What Happens on April 1, 2009?
Systems infected with the latest version of Conficker will begin to use a new algorithm to determine what domains to contact. Microsoft has not identified any other actions scheduled to take place on April 1, 2009. It is possible that systems with the latest version of Conficker may be updated with a newer version of Conficker on April 1 by contacting domains on the new domain list. However, these systems could be updated on any date before or after April 1 as well using the "peer-to-peer" updating channel in the latest version of Conficker.
On February 12, 2009, Microsoft announced a U.S. $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet. Microsoft's reward offer stems from the company's recognition that the Conficker worm is a criminal attack. Microsoft wants to help the authorities catch the criminals responsible for it. Residents of any country are eligible for the reward, in accordance with the laws of that country, because Internet viruses affect the Internet community worldwide. (source)
Once this virus infects a computer it does a number of things including:
- Extracts all of its files to the %System% directory with random DLL file names, which can wreak havoc on your computer.
- Deletes the user's Restore Points.
- Registers a services called Netsvcs
- Creates scheduled tasks that execute all of the DLL files.
- Creates it's own simple HTTP server on the infected computer and spreads the worm to other computers in the network through file shares.
- Creates an Autorun.inf file in file shares to execute the warm files once the share is accessed by another computer.
- Connects to external sites to download additional files.
- Kido
- Downadup
Firstly you may download Microsoft Windows Malicious Software Removal Tool
This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month.
The most critical and obvious protection is to make sure the Microsoft patch is applied. Network administrators can also use a blocklist provided by F-Secure to try and stop the worm's attempts to connect to Web sites.
And finally, you can disable Autorun so that a PC won't suffer automatic attack from an infected USB drive or other removable media when it's connected. The Internet Storm Center links to one method for doing so at http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html, but the instructions involve changing the Windows registry and should only be attempted by adminstrators or tech experts. Comments under those instructions also list other potential methods for disabling autorun.