Wed Jan 21, 2009 11:33AM EST
Judging from the complaints and questions filling my inbox, Windows security looks like it's already on track for its worst year this decade. The latest attack is a worm called Downandup, Downadup, Kido!, or Conficker (all the same thing), and it seems to be delivered primarily via infected USB drives.
How's it work? It modifies the way "autorun" works when you plug in a drive, tricking you into running the virus yourself. Look closely at the screenshot above and you'll see two entries for "Open folder to view files." The one at the top is a phony entry that actually installs the virus on your machine... but of course it's the default selection that pops up when you plug in a drive. Once installed, the virus spreads like crazy via a separate flaw in Windows' networking system (now patched, so be sure to run Windows Update if you haven't lately) and can quickly infect a whole office. F-Secure has more analysis on the clever way it tricks you into installing the malware yourself.
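As an added illustration (not code from this article or from F-Secure), here is a small Python check for the trick described above: it parses a drive's autorun.inf and flags an action label that copies the wording of the genuine "Open folder to view files" entry while the file also launches a command. The sample files, the payload name and the two heuristics are constructed assumptions.

```python
import re

# Wording of Explorer's genuine AutoPlay entry, as quoted in the article.
BUILTIN_LABEL = "open folder to view files"
COMMAND_KEYS = ("open", "shellexecute")  # autorun.inf keys that launch a program


def parse_autorun(text):
    """Return the [autorun] section as a dict (lower-cased keys); junk lines are skipped."""
    keys, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            in_section = header.group(1).strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            keys[key.strip().lower()] = value.strip()
    return keys


def assess(text):
    """Return a list of findings for one autorun.inf body (empty list = nothing flagged)."""
    keys = parse_autorun(text)
    findings = []
    command = next((keys[k] for k in COMMAND_KEYS if keys.get(k)), None)
    if command is None:
        return findings  # no program is launched, so there is nothing to disguise
    findings.append("runs a command from the drive: " + command)
    # Normalise case, spacing and a trailing period before comparing labels.
    label = re.sub(r"\s+", " ", keys.get("action", "")).strip().lower()
    if label.rstrip(".") == BUILTIN_LABEL:
        findings.append("action label imitates the built-in folder entry")
    return findings


# Constructed samples, not taken from a real infected drive.
SPOOFED = """; constructed example
[AutoRun]
Action=Open  folder to view files
ShellExecute=example_payload.exe
"""
BENIGN = """[autorun]
label=Vacation Photos
icon=photos.ico
"""
```

Calling `assess()` on the text of a drive's autorun.inf returns both findings for the spoofed sample and an empty list for the benign one.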
How bad has it gotten? Estimates range from 3.5 million infected in the first four days after it began spreading to 9 million impacted... and getting worse. By now I figure the numbers could top 15 or 20 million.
From an antivirus standpoint, fixing Downandup isn't easy. The worm is particularly problematic for two reasons. First, it gets the user to install the software, which bypasses auto-installation safeguards. Second, it has a sophisticated way of avoiding detection: it morphs its code constantly (using randomized elements), which makes traditional, signature-based detection almost impossible.
Your best strategy for avoiding Downandup? Turn off AutoPlay/AutoRun on your computer (with Windows XP, TweakUI is the easiest way to do it). If you do see an AutoPlay dialog box like the one above, just close it and eject the disc or thumbdrive; browsing the drive manually for individual files should keep you uninfected, but you're best off not using the drive at all. And of course, make sure your system is fully patched via Windows Update.
What if you already have Downandup infecting your machine? Try your standard antivirus utility as a fix. If that doesn't work, F-Secure has a removal tool that should get rid of it. Good luck out there.
Join in the discussion. Here you'll see the comments in the order they were posted.
So a user can migrate to Linux, all of their data and that's a breeze and they can't take a second and look and not install an app on a USB drive they never probably saw before? Yeah, right. Do yourself a real favor just follow these instructions if you're worried: http://www.us-cert.gov/cas/techalerts/TA09-020A.html There, the problem was REALLY solved!
...which is why I've never owned a PC. Why anybody would is beyond me.
Why is that I can't open any anti-virus site and Windows website, maybe I'm infected by this worm.. and I can't open the links posted here in this review..
per CERT: Technical Cyber Security Alert TA09-020A "Microsoft's guidelines for disabling AutoRun are not fully effective". It's likely TweakUI's fix is incomplete, and could be circumvented by this or another infection. Instead, follow this simple procedure: http://www.kb.cert.org/vuls/id/889747
OK, so there's a worm. The article doesn't describe the symptoms of infection. Or how you can check if your computer is infected, if your anti-virus software doesn't catch it. Not very helpful!
That's why I have a pretty white mac.
@ i.aredavide: Yup. Because we all know it's worthwhile to rob a bank that holds 10,000 in the vault, compared to robbing the federal reserve. (The marketshare comparison of Apple/Windows)
I installed and ran the mentioned removal tool above. Though, it scanned and said that no viruses could be detected or what not, so now I'm starting to think that my problem ISN'T this worm... but, I can't find any other explanation. The connection I used between my problem and this blog was the fact that my E drive doesn't work - out of nowhere. Am I looking in the totally wrong place?
Perhaps it goes without saying, but no one has happened to mention that computer viruses such as this one are not natural occurrences, but some person intentionally created them. What possible reason could a person have for writing such software, except that they are evil, and enjoy causing havoc to millions of innocent people? (I realize that some viruses are written for the purpose of stealing identities in order to steal your money, which is pure greed and disregard for other people's property, but this virus sounds like its intent is just to wreck stuff.) I hope the FBI or somebody is trying to trace the origin of this virus and catch the guy who wrote it. And I hope they throw him in jail for the rest of his life. If ever waterboarding should be allowed, it should be done on the people who write viruses.
1 Posted by petejd2003 on Thu Sep 3, 2009 8:07PM EDT
Install one of the free versions of Linux. Problem solved.