A new variant of the Conficker or sometimes referred to as Downadup, worm is about to start spreading like wildfire on April 1st. Win32/Conficker.C is a worm capable of blocking security-related websites, terminating system security services, and downloading component files using time-based generated URLs.
When the worm is executed, it drops a copy of itself using a random filename in the System directory on your system. It can also sometimes drop a copy in other locations under Program Files.
It also automatically runs at startup, blocks access to any security-related websites, registers itself as a service, disables any antivirus/security services, and more. It’s a nasty one to get rid of, but the payload that it carries is not that hurtful in terms of damage.
April 1 2009
On April 1st, the worm will attempt to access pre-computed domain names to either download an updated copy of itself or download other malware. This is what you have to watch out for with these types of worms because “other malware” could be anything and it could wreak havoc on your system.
Security experts are urging users to update their anti-virus before April 1st and to make sure that their systems are clean. Below are a few ways to determine if you have the worm:
Look For Disabled Services
Below are some services the worm disables, if any of these are disabled that you did not disable yourself – you could be infected:
* wscsvc – Security Center
* WinDefend Windows Defender (available in Vista)
* wuauserv – Automatic Updates
* BITS – Background Intelligent Transfer Service
* ERSvc – Error Reporting Service
* WerSvc – Windows Error Reporting Service (available in Vista)
Removed Restore Points
The worm removes all system restore points. If you have no system restore points, you may be infected.
Removal of Windows Security Center
If the following registry entry is missing, you could be infected:
We highly recommend that you take a look at our article on protecting yourself from the elements as a way to protect your system from malware, spyware, and more.