Malicious computer software known as Conficker or Downadup has infected millions of computers worldwide and is gaining momentum. Some of the infections have occurred at The University of Arizona. Nearly all Microsoft Windows-powered computers can be compromised by Conficker. Computer security researchers expect that Conficker will enable unauthorized people to gain control of infected computers and the data on them.
Conficker spreads in several ways. If an infected computer is connected to a network, Conficker will immediately scan the network looking for a particular vulnerability and use it to gain access to another Windows computer. It can also gain access to a networked computer by guessing the password. Lastly, it can copy itself to any removable USB-based device, such as a flash drive or camera. It is then executed when inserted in another computer that has been configured to automatically play USB-based devices. This flexibility means that more than one defensive measure is needed to minimize the risk of infection.
Windows users should take the following steps (after checking with local technical support for any UA-owned computer):
- Update the operating system regularly to ensure the MS08-067 patch and any future critical security patches are installed, and reboot the computer as required.
- Use strong computer passwords.
- Run antivirus software. Free Sophos software is available for students, faculty and staff (see link below).
- Update the antivirus software regularly.
- Configure the antivirus for on-access scanning of all files. (This is the Sophos default configuration.)
The following steps are advisable but not crucial:
- Turn on Windows Firewall (turned on by default in XP Service Pack 2 update and in Vista).
- Disable Autoplay and Autorun (with caution).
- Disable file sharing (with caution).
These measures will help whether or not your computer or USB drive is infected. However, if your antivirus software detects Conficker but does not remove it, you will need to use Microsoft's Malicious Software Removal Tool.
See below for links for the Malicious Software Removal Tool, general information on Conficker, and instructions for each of the defensive measures.
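An added example, not part of the original advisory or of Microsoft's instructions: a read-only PowerShell check that reports which drive types have AutoRun disabled by the NoDriveTypeAutoRun registry value named in the resources below. The function names are hypothetical, the bit meanings are taken from Microsoft's documentation for this value, and the value is assumed to be stored as a DWORD.

```powershell
# Added example: read-only audit of the NoDriveTypeAutoRun policy value.
# Bit meanings are from Microsoft's documentation for this value.
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'Unknown drive types' },
    @{ Bit = 0x04; Name = 'Removable drives (USB flash drives, cameras)' },
    @{ Bit = 0x08; Name = 'Fixed drives' },
    @{ Bit = 0x10; Name = 'Network drives' },
    @{ Bit = 0x20; Name = 'CD-ROM drives' },
    @{ Bit = 0x40; Name = 'RAM disks' },
    @{ Bit = 0x80; Name = 'Unknown drive types (reserved bit)' }
)

# Hypothetical helper: decode a NoDriveTypeAutoRun value into per-drive-type status.
function Get-AutoRunCoverage {
    param([Parameter(Mandatory = $true)][int]$Value)
    foreach ($t in $DriveTypeBits) {
        [pscustomobject]@{
            DriveType       = $t.Name
            AutoRunDisabled = [bool]($Value -band $t.Bit)
        }
    }
}

# Hypothetical helper: return the value Windows applies. A machine-wide (HKLM)
# value takes precedence over the per-user (HKCU) one. Assumes a DWORD value.
function Get-EffectiveAutoRunPolicy {
    $sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $p = Get-ItemProperty -Path "$hive\$sub" -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -ne $p) {
            return [pscustomobject]@{ Source = $hive; Value = [int]$p.NoDriveTypeAutoRun }
        }
    }
}

# Constructed sample value, decoded offline to show the output format.
Get-AutoRunCoverage -Value 0x91 | Format-Table -AutoSize

$policy = Get-EffectiveAutoRunPolicy
if ($null -eq $policy) {
    Write-Output 'NoDriveTypeAutoRun is not set in HKLM or HKCU.'
} else {
    Write-Output ('{0} NoDriveTypeAutoRun = 0x{1:X2}' -f $policy.Source, $policy.Value)
    Get-AutoRunCoverage -Value $policy.Value | Format-Table -AutoSize
    if (($policy.Value -band 0x04) -eq 0) {
        Write-Warning 'AutoRun is still enabled for removable drives.'
    }
}
```

A value of 0xFF disables AutoRun for every drive type. The setting is only honored reliably once the enforcement correction described in the Microsoft article listed under Disabling Autoplay and Autorun has been applied.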
General Information
Operating System Update
- Auto Updates (select Windows XP or Vista) - turn Auto Updates on and configure them to automatically download and install recommended updates
- Microsoft - Vulnerability in Server Service Could Allow Remote Code Execution
Antivirus Software Installation, Configuration and Update
- Sophos Antivirus Software - free to all UA students, faculty and staff for work and personal home use
- UITS - Guide to Installing and Configuring Sophos Anti-Virus
Windows Firewall
- Microsoft - Windows Firewall - Turned on by default in XP Service Pack 2 update and in Vista
Disabling Autoplay and Autorun
- 95, 98 Standard & Millennium - Microsoft - How to Disable the Feature That Allows CD-ROMs and Audio CDs to Run Automatically
- XP & Vista: Microsoft - NoDriveTypeAutoRun and Microsoft - How to Correct "Disable Autorun Registry Key" Enforcement in Windows - For XP and Vista, this requires editing the registry key, the complete instructions for which are included in the two resources; PERFORM THIS STEP AT YOUR OWN RISK AND CONSULT WITH IT SUPPORT STAFF FIRST
- Alternative instructions for XP & Vista from the University of Kansas - PERFORM THIS STEP AT YOUR OWN RISK AND CONSULT WITH IT SUPPORT STAFF FIRST
Disabling File Sharing
Removal

