to Microsoft and a variety of security sites, you must first download the Windows patch and the removal tool on another computer and transfer the files to your infected PC. On a clean computer, download BitDefender's Anti-Downadup tool from the following location and save the file to your desktop. The current name of the file is bd_rem_tool.zip.
   BitDefender's Conficker Removal Tool
3. Next, visit the following link and download the KB958644/MS08-067 security patch for your particular Windows operating system:
   MS08-067 Patch Download Link
   Look through the list and click on the link that corresponds to the version of Windows that is running on the infected machine. Then download the file from the page that opens and save it to your desktop.
4. Now copy bd_rem_tool.zip and the Windows patch file to a floppy, CD, or USB drive so we can copy them to the infected PC.
5. Once the files are stored on a removable device, copy them onto your infected PC's Windows desktop.
6. Once the Windows patch and the bd_rem_tool.zip file are on your infected computer's desktop, first install the Windows patch. Simply double-click on the file that you downloaded from Microsoft's web site and follow the prompts to install the patch. This ensures your computer does not become reinfected after we clean the current infection. If the patch is already installed, the Microsoft installer will detect that and not reinstall it.
7. Now we need to extract the files from bd_rem_tool.zip. You can do this by right-clicking on bd_rem_tool.zip and then selecting the Extract All... menu option as shown in the image below.
8. At the next screen, keep clicking the Next button until you see a screen similar to the one below. Now that the file has finished being extracted, click on the Finish button.
9. A folder will open containing two files, named bd_rem_tool_console.exe and bd_rem_tool_gui.exe. Please double-click on the bd_rem_tool_gui.exe file to start the program. When you run this program, Windows may display a warning similar to the image shown below. If you receive this warning, please click on the Run button to continue starting Anti-Downadup on your computer. If you did not receive this warning, then Anti-Downadup should have started and you can proceed to the next step.
10. You will now see a screen prompting you to start the scan or close the program. Please click on the Start button to have the program scan your computer and remove any Downadup and Conficker infections.
11. Anti-Downadup will now start to scan your computer and determine if you are infected, as shown below. This process can take 10 minutes, so please be patient. When it is done, if your computer is clean it will tell you so and you can close the program. Otherwise, continue with the rest of the steps.
12. When Anti-Downadup has finished scanning your computer it will prompt you to reboot your computer in order to finish the cleaning process. Press the Yes button to allow the infected computer to be rebooted. If you do not reboot your computer, you will be left with a blue screen, as Explorer was terminated during the cleaning process.
13. When the computer has finished rebooting you should no longer have the Conficker or Downadup infections on your computer. To see a log of what was deleted you can open the C:\Win32.Worm.Downladup.Gen.log file in Notepad.
Though the infection is now removed from your computer, we need to make sure you do not get infected again. As you should have already installed the Windows patch, you can no longer be infected via the MS08-067 exploit. This infection, though, also spreads through network shares and removable devices. So please examine your computer for any network shares and disable any that are not necessary to have open.
The next step is to disable Autorun on your computer. Autorun is a feature that allows executables to run automatically when you insert removable media such as a CD/DVD, flash drive, or other USB device. Having Autorun enabled is a security risk due to the fact that a virus can spread through the use of removable media. For example, if you had used your flash drive on a computer infected with a removable-media worm, then your flash drive will become infected. Then when you use that infected flash drive on a computer that has Autorun enabled, the infection will automatically run and infect the new computer. As you can see, disabling Autorun is an important step in securing your computer. Please note that if you disable this feature, then any time you insert removable media, including a CD or DVD, it will not automatically open or start. Instead you will need to open My Computer, right-click on the specific drive and select Explore or Play in order to access the contents of the media. If you would prefer security over convenience then please download the following file and save it on your desktop:
Once the file is downloaded, simply double-click on it. When Windows asks if
you would like to merge the data, click on the Yes button.
Now that Autorun is disabled, reboot your computer to make the setting effective.
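The two hardening steps above (reviewing network shares and disabling Autorun) can also be carried out from an elevated PowerShell prompt. The script below is an added example written for this guide, not the registry file the guide links to and not BitDefender's or Microsoft's code. It lists the non-administrative SMB shares for review and then sets the documented NoDriveTypeAutoRun policy value to 0xFF (all drive types) under both HKLM and HKCU; as a second layer it maps Autorun.inf to a non-existent INI section so Windows ignores autorun.inf files on inserted media. The Get-SmbShare cmdlet assumes Windows 8 / Server 2012 or later; on older systems use `net share` to list shares instead. As the guide says, a reboot is still needed for the Autorun setting to take effect.

```powershell
# Added example for this guide (not BitDefender's or Microsoft's code).
# Run from an elevated PowerShell prompt; Get-SmbShare needs Windows 8 / Server 2012 or later.

function Get-NonDefaultShare {
    # Administrative shares (C$, ADMIN$, IPC$) are flagged Special; list everything else for review.
    Get-SmbShare | Where-Object { -not $_.Special } | Select-Object Name, Path, Description
}

function Disable-Autorun {
    # 0xFF in NoDriveTypeAutoRun disables AutoRun for every drive type.
    # Set under HKLM and HKCU so a per-user value cannot re-enable it.
    foreach ($root in 'HKLM:', 'HKCU:') {
        $key = "$root\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -PropertyType DWord -Force | Out-Null
    }
    # Second layer: point Autorun.inf handling at an INI section that does not exist,
    # so the contents of any autorun.inf on removable media are never parsed.
    $ini = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    if (-not (Test-Path $ini)) { New-Item -Path $ini -Force | Out-Null }
    Set-ItemProperty -Path $ini -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Test-AutorunDisabled {
    # $true when the machine-wide policy value is 0xFF (the setting applies after a reboot).
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
                          -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.NoDriveTypeAutoRun -eq 0xFF)
}

# 1. Review shares; remove any you decide are unnecessary (share name below is a placeholder).
Get-NonDefaultShare | Format-Table -AutoSize
# Remove-SmbShare -Name 'SHARE_NAME_PLACEHOLDER' -Force

# 2. Disable Autorun and confirm the policy value is in place, then reboot.
Disable-Autorun
Test-AutorunDisabled
```

Removing a share with Remove-SmbShare only stops it being offered over the network; the folder and its contents stay on disk.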
Congratulations! Your computer should now be free of the Downadup and Conficker program and you will no longer be vulnerable to infection from this malware.