Skip navigation

Recently my laptop has received numerous threats of virus coming from our office network called WIN32Conficker.A worm and some of its aliases is given below;

Win32/Conficker.A (Microsoft), Crypt.AVL (AVG), Mal/Conficker-A (Sophos), Trojan.Win32.Pakes.lxf (F-Secure), Trojan.Win32.Pakes.lxf (Kaspersky), W32.Downadup (Symantec), Worm:Win32/Conficker.B (Microsoft), WORM_DOWNAD.A (Trend Micro)

I was shocked and worriedly thinking, “has my laptop has been infected?” I rushly looked for any solutions in the net about the said virus and some solutions. I’ve carefully red in the section of mcafee antivirus about the virus characteristics and how dangerous it is:

Quoted from Mcafee:

Virus Characteristics
When executed, the worm copies itself using a random name to the %Sysdir% folder.
(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)
It modifies the following registry key to create a randomly-named service on the affected syetem:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\”ServiceDll” = “Path to worm”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\”ImagePath” = %SystemRoot%\system32\svchost.exe -k netsvcs

Attempts to download a malware file from the remote website: (Rogue Russian site is up but not serving file anymore)

Starts a HTTP server on a random port on the infected machine to host a copy of the worm.
Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the http server and download a copy of the worm.
Analyzed malware does not have autorun or email capabilities.

Indications of Infection
This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

Method of Infection
This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate.

Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning.
Upon detection of this worm the system should be rebooted to clean memory correctly.
source taken:

Quoted from Microsoft:
“[The worm] opens a random port between port 1024 and 10000 and acts like a web server. It propagates to random computers on the network by exploiting MS08-067. Once the remote computer is exploited, that computer will download a copy of the worm via HTTP using the random port opened by the worm. The worm often uses a .JPG extension when copied over and then it is saved to the local system folder as a random named dll.”

And hopefully, i found some fixes and solutions that can help us.

1. F-Secure Solution:

Removal tool specific to remove this conficker/Downadup worm, Download here =

2. Mcafee provided solution:

– Users infected by W32/Conficker.worm should perform an On Demand Scan to remove remnants of the worm in memory using the latest DATs(Mcafee Site).
– Upon detection of W32/Conficker!mem and REBOOT, the W32/Conficker.worm malware components will be removed.

3. Trend Micro Solution:

Before deploying the sysclean package, you need to apply Microsoft MS08-067 Critical System Patch first.

Please do the following:1. Download and extract the sysclean package.

2. Download the latest Controlled Pattern File (CPR).

3. Download the latest Detection and Cleanup (Trend Micro Anti-Spyware) or the Ssapiptn.Da5 file.

4.Using GPO or any third party deployment tool (i.e. SMS or BigFix), copy items 1-3 to the infected computer.

5. Execute

6. Reboot the infected computer.

Beyond of all solutions that has been provided, to ensure that you willl not be attacked by this virus again, make sure your Windows System is always updated (especially the Windows MS08-067 patch from October), also your Antivirus/Firewall Security.


    • Motoko
    • Posted January 8, 2009 at 12:38 pm
    • Permalink


    Our company had been hit with this virus and I have been trawling for a standalone removal tool for awhile now. The FSecure one does not seem to work 100% if at all, but I tried the Trend Micro one you posted and that seems to do the trick…at least until we get our corporate AV/patch solution in place. Good article, thanks.

    • Rye
    • Posted January 9, 2009 at 12:21 am
    • Permalink

    i’m happy that this solved 1 of your virus problems. 🙂 good thing for me i was being protected by my antivirus, those conficker virus keep on popping out – quarantined, but then after i installed the patch from microsoft windows, until now it never popped up. cheers!

  1. I will try the trend micro solution.. it seems promising.. thanks!

    • Kirk
    • Posted January 9, 2009 at 8:43 pm
    • Permalink

    Thank you for your help the trend micro solution helped us clean up 5 computers. Didn’t try the other solution.

    • chris
    • Posted January 11, 2009 at 6:58 am
    • Permalink

    the best effective and quick solution to exterminate conficker and similar worms or DNS_Changers is to run the free Malwarebytes Anti-Malware programm. Befroe running disable System Restore

  2. Thx a lot for the info. But on step 5 I’m puzzled. I create a batch file to store the command (, and after I execute it, it open a dos box and.. that’s it! nothing happens for almost 20+ minutes.. Is it doing something in the background or not?

    Any help will be appreciated.

    • sonia19
    • Posted February 17, 2010 at 3:08 pm
    • Permalink
  3. Best you could make changes to the page subject New Virus Detected – Win32/Conficker.A worm Anything to Fix to something more generic for your webpage you make. I liked the post however.

  4. each time i used to read smaller articles that also clear their motive, and that
    is also happening with this post which I am reading now.

One Trackback/Pingback

  1. By Conficker/Downadup worm strikes | Byte Bites on 16 Jan 2009 at 3:34 am

    […] can go here to see links to bunch of removal tools for Conficker9. You can also use Microsoft’s […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: