
Win32/Conficker.A

What is Win32/Conficker.A?

Win32/Conficker.A is a worm that propagates between computers by exploiting MS08-067, the vulnerability in the Microsoft Server service. Win32/Conficker.A may also download and execute various files from a remote server as part of its other payloads.

Type: Worm
Sub-Type: Downloader
Aliases: Win32/Conficker, Worm:Win32/Conficker.A, W32.Downadup (Symantec)
OS Affected: Windows
Detected By: Computer Associates

What Does Win32/Conficker.A Do?

It modifies the Windows Registry and adds the following entry:

  • HKLM\SYSTEM\CurrentControlSet\Services\<random filename>\Parameters\ServiceDll = “%System%\<random filename>”

The threat connects to the internet and drops malicious files fetched from the following locations (parts of the URLs are censored):

  • http://trafficconverter.biz/<censored>/loadadv.exe
  • http://www.maxmind.com/<censored>/GeoIP.dat.gz

It creates a service on the computer:
Service name: netsvcs
Path to executable: %System%\svchost.exe -k netsvcs
Because the ServiceDll value above points at the dropped DLL, the malicious code runs inside the legitimate svchost.exe host process under the netsvcs group instead of appearing as a separate executable in the process list.
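The persistence mechanism described above (a service whose Parameters\ServiceDll points at a DLL in %System% that svchost.exe then loads) can be audited without deleting anything. The script below is an added example, not code from the original page or from any vendor tool; it assumes it is run in an elevated PowerShell session on the host being checked, and it only reads the registry and file signatures.

```powershell
# Added example: list every service that is loaded through ServiceDll and flag
# those whose DLL is missing or not validly signed. Read-only; nothing is changed.
# Assumption: run elevated so that all service keys are readable.

$svcRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

# Names of the services that svchost.exe hosts when started with "-k netsvcs".
$netsvcs = @((Get-ItemProperty -Path $svchostKey -Name netsvcs -ErrorAction SilentlyContinue).netsvcs)

$findings = foreach ($svc in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
    # Only services with a Parameters\ServiceDll value are hosted in svchost.exe.
    $paramsPath = Join-Path -Path $svc.PSPath -ChildPath 'Parameters'
    $dllValue   = (Get-ItemProperty -Path $paramsPath -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dllValue) { continue }

    $dllPath   = [Environment]::ExpandEnvironmentVariables($dllValue)
    $exists    = Test-Path -LiteralPath $dllPath
    $signature = if ($exists) { (Get-AuthenticodeSignature -FilePath $dllPath).Status } else { 'FileMissing' }

    [PSCustomObject]@{
        Service    = $svc.PSChildName
        ServiceDll = $dllPath
        InNetsvcs  = ($netsvcs -contains $svc.PSChildName)
        Signature  = $signature
        # A DLL that svchost.exe will load but that carries no valid signature
        # deserves manual review; a random-looking file name in %System% more so.
        Suspicious = ($signature -ne 'Valid')
    }
}

# Show the suspicious entries first. Review each one by hand before removing
# any registry key or file, as the manual removal steps below require.
$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

On older Windows releases many legitimate system DLLs are catalog-signed rather than embedded-signed and can show as NotSigned here, so treat the Signature column as a triage hint together with the DLL name and location, not as a verdict on its own.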

How to Remove Win32/Conficker.A Manually

1. Restart your computer in Safe Mode
- After powering on the computer, just before Windows starts, press F8
- From the menu that appears, select Safe Mode

2. Remove the registry entry/entries that the threat added. You MUST BACK UP YOUR REGISTRY FIRST.
- Click Start > Run
- Type regedit in the field
- Navigate to the registry entry/entries mentioned above and delete them if necessary

3. Delete the malicious file/files that the threat added:
- Based on the location given above, browse to the file and delete it
- If no location is given, click Start > Search and search for the file/files.
- If the file cannot be deleted, press Ctrl+Alt+Del to open Task Manager and check whether the file is running as a process. If it is, select it and click End Process, then delete the file again.

Automatic Removal of Win32/Conficker.A

1. Download and run the Downadup Removal Tool here.
