Windows worm spreads rapid infection but may be a dud

19 Jan 2009

Businesses worldwide are under attack from a highly infectious computer worm that has infected almost 9 million PCs, says antivirus company F-Secure.

That number has more than tripled over the last four days alone, says F-Secure, leaping from 2.4 million to 8.9 million infected PCs.

Once a machine is infected, the worm can download and install additional malware from attacker-controlled web sites, according to the company. Since that could mean anything from a password stealer to remote control software, a Conficker-infected PC is essentially under the complete control of the attackers.

Downadup is a malicious worm that uses computer or network resources to make complete copies of itself, and may also carry code or other malware that damages both the computer and the network. The worm also goes by the names "Kido" and "Conficker."

Once executed, Downadup disables a number of system services, including Windows Automatic Update, Windows Security Center, Windows Defender, and Windows Error Reporting. The worm then connects to a malicious server, where it downloads additional malware to install on the infected computer.

But the virus doesn't appear to be working as its designers intended. F-Secure's chief security adviser, Patrik Runald, said the virus's code suggests it was built as the type of bug that alerts computer users to bogus infections on their machines and offers to help by selling them antivirus software.

Instead, the virus is simply spreading to little effect, though it may still pose a threat to infected computers. F-Secure's chief research officer Mikko Hypponen has been quoted as saying, "The gang behind this worm haven't used it yet. But they could do anything they like with any of these machines at any time."

Microsoft issued a security update last week to deal with the so-called "Downadup" or "Conficker" virus, which appears to be a new version of a bug that popped up in October.

"Over the last couple of weeks, a new variant of this worm has been affecting customers," it acknowledged in a blog post. Microsoft said the virus is spreading by gaining access to one computer and then guessing at the passwords of other users on the same network: "If the password is weak, it may succeed."

Most computers with Windows will automatically download Microsoft's security update, but Hypponen said the virus disables updates on infected machines.

While the origin of the virus is a mystery, F-Secure's best guess is it came from Ukraine. Hypponen said it is coded to avoid computers there, which may indicate whoever wrote the virus was trying to avoid drawing attention from local authorities.

Protection against the worm
The most critical and obvious protection is to make sure the Microsoft patch is applied. Network administrators can also use a blocklist provided by F-Secure to try to stop the worm's attempts to connect to Web sites.

And finally, you can disable Autorun so that a PC won't suffer automatic attack from an infected USB drive or other removable media when it's connected.
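An added example, not code from the article or from F-Secure: a read-only PowerShell check that a defender can run on a Windows host to see whether the services the worm is described as disabling (Automatic Update, Security Center, Defender, Error Reporting) are still enabled, and whether Autorun is switched off for every drive type. The service short names and the NoDriveTypeAutoRun registry value are assumed from standard Windows installs of that era.

```powershell
# Added example (not from the article or F-Secure). Read-only check for the
# two host-level signals the article discusses: the Windows services the worm
# disables, and whether Autorun is fully switched off for removable media.
# Service short names below are assumed from standard XP/Vista-era installs.
$wormTargets = @{
    'wuauserv'  = 'Windows Automatic Update'
    'wscsvc'    = 'Windows Security Center'
    'WinDefend' = 'Windows Defender'
    'ERSvc'     = 'Windows Error Reporting (XP)'
    'WerSvc'    = 'Windows Error Reporting (Vista and later)'
}

function Get-WormServiceState {
    foreach ($name in $wormTargets.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }   # not present on this OS version; skip
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        [pscustomobject]@{
            Service    = $wormTargets[$name]
            Status     = $svc.Status
            StartMode  = $wmi.StartMode
            # A protective service forced to 'Disabled' is the symptom to chase
            Suspicious = ($wmi.StartMode -eq 'Disabled')
        }
    }
}

function Test-AutorunDisabled {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    # 0xFF disables Autorun on all drive types; any other value (or no value)
    # leaves some media able to launch code automatically when connected.
    return ($null -ne $item -and $item.NoDriveTypeAutoRun -eq 0xFF)
}

Get-WormServiceState | Format-Table -AutoSize
if (Test-AutorunDisabled) {
    'Autorun is disabled for all drive types.'
} else {
    'Autorun is NOT fully disabled: set NoDriveTypeAutoRun (DWORD) to 0xFF under ' +
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer and reboot.'
}
```

Run it from an elevated prompt; a service reported as Disabled that you did not disable yourself is a reason to pull the host off the network and inspect it before applying the patch.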