Attention: We have transitioned to a new AAD or Microsoft Entra ID from the week of May 20, 2024. In case your tenant requires admin consent, please refer to this document located at Overview of user and admin consent - Microsoft Entra ID | Microsoft Learn and grant access to App ID: 6ba09155-cb24-475b-b24f-b4e28fc74365 with graph permissions for Directory.Read.All and User.Read for continued access. While the app may appear unverified, you can confirm its legitimacy by verifying the App ID provided.
We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
TrojanDropper:Win32/Conficker.gen!A
Detected by Microsoft Defender Antivirus
Aliases: No associated aliases
Summary
TrojanDropper:Win32/Conficker.gen!A drops and executes variants of Win32/Conficker. In the wild we have observed this trojan installing Worm:Win32/Conficker.D on affected machines.
Win32/Conficker infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.
Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately.
Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords. More information is available here.
Microsoft also recommends that users apply an update that changes the AutoPlay functionality in Windows to prevent this worm from spreading via USB drives. More information is available in the Microsoft Knowledgebase Article KB971029.
Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately.
Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords. More information is available here.
Microsoft also recommends that users apply an update that changes the AutoPlay functionality in Windows to prevent this worm from spreading via USB drives. More information is available in the Microsoft Knowledgebase Article KB971029.
To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
Note: Computers infected by Conficker may be unable to connect to web sites related to security applications and services that may otherwise assist in the removal of this worm (for example, downloading antivirus updates may fail). In this case users will need to use an uninfected computer in order to download any appropriate updates or tools and then transfer these to the infected computer.
Microsoft Help and Support have provided a detailed guide to removing Win32/Conficker infection from an affected computer, either manually or by using the MSRT (Malicious Software Removal Tool).
For detailed instructions on how to manually remove Win32/Conficker, view the following article using an uninfected computer:
http://support.microsoft.com/kb/962007 - Virus alert for Win32/Conficker and manual removal instructions
Additional information on deploying MSRT in an enterprise environment can be found here:
http://support.microsoft.com/kb/891716 - Deployment of MSRT in an enterprise environment
Follow us
