What is conficker virus?

What exactly is conficker virus?

  • Could anyone please tell me what exactly this Conficker virus is? How can it damage the computer if it's affected? How would you know whether the computer is affected? Which is the best anti-virus software that I should install in order to protect my computer from any kind of viruses?

  • Answer:

    Conficker, also known as Downup, Downadup and Kido, is a computer worm that surfaced in October 2008 and targets the Microsoft Windows operating system. The worm exploits a previously patched vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta, and Windows Server 2008 R2 Beta. The worm has been unusually difficult for network operators and law enforcement to counter because of its combined use of advanced malware techniques.

    EFFECT: Upon infection, the worm saves a copy of its DLL form to a random filename in the Windows system folder, then arranges to load itself thereafter at boot as a system service with a randomly generated name.

    Symptoms

    * Account lockout policies being reset automatically.
    * Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services disabled.
    * Domain controllers responding slowly to client requests.
    * Unusual amounts of traffic on local area networks.
    * Websites related to antivirus software becoming inaccessible.[14]

    Removal

    On October 15, 2008, Microsoft released an emergency out-of-band patch to fix vulnerability MS08-067, which the worm exploits to spread. This patch was released prior to the release of the Conficker worm. Removal tools are available from Microsoft, BitDefender, Paretologic, Enigma Software, ESET, F-Secure, Symantec, Sophos, and Kaspersky Lab, while McAfee and AVG can remove it with an on-demand scan. While Microsoft has released patches for the later Windows XP Service Packs 2 and 3 and Windows 2000 SP4 and Vista, it has not released any patch for Windows XP Service Pack 1 or earlier versions (excluding Windows 2000 SP4), as the support period for these service packs has expired.

    Since the virus can spread via USB drives that trigger AutoRun, disabling the AutoRun feature for external media (through modifying the Windows Registry) is recommended. However, the United States Computer Emergency Readiness Team (CERT) describes Microsoft's guidelines on disabling Autorun as being "not fully effective," and they provide their own guides. CERT has also made a network-based tool for detecting Conficker-infected hosts available to federal and state agencies. Microsoft has released a removal guide for the worm via the Microsoft website.

Gayathri at Yahoo! Answers


Other answers

It's a virus that comes into PCs and Macs that disables your security so it can infect everything. Then it takes instructions from online on April 1st... we're not sure what it is. If you have like an antivirus like Avast you're fine.

Zach [Attack]

Dear Friend, if you are noticing the following symptoms in your PC:

The worst part is that you might not even notice your computer has been infected. But if you see any of the following symptoms, it’s time to take action:

  • Automatic updates have been turned off without your permission.
  • The Internet seems to be slow; the network takes a long time to open websites.
  • You cannot access anti-virus or anti-spam websites.

Clean your system immediately:

  • Step 1: Visit http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
  • Step 2: Check out the list of operating systems and go to the download centre relevant to your OS.
  • Step 3: Click on the file and it will attempt to update the Windows protection on your computer. Once updated, the computer will prompt you that the patch has been installed.

http://www.enigmasoftware.com/ Download the free anti-virus Cfremover from this link and do the scan now. Good luck.

lavsrilav

Conficker, also known as Downup, Downadup and Kido, is a computer worm that surfaced in October 2008 and targets the Microsoft Windows operating system. The worm exploits a previously patched vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta, and Windows Server 2008 R2 Beta. The worm has been unusually difficult for network operators and law enforcement to counter because of its combined use of advanced malware techniques.

Although the origin of the name "conficker" is not known with certainty, Internet specialists and others have speculated that it is a German portmanteau fusing the term "configure" with "ficken", the German word for "****." Microsoft analyst Joshua Phillips describes "conficker" as a rearrangement of portions of the domain name 'trafficconverter.biz'.

EFFECT:

Upon infection, the worm saves a copy of its DLL form to a random filename in the Windows system folder, then arranges to load itself thereafter at boot as a system service with a randomly generated name. Variant C of the worm resets System Restore points and disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.[12] Processes matching a predefined list of antiviral, diagnostic or system patching tools are watched for and terminated.[13] An in-memory patch is also applied to the system resolver DLL to block lookups of hostnames related to antivirus software vendors and the Windows Update service.

Symptoms

* Account lockout policies being reset automatically.
* Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services disabled.
* Domain controllers responding slowly to client requests.
* Congestion on local area networks.
* Web sites related to antivirus software becoming inaccessible.[14]

Automated detection

The worm makes several in-memory patches to NetBIOS-related DLLs in order to open re-infection backdoors. On 27 March 2009 Dan Kaminsky, Tillmann Werner and Felix Leder discovered that this gives infected hosts a detectable signature when scanned remotely.[15] Signature updates for a number of network scanning applications are now available, including Nmap and Nessus.

AUTHOR: GAGANDEEP SETHI

Ravi

It's a worm which spreads via Svchost.exe in Windows-based operating systems. To be safe and secure against this worm, update your antivirus software and scan your computer, as all antivirus companies have released updates for this worm. After that you need to install a Microsoft patch. For more information visit http://www.iyogi.ca

Roger J

Businesses worldwide are under attack from a highly infectious computer worm that has infected almost 9 million PCs, according to antivirus company F-Secure. That number has more than tripled over the last four days alone, says F-Secure, leaping from 2.4 million to 8.9 million infected PCs.

Once a machine is infected, the worm can download and install additional malware from attacker-controlled Web sites, according to the company. Since that could mean anything from a password stealer to remote control software, a Conficker-infected PC is essentially under the complete control of the attackers.

According to the Internet Storm Center, which tracks virus infections and Internet attacks, Conficker can spread in three ways. First, it attacks a vulnerability in the Microsoft Server service. Computers without the October patch can be remotely attacked and taken over. Second, Conficker can attempt to guess or 'brute force' Administrator passwords used by local networks and spread through network shares. And third, the worm infects removable devices and network shares with an autorun file that executes as soon as a USB drive or other infected device is connected to a victim PC.

Conficker and other worms are typically of most concern to businesses that don't regularly update the desktops and servers in their networks. Once one computer in a network is infected, it often has ready access to other vulnerable computers in that network and can spread rapidly. Home computers, on the other hand, are usually protected by a firewall and are less at risk. However, a home network can suffer as well. For example, a laptop might pick up the worm from a company network and launch attacks at home.

The most critical and obvious protection is to make sure the Microsoft patch is applied. Network administrators can also use a blocklist provided by F-Secure to try and stop the worm's attempts to connect to Web sites. And finally, you can disable Autorun so that a PC won't suffer automatic attack from an infected USB drive or other removable media when it's connected. The Internet Storm Center links to one method for doing so at http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html, but the instructions involve changing the Windows registry and should only be attempted by administrators or tech experts. Comments under those instructions also list other potential methods for disabling autorun.

CA pp jain

General

Methods of propagation:
  • Local network
  • Mapped network drives

Aliases:
  • Symantec: W32.Downadup.B
  • Kaspersky: Net-Worm.Win32.Kido.fw
  • F-Secure: Worm:W32/Downadup.gen!A
  • Sophos: Mal/Conficker-A
  • Panda: Trj/Downloader.MDW
  • Grisoft: I-Worm/Generic.CJY
  • Eset: a variant of Win32/Conficker.AE worm
  • Bitdefender: Win32.Worm.Downadup.Gen

Similar detection:
  • Worm/Kido

Platforms / OS:
  • Windows 95
  • Windows 98
  • Windows 98 SE
  • Windows NT
  • Windows ME
  • Windows 2000
  • Windows XP
  • Windows 2003

Side effects:
  • Registry modification
  • Makes use of software vulnerability
  • Third party control

Files

It copies itself to the following locations:
  • %all shared folders%\RECYCLER\S-%number%\%random character string%.vmx
  • %ProgramFiles%\Internet Explorer\%random character string%.dll
  • %ProgramFiles%\Movie Maker\%random character string%.dll
  • %System%\%random character string%.dll
  • %Temp%\%random character string%.dll
  • %ALLUSERSPROFILE%\Application Data\%random character string%.dll

The following file is created:
  – %all shared folders%\autorun.inf
    This is a non malicious text file with the following content:
      • %random comments%
        shellexecute rundll32.exe %paths and filenames of malware copies%,%random character string%
        %random comments%

Registry

The following registry keys are added in order to load the service after reboot:
  – HKLM\SYSTEM\CurrentControlSet\Services\%… words%\ Parameters\
      • "ServiceDll" = "%paths and filenames of malware copies%"
  – HKLM\SYSTEM\CurrentControlSet\Services\%… words%\
      • "ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
        "Type" = "4"
        "Start" = "4"
        "ErrorControl" = "4"

The following registry keys are changed:
  – [HKLM\SYSTEM\CurrentControlSet\Services\…
      Old value:
      • "Start"=dword:00000003
      New value:
      • "Start"=dword:00000004
  – [HKLM\SYSTEM\CurrentControlSet\Services\…
      Old value:
      • "Start"=dword:00000003
      New value:
      • "Start"=dword:00000004
  – [HKLM\SYSTEM\CurrentControlSet\Services\…
      Old value:
      • "Start"=dword:00000003
      New value:
      • "Start"=dword:00000004
  – [HKLM\SYSTEM\CurrentControlSet\Services\…
      Old value:
      • "Start"=dword:00000003
      New value:
      • "Start"=dword:00000004
  – HKCU\Software\Microsoft\Windows\CurrentV…
      New value:
      • "Hidden"=dword:00000002
        "ShowCompColor"=dword:00000001
        "HideFileExt"=dword:00000000
        "DontPrettyPath"=dword:00000000
        "ShowInfoTip"=dword:00000001
        "HideIcons"=dword:00000000
        "MapNetDrvBtn"=dword:00000000
        "WebView"=dword:00000000
        "Filter"=dword:00000000
        "SuperHidden"=dword:00000000
        "SeparateProcess"=dword:00000000

Network Infection

In order to ensure its propagation the malware attempts to connect to other machines as described below.

IP address generation: It creates random IP addresses while it keeps the first three octets from its own address. Afterwards it tries to establish a connection with the created addresses.

Infection process: It makes the compromised machine download the malware from the infected source computer. The downloaded file is stored on the compromised machine as: .\RECYCLER\S-%number%\%random character string%.vmx

Hosts

  – Access to the following domains is effectively blocked:
      • ahnlab; arcabit; avast; avg.; avira; avp.; bit9.; ca.; castlecops; centralcommand; cert.; clamav; comodo; computerassociates; cpsecure; defender; drweb; emsisoft; esafe; eset; etrust; ewido; f-prot; f-secure; fortinet; gdata; grisoft; hacksoft; hauri; ikarus; jotti; k7computing; kaspersky; malware; mcafee; microsoft; nai.; networkassociates; nod32; norman; norton; panda; pctools; prevx; quickheal; rising; rootkit; sans.; securecomputing; sophos; spamhaus; spyware; sunbelt; symantec; threatexpert; trendmicro; vet.; virus; wilderssecurity; windowsupdate

Miscellaneous

Internet connection: In order to check for its internet connection the following DNS servers are contacted:
  • http://www.getmyip.org
  • http://www.whatsmyipaddress.com
  • http://getmyip.co.uk
  • http://checkip.dyndns.org

Checks for an internet connection by contacting the following web sites:
  • baidu.com; google.com; yahoo.com; msn.com; ask.com; w3.org; aol.com; cnn.com; ebay.com; msn.com; myspace.com

File patching: In order to increase the number of maximum connections it has the capability to modify the tcpip.sys. It may result in a corruption of that file and break network connectivity.

Rootkit Technology

It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user. Method used:

Martial H
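
The registry changes listed in the answer above (a `svchost.exe -k netsvcs` service whose `Parameters\ServiceDll` points at a randomly named DLL, and services whose `Start` value has been set to 4) can be checked for in saved `reg query ... /s` output. The following is an added example, not part of any answer on this page; the service key names in `WATCHED`, the sample output and the baseline DLL set are assumptions made for illustration.

```python
import re

# Constructed `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` output (all values made up).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs
    Start    REG_DWORD    0x4

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\wuaueng.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqmvt
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqmvt\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\qzpwor.dll
"""

# Assumed key names (not given on the page) for the services the answers list as
# disabled: Automatic Updates, BITS, Windows Defender, Error Reporting.
WATCHED = {"wuauserv", "bits", "windefend", "ersvc", "wersvc"}
SVC_ROOT = "hkey_local_machine\\system\\currentcontrolset\\services\\"

def parse_reg_query(text):
    """Parse `reg query <key> /s` output into {lowercased key path: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif line.strip() and current is not None:
            parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)  # name, type, data
            if len(parts) >= 2:
                current[parts[0].lower()] = parts[2] if len(parts) == 3 else ""
    return keys

def triage(text, known_dlls):
    """Return sorted (service, finding) pairs; known_dlls = ServiceDll file names from a clean build."""
    keys, findings = parse_reg_query(text), []
    for path, vals in keys.items():
        if not path.startswith(SVC_ROOT) or "\\" in path[len(SVC_ROOT):]:
            continue  # look only at top-level service keys, not their subkeys
        name = path[len(SVC_ROOT):]
        if name in WATCHED and int(vals.get("start", "0x0"), 16) == 4:
            findings.append((name, "security service disabled"))
        dll = keys.get(path + "\\parameters", {}).get("servicedll", "")
        if "-k netsvcs" in vals.get("imagepath", "").lower() and dll:
            if dll.lower().rsplit("\\", 1)[-1] not in known_dlls:
                findings.append((name, "netsvcs ServiceDll not in baseline: " + dll))
    return sorted(findings)
```

Because the DLL and service names are random, the check compares against a baseline taken from a known-clean build of the same Windows version rather than matching any fixed name.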
