Technology & Science

Conficker worm still a threat despite lack of April Fool's action: security firms

An internet worm that has computer and internet organizations worldwide up in arms against it had not yet revealed its next move by mid-Wednesday, but it should still be considered a threat, security firms say.

An internet worm that has computer and internet organizations worldwide up in arms against it had not yet revealed its next move by mid-Wednesday, but it should still be considered a threat, security firms say.

What to do if your computer is infected with Conficker

Conficker has a feature that prevents a user on an infected machine from accessing a security site to get a fix tool. To get around that, Symantec recommends doing the following:

  • Go to Command Prompt and type "net stop dnscache," which disables the DNS cache. 
  • You will get a message that the DNS client service is stopped.
  • You can now proceed to access the security website or download the fix tool.

Conficker C, the latest version of a worm also known as the "Downandup" worm, was scheduled to start using infected computers on April 1 to contact servers on the internet for further instructions or updates from its masters.

As of noon, computer security firms Symantec and Websense reported that there had been limited activity from the worm Wednesday.

"Conficker should still be considered a serious threat, however," said a statement from Websense. "There are millions of machines that are infected and the capability is definitely there for attackers to use the network for nefarious purposes."

Conficker's updated instructions might ask infected computers to gather personal information, install malicious programs on the computer, or attack or infect other computers.

Symantec, which makes Norton Antivirus, said it would continue to monitor for activity.

"Keep in mind that these systems could be updated on any date after April 1," the company said in its email update.

Symantec noted that Conficker C can interfere with an infected computer's ability to download security software, but the company is providing instructions as to how to get around that (See sidebar).

Websense suggested that the attackers could also be planning a new, more sophisticated variant of the worm.

At least 12 million computers around the world have already been infected since autumn, and Microsoft has announced a $250,000 US reward for information leading to the capture of the Conficker authors.

"What it's going to do from now on is definitely a mystery," Matthew McGlashan, a security analyst with the Australian Computer Emergency Response Team, told CBC News.

The latest variant of the worm, Conficker C, which was noticed in early March, is expected to launch its attack once the system date on an infected machine is on — or after — April 1, 2009.

At that time, copies of the malicious code on infected computers will try to generate and to connect to 500 web URLs a day from a group of 50,000 URLS across 110 domains around the world, including .ca, while trying to reach a "command and control" domain for further instructions.

Once it has its "command and control" instructions, the infected computer becomes part of a "botnet" of many infected computers that take orders from those who control them, and as such, it may gather personal information, install malicious programs on the computer, and attack or infect other computers.

Conficker infects computers running various versions of Microsoft Windows, especially those that have not been patched with a security upgrade issued by Microsoft in October.