Malware Win32/Conficker.B W32.Downadup.B

So for the past 2 weeks now we in CSS Security here at MS are absolutely getting hammered with calls from organizations that have picked up this piece of malware.

You can find write-ups from various AV companies at the following URLs:

So the write-ups are all pretty good; some have details that the others don’t, etc.  We see a range of cases, from customers missing the patch to those who are completely patched but are still seeing this piece of malware causing issues in their environment.  The interesting thing about this piece of malware is that it really singles out organizations that have not done a good job with their security policies/procedures.  The MMPC group made a post about this piece of malware where they linked Jesper’s password paper from 2005!!! This guidance and similar guidance has been out for 3+ years now and we still have customers that aren’t following it.  I sometimes wonder if we should just push out a “critical update” that applies to all DCs and updates their Default Domain and Default Domain Controller Policies for them to something more acceptable 🙂 of course we would probably pull a lot of flak for that 🙂 . /Rant Off

So things you should look at doing if you are hit with this:

  1. Disable Account Lockouts: You are already jacked, so why make it worse by leaving the account lockout policy in place while the worm’s password guessing locks your legitimate users out?

  2. If you are not patched (especially with MS08-067) do so immediately.

  3. Find a machine that you know is infected and see if your AV will clean it up with the latest definitions/client.  If it is not cleaning it, open a case with your AV vendor as well; they are the ones who are going to update definitions to properly detect/remove the malware in the environment (believe me, you want this instead of manually running around cleaning off systems).

  4. Enable Password Complexity: Like the Account Lockouts, this is in your Default Domain Policy.  If you don’t have it enabled, odds are you have 10+% of your population using one of the weak passwords on the list from those write-ups on the malware, and if you have users with those passwords you are still going to have issues with the malware spreading.  Oh, and maybe you should get someone working on that org-wide email explaining to your users the new password policy, like X characters and how they need 3 of the 4 character classes (special characters/upper/lower/numbers).  You probably also want to look into scripts/tools to expire accounts (selectively, so you don’t whack things like service accounts you aren’t ready to change).  Check out Joeware’s oldcmp and expire utilities: with oldcmp you can dump selectively based on OU targeting to get lists of users’ password age, and then pass the lists to the expire utility to force password changes across groups of users.  Or if you’re a masochist you can just expire them all and deal with the consequences.

  5. Password Complexity on local accounts: Is the password on your local Administrator accounts something on that list from the write-ups? If so you had better get it changed.

  6. Share Permissions: This one is more complex to explain.  Basically, for any network share that you know multiple users map drives to, you need to have the permissions locked down in this fashion: at the root of the share remove Write/Modify access for Everyone, but allow them full control of the contents of the subfolders in the share.  The way the malware works is that if you have, say, an N: drive mapped to \\FILE01\Data it will drop malware.exe in N: and an autorun.inf in the same N: pointing to malware.exe.  The next user that is mapped to the same N: drive double-clicks the drive icon and runs malware.exe (ok, yes, this can be mitigated by AutoRun settings, but do you know those are set on your clients? Maybe a good idea for a GPO setting those as well 🙂 )

  7. Stop logging into infected machines with Domain Admins:  One characteristic of the malware is that it can use impersonation and can sit in the Run key so that it runs under the logged-on user’s context.  So when you log in on that infected system with your DA account, guess what: you just helped it spread without it needing to guess passwords, use a vulnerability, etc., because hey, it’s all allowed under your privileges.
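As an added example (not from the original post and not a Microsoft tool) of the share-permission and AutoRun checks in step 6, this PowerShell audit takes a list of share roots (the \\FILE01\... names are placeholders), flags write-type rights granted to broad groups on the root folder itself, reports any autorun.inf sitting in the root along with the target it would launch, and checks the client-side NoDriveTypeAutoRun policy value that an AutoRun GPO sets.

```powershell
# Added example, not from the original post: audit the share roots users map as
# drives (step 6). Reports broad write rights on the root itself and any
# autorun.inf in the root with the target it would launch. Share names are
# placeholders; replace them with your own.
$ShareRoots = @('\\FILE01\Data', '\\FILE01\Public')          # assumed names
$BroadPrincipals = 'Everyone', 'Authenticated Users', 'Domain Users'
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-ShareRootExposure {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "$root is not reachable"
            continue
        }
        # (a) write-type rights granted to a broad group on the root folder
        $acl = Get-Acl -LiteralPath $root
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value.Split('\')[-1]
            if ($ace.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $who -and
                (($ace.FileSystemRights -band $WriteRights) -ne 0)) {
                [pscustomobject]@{ Share = $root; Finding = 'BroadWriteOnRoot'
                                   Detail = "$($ace.IdentityReference): $($ace.FileSystemRights)" }
            }
        }
        # (b) autorun.inf dropped in the root; -Force also reads a hidden copy
        $inf = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            $targets = Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue |
                ForEach-Object {
                    if ($_ -match '^\s*(open|shellexecute|shell\\\w+\\command)\s*=\s*(.+)$') {
                        $Matches[2].Trim()
                    }
                }
            [pscustomobject]@{ Share = $root; Finding = 'AutorunInfOnRoot'
                               Detail = ($targets -join '; ') }
        }
    }
}

# Client side: the value the AutoRun GPO sets; 0xFF disables AutoRun on every drive type
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($val -ne 0xFF) { Write-Warning "NoDriveTypeAutoRun is '$val' on this client (expected 0xFF)" }

Test-ShareRootExposure -Roots $ShareRoots | Format-Table -AutoSize
```

Run it from an account that can read the share ACLs; a BroadWriteOnRoot finding means anyone who maps the share can drop files (and an autorun.inf) where the next user double-clicks.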

I may add more to this later, as it’s getting late my time and I’m sure it’s going to be another long day tomorrow.  Hopefully this helps someone.

Comments (17)

  1. Kurt Falde says:

    Well, as for FCS, we were actually one of, if not the, first AV company to have any detection whatsoever for the .B variant of this.  In some senses our product is very 1.0ish at times 🙂 especially in regards to areas like working hand in hand with a firewall etc.  During the last two weeks though I have worked multiple cases that included at least 4+ other major AV companies, and in every case the ACLs on the files combined with the rootkit capabilities of this piece of malware were evading detection/removal.  During the end of this past week, however, the AV companies appear to be finally catching up.

  2. Kurt Falde says:

    No specific removal tools.  Trend Micro does have a sysclean utility which is like a command line scanner you can use with their definitions which seems to be working ok in some sites.

  3. tower defense says:

    I do update my PC on my network and also update the antivirus scanner, but it always shows me there’s someone with the virus. Does anyone have a clue how to contain it or avoid more copies of it?

  4. nimdadotenc says:

    Great article!

    Lots of problems trying to ID the file that’s causing the behavior (if your AV isn’t picking it up), since this is being repacked and redistributed to avoid detection.

    In most cases it creates a scheduled task pointing right to the offending file. So check C:\windows\tasks and see what file it’s pointing to, and get that file to your AV vendor for new dat files.

    Thanks again

  5. Phoenix Mudrij says:

    We have this virus in our network. Do you know any specific removal tool for this virus? Because our AV provider doesn’t have any treatment for this virus.

  6. Jim Baine says:

    It’s a pity that MSFCS, like other major endpoint security vendors, doesn’t protect against behavioural targeting threats such as the B worm…. maybe folks using MSFCS would then not be making the many calls to MS?

  7. Jim Baine says:

    Great article though! I like your "context" and frankness….

  8. Jim Baine says:

    The virus is actually a rootkit, therefore use GME as part of your tool kit to detect it, and then use up-to-date virus defs to remove it or follow the manual instructions on your AV/malware product vendor’s website….

  9. raymundo says:

    Anyone know how to contain the bloody virus?? I do update my PC on my network and also update the antivirus scanner, but it always shows me there’s someone with the virus. Does anyone have a clue how to contain it or avoid more copies of it??

  10. Jim Baine says:

    Symantec has released a cleanup utility that will remove the virus from infected computers.

    The Removal Tool does the following:

    · Terminates the associated processes
    · Deletes the associated files
    · Deletes the registry values added by the threat
    · Removes the scheduled jobs created by the worm
    · Re-enables Windows Update

    This fix will work on any computer; you don’t need to have SAV installed for it to work.

    Also, the fix has been released with command line switches… we can run it silently with no reboot.   So we should be able to set up Altiris jobs to run the fix automatically.

    Please see this link for more information and a download link:

  11. RBailey says:

    Have found perhaps a variant today that nothing seems to be able to clean up.  Some AV software is cleaning up the service that gets created, but is not repairing service.exe.

    Nasty little bug.

  12. Extremesecurity says:

    Did Downadup/conficker attack your network? I’ve created a batch file for system administrators to clean/patch/cure infected systems in their networks.

    Check it out here:

  13. Igoy says:

    I found that the B variant keeps coming back even after cleanup using the Symantec FixTool. I had to erase all of the services it registered in the Registry manually.

  14. tesseeb says:

    You MUST disable System Restore on your PCs.  Until we did that with a group policy, it just kept coming back.  We would run the clean-up tools and frequent full system scans that came back clean, and it would reappear hours later.  And set your AV scan defaults to delete as the first attempt and quarantine as the second.

  15. Manic says:

    What passwords does it attempt? Is there a pre-defined list?

  17. majk says:

    I used the remover from and it worked great