Win32/Conficker

Detected by Microsoft Defender Antivirus

Aliases: TA08-297A (other) CVE-2008-4250 (other) VU827267 (other) Win32/Conficker.A (CA) Mal/Conficker-A (Sophos) Trojan.Win32.Agent.bccs (Kaspersky) W32.Downadup.B (Symantec) Trojan-Downloader.Win32.Agent.aqfw (Kaspersky) W32/Conficker.worm (McAfee) Trojan:Win32/Conficker!corrupt (Microsoft) W32.Downadup (Symantec) WORM_DOWNAD (Trend Micro) Confickr (other)

Summary

Microsoft security software detects and removes this threat.

This family of worms can disable several important Windows services and security products. They can also download files and run malicious code on your PC if you have file sharing enabled.

Conficker worms infect PCs across a network by exploiting a vulnerability in a Windows system file. This vulnerability is described and fixed in Security Bulletin MS08-067.

Some worms can also spread via removable drives and by using common passwords.

Find out ways that malware can get on your PC.

Apply the update in Security Bulletin MS08-067.
Apply the update in Microsoft Knowledgebase Article KB971029.
Change your passwords, and make them strong.

Use the following free Microsoft software to detect and remove this threat:

Microsoft Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
Microsoft Safety Scanner
Microsoft Windows Malicious Software Removal Tool

You should also run a full scan. A full scan might find other, hidden malware.

Additional recovery steps

You might not be able to connect to websites related to security applications and services that can help you remove this worm.

Microsoft Help and Support have provided a detailed guide to removing a Conficker infection from an infected PC, either manually or by using the Malicious Software Removal Tool (MSRT).

Virus alert for Win32/Conficker and manual removal instructions

More information about deploying MSRT in an enterprise environment can be found here:

Deployment of MSRT in an enterprise environment

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Variant comparison

There are several variants of Conficker, summarized in the table below. Also see the individual descriptions for each variant for more information.

Variant	Spreads by...	Payload
Worm:Win32/Conficker.A Discovered date: 21 November 2008 Payload trigger date: 25 November 2008	Exploits the vulnerability outlined in Security Bulletin MS08-067	Generates 250 URLs daily that it checks for updates Resets System Restore Point
Worm:Win32/Conficker.B Discovered date: 29 December 2008 Payload trigger date: 1 January 2009	Same as .A variant, plus: Network shares with weak passwords Mapped and removable drives Uses a scheduled task to run copies of the worm on targeted PCs	Same as .A variant (although with a different way of generating URLs), plus: Blocks access to many security-related websites Changes your PC's settings Stops system and security services
Worm:Win32/Conficker.C Discovered date: 20 February 2009 Payload trigger date: 1 January 2009	Same as .B variant.	Same as .A and .B variants, plus: Additional method for downloading files that uses peer-to-peer communications Adds checks to verify the authenticity/validity of content targeted for download
Worm:Win32/Conficker.D Discovered date: 4 Mar 2009 Payload trigger date: 1 April 2009	Spreading functionality removed. Distributed as an update to PCs already infected with the .B and .C variants.	Same as .A and .B variants, plus: Generates 50,000 URLs to download files from, but only visits 500 within a 24-hour period Expands on efforts to hinder its removal from your PC: Stops more system and security services Blocks more security-related websites
Worm:Win32/Conficker.E Discovered date: 8 April 2009 Payload trigger date: No date	Spreading functionality added. Same as .A variant, plus: Network shares with weak passwords	Blocks access to many security-related websites Changes your PC's settings Stops system and security services Deletes itself on May 3

The name of this family was derived from trafficconverter.biz, a string found in the Worm:Win32/Conficker.A variant.

Prevention

Take these steps to help prevent infection on your PC.