Worm infects millions of Windows computers

February 11, 2009
The buzz in the tech world for the past few weeks has been around a Windows worm most commonly known as "Conficker" or "Downadup" that was first identified in November but has yet to be quelled. Estimates of infected computers worldwide range from 10 million to 20 million with a million computers being infected every few days.

For those not up on computer jargon, a computer worm is a self-replicating computer program that targets networks of computers to propagate itself. Unlike a computer virus, a worm does not need to attach itself to an existing program. Worms usually take advantage of holes or exploits found in operating systems. In Conficker's case, the operating systems it targets are Windows 2000, Windows 2003 and Windows XP.

Before panicking, know that people who have been updating their Windows systems regularly since October are probably not at as much risk as those who haven't. Back in October, Microsoft discovered a vulnerability, known as MS08-067, in part of the Windows server systems mentioned above. The company quickly issued an emergency patch through Windows Update. Users who didn't get the memo or didn't hear about it through the media should be OK, as the patch would have been installed automatically if their machines were set to Automatic Windows Update.

Unfortunately, many users failed to protect themselves by installing the patch, and when the Conficker worm, designed specifically to exploit this MS08-067 vulnerability, first appeared a month later, on Nov. 21, they became infected.

The original version of the worm — there are now two versions — was thought to be created by hackers in Ukraine because it avoided infecting computers with a Ukrainian keyboard layout. However, the second, more-invasive version of the worm that appeared on Dec. 29 infects indiscriminately through multiple propagation methods, not just the MS08-067 exploit.

The second version, "ConfickerB" as it's called, can also be transferred through USB devices such as flash drives, MP3 players and digital cameras. The worm does this by hiding in the USB device when it is connected to an infected computer and then providing a phony auto-run prompt when it's plugged into a healthy computer.

The typical Windows auto-run prompt brings up a box that asks how the user wants to run the device. If it's a flash drive, the user will be asked if they want to view the files on it through Windows Explorer. The worm mimics this command by showing an open folder and the command — "Open folder to view files" — at the top of the prompt box. However, beneath this it states "publisher not specified." This should be the first clue that something's wrong if this situation happens. Beneath this phony prompt, the user will see the real Windows Explorer prompt. Viewing the files in this way will not infect a machine. If a person is tricked by this prompt and clicks to run the worm, it will infect their system even if they have the patch.
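The phony prompt described above is driven by the autorun.inf file on the USB device. As an added example (not part of the original article), this Python sketch reads the contents of such a file and flags an entry whose label imitates the "Open folder to view files" option while actually launching a program; the sample file contents and the program name are constructed for illustration.

```python
import re

# Label the article says the fake AutoPlay entry imitates.
EXPLORER_LABEL = "open folder to view files"
# autorun.inf keys that launch a program when the entry is chosen.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            in_section = header.group(1).strip().lower() == "autorun"
            continue
        # Skip comments and anything that is not key=value (padding, junk).
        if in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def audit_autorun(text):
    """Return a list of findings for the contents of one autorun.inf."""
    entries = parse_autorun(text)
    launches = {k: v for k, v in entries.items() if k in LAUNCH_KEYS and v}
    if not launches:
        return []
    commands = "; ".join(sorted(launches.values()))
    if EXPLORER_LABEL in entries.get("action", "").lower():
        return ["label imitates Explorer but entry runs: " + commands]
    return ["entry runs a program: " + commands]

# Constructed samples (not taken from a real device).
SUSPICIOUS = (
    "x9f3k junk line\n"
    "[AUTorUN]\n"
    "qz81 junk\n"
    "Action=Open folder to view files\n"
    "Icon=shell32.dll,4\n"
    "shellexecute=sample_program.exe\n"
)
BENIGN = "[autorun]\nlabel=Vacation Photos\nicon=camera.ico\n"

if __name__ == "__main__":
    print(audit_autorun(SUSPICIOUS))
    print(audit_autorun(BENIGN))
```

To check a real device, pass the text of its autorun.inf to `audit_autorun` from a machine where auto-run is not acted on.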

If a machine happens to be infected, a user may experience no symptoms or quite a few. Possible symptoms include the disabling of automatic updates, Windows Defender (Windows' spyware and firewall tool) and error reporting services. The worm also can deny access to Internet security Web sites that contain trigger words like "virus," "spyware," "malware" and "Microsoft." In short, the worm makes itself difficult to remove from a computer once it is infected.

Since U.S. infections account for 1 percent of infections worldwide, it may be a bit safer living in the United States, but that doesn't mean the computers here are invulnerable. With the worm continuing to grow, it's only a matter of time before more U.S. machines become infected, if users do not take the following steps to protect themselves:

First, set Windows Update to update automatically. Next, make sure the computer has a working anti-virus program and a working firewall. Windows Defender is available free from the Microsoft Web site and functions as a good firewall and a spyware removal and system scan tool. It can be set to periodically scan the system as a scheduled task. As for virus programs, Avast! and AVG are considered by top tech sites like CNET to be the best free anti-virus programs available online.

If a computer happens to already be infected, there are ways to remove the worm. Panda Security Active Scan has said its site is still reachable by infected machines and that its program can remove the worm. If a machine is not experiencing any symptoms, a user may not know that it has been infected. The easiest way to check is to go under "accessories" on the Windows menu. Then, click "system tools" and then click "scheduled tasks." If a program is running a scheduled task and the user doesn't know what it is, the computer might be infected.

Regionally speaking, David Van Laningham, who maintains the computers at the Crawford County Public Library in English, said he's not aware of anyone locally who has had problems with the worm. He also said the computers at the library are safe due to a program known as Deep Freeze. This means that if the worm, or even a virus, were to be transmitted to computers, the computers would be restored to their original state upon a reboot.

For more information on the worm and how to remove it, visit www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker or

