W32/Conficker Worm Infects Millions Of PCs
Information about the W32/Conficker worm:
The W32/Conficker worm exploits most of the malware entry points available in the operating system. Once it infects a computer, it alters the registry locations it needs in order to spread through the network and removable drives (USB sticks). The worm can enter a user's system in multiple ways: over the network through the Admin$ share (brute-force dictionary attack), through systems with unsecured shares, through systems not patched against the vulnerability, or from a USB drive. Because of this, a system may get infected even when the user follows safe computing practices.
Upon execution, the worm copies itself under a random name with a .dll extension to the following locations:
Windows System
Program Files\Internet Explorer
Program Files\Movie Maker
All Users Application Data
Windows Temp
and under a random name with a .tmp extension to the following locations:
Windows System
Windows Temp
The worm disables the following services:
Windows Automatic Update Service (wuauserv)
Background Intelligent Transfer Service (BITS)
Windows Security Center
Windows Defender
Windows Error Reporting
It also drops the following files on removable and mapped drives:
\RECYCLER\
\autorun.inf
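A triage check for the two indicator lists above (disabled services, and the files dropped on removable and mapped drives), added here as an example; it is not part of the original advisory or of Protector Plus. It assumes the service state is collected with `sc qc <name>`, that the short names wscsvc, WinDefend and ERSvc correspond to the last three services listed, and that a dropped autorun.inf refers to the RECYCLER folder beside it.

```python
import re
from pathlib import Path

# wuauserv and BITS are named on the page; wscsvc, WinDefend and ERSvc are the
# usual short names for the other three services (assumption, XP/Vista era).
WATCHED = ("wuauserv", "bits", "wscsvc", "windefend", "ersvc")

# Constructed sample: concatenated output of `sc qc <name>` for three services.
SAMPLE_SC_QC = """\
SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
SERVICE_NAME: BITS
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
SERVICE_NAME: wscsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
"""

def disabled_services(sc_qc_output):
    """Watched services whose START_TYPE in `sc qc` output is DISABLED."""
    hits = []
    for block in re.split(r"(?m)^SERVICE_NAME:[ \t]*", sc_qc_output)[1:]:
        name = block.split("\n", 1)[0].strip().lower()
        start = re.search(r"START_TYPE\s*:\s*\d+\s+(\w+)", block)
        if name in WATCHED and start and start.group(1) == "DISABLED":
            hits.append(name)
    return hits

def suspicious_drive_root(root):
    """True if the root holds autorun.inf that points into a RECYCLER folder."""
    entries = {p.name.lower(): p for p in Path(root).iterdir()}
    inf = entries.get("autorun.inf")
    if inf is None or not inf.is_file() or "recycler" not in entries:
        return False
    # Drop NUL bytes so a UTF-16 encoded file still matches; search raw bytes
    # because a hostile autorun.inf may be padded with junk that breaks parsers.
    return b"recycler" in inf.read_bytes().replace(b"\x00", b"").lower()

if __name__ == "__main__":
    print("disabled:", disabled_services(SAMPLE_SC_QC))
    for drive in ("E:\\", "F:\\"):  # hypothetical removable/mapped drive letters
        if Path(drive).exists():
            print(drive, "suspicious:", suspicious_drive_root(drive))
```

A RECYCLER folder on its own is normal on NTFS volumes of this Windows generation, which is why the check only fires when autorun.inf also refers to it.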
The worm attaches itself to the following Windows processes:
svchost.exe
explorer.exe
services.exe
Infection symptoms:
Access to Admin shares is denied
Scheduled tasks are created
Access to security-related websites is denied
Access to the Windows Update site is denied
Network response becomes considerably slow
Domain controllers respond slowly to client requests
The worm modifies the registry at the following locations:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Payload
The worm attempts to create an HTTP server and open a random port between 1024 and 10000 on the victim computer. On successful creation of the HTTP server, the worm downloads a copy of itself to the victim computer. The worm also resets the restore point. Most variants of the Conficker worm will trigger the payload on April 1. Although the security industry is conducting a lot of research on the payload, the exact payload and the damage it can cause on April 1 are still a mystery.
Removal of the worm
Patch the vulnerability on your machine to avoid infection. Download and install the patch released by Microsoft (MS08-067) for this worm.
Registered users can update their virus signatures. Others can install Protector Plus from the following link and scan their computers.
Download the removal tool for W32/Conficker from
http://www.protectorplus.com/download/cleanconficker.htm
Other names of the W32/Conficker worm:
This worm is also known as Win32/Downadup, W32/Kido, W32/Conflicker and W32/Pakes.
About Protector Plus Anti virus Software Packages:
Proland Software is the developer of the Protector Plus range of anti virus software packages. Protector Plus anti virus is available for Windows XP, Windows Me/98/95, Windows NT/2000/2003 servers and workstations, MS-Exchange 2000/2003, MS-DOS and NetWare servers.
The Protector Plus range of anti virus products offers on-line virus detection and removal. All the packages have the ability to detect and isolate all types of viruses, trojans, worms and other types of malware.
These products are updated on a continuous basis and the latest upgrades for all the platforms are made available for downloading from this site.
Copyright © 2009 Proland Software. All rights reserved.