FAQ: Conficker worm

The facts on the Conficker worm.

Conficker is a worm that has been spreading to computers through the internet for months, and computer security experts estimate that millions of machines are infected.

There are other worms crawling the internet, but this one has made headlines in recent weeks because the latest variant of the worm, Conficker C, which was noticed in early March, is expected to launch some sort of attack on April 1, 2009 (it will check the date on a number of internet sites, so changing the date on the computer itself isn't a safeguard).

Computer security experts don't yet know what actions computers infected with Conficker C will be asked to perform and might not know until April 1.

Conficker infects computers running various versions of Microsoft Windows, especially those that have not been patched with a security upgrade issued by Microsoft in October. Once it has its "command and control" instructions, the infected computer becomes part of a "botnet" of many infected computers that take orders from those who control them, and as such, it might gather personal information, install malicious software on the computer and attack or infect other computers.

A group of internet groups and businesses led by Microsoft has offered a $250,000 US reward for information leading to the arrest of those responsible, but in the meantime, they're also urging people to make sure they have proper Windows security updates and anti -virus software installed.

Here are some things you should know about Conficker:

Names it goes by:

  • Conficker
  • DownadUp
  • Kido

Less-common aliases:

  • Worm:Win32/Conficker.A (Microsoft) 
  • Crypt.AVL (AVG) 
  • Mal/Conficker-A (Sophos) 
  • Trojan.Win32.Pakes.lxf (F-Secure) 
  • Trojan.Win32.Pakes.lxf (Kaspersky) 
  • W32.Downadup (Symantec) 
  • Worm:Win32/Conficker.B (Microsoft) 
  • WORM_DOWNAD.A (Trend Micro)

What can it do?

The worm disables Windows Automatic Updates and the Windows Security Center.

It makes the computer part of a "botnet" of other infected computers. A botnet, or robot network, is a group of web-linked computers — sometimes called zombies — that have been commandeered, in some instances by criminals, to perpetrate all kinds of online nastiness. Typically, a "bot" is installed on a machine through a trojan, an insidious program that can find its way into an insufficiently protected computer in a variety of ways, such as when a user clicks on a link to an infected web page or e-mail message, views an infected document, or runs an infected program. Once the bot has made itself at home, it "opens the doors" of its new host computer to its master, who can instruct the machine to engage in various nefarious activities, such as sending out spam and phishing emails or launching the distributed denial of service, or DDOS, attacks.

Conficker can gather personal information, install malicious programs on the computer and send spam to other computers. 

One symptom that might indicate you are infected with the worm, according to security company Symantec, is finding that your computer is blocked from accessing the websites of most security companies.

Difference between a virus and a worm:

A virus is a small program that enters your computer inside a file that is written to alter the way a computer operates. Viruses replicate and can cause system crashes and data loss.

A worm is a type of virus that enters a computer through a weakness in the computer system and multiplies by using network flaws. Worms can replicate from system to system without the host file.

Who is vulnerable?

Windows users who haven't installed the proper Microsoft security patches and updates.

Computers that don't have up-to-date anti-virus protection.

Why the concern?

Conficker's early versions have already spread to several million computers (some estimates in March 2009 put the infection rate at around 12 million machines), and machines that had the older versions of the worm have been upgrading themselves to the Conficker-C version to protect themselves from detection and removal.

The "C" version is scheduled to come alive on April 1. At that time, copies of the malicious code on infected computers will try to generate and connect to 500 web URLs a day from a group of 50,000 across 110 domains around the world, including .ca, while trying to reach a "command and control" domain for further instructions. But nobody knows what, if anything, it will do at that point. It might use the "botnet" of computers to distribute spam or malware, or it might do nothing at all.

Who's fighting it?

A consortium of security companies and internet service providers called the "Conficker Cabal" is working to disable the worm.

Microsoft has offered a $250,000 US bounty to find the Conficker creator.

Canada's Internet Registration Authority is trying to block domains generated in Conficker code that fall in the .ca top-level domain from being used.

Compiled by Sheila Whyte, CBC News