Computer Security Wiki
  • Win32/Conficker.A (CA)
  • W32.Downadup (Symantec)
  • W32/Downadup.A (F-Secure)
  • Conficker.A (Panda)
  • (Kaspersky)
Type Worm
Affected platform/s Microsoft Windows
Smallwikipedialogo.png Most of this page uses content from Wikipedia. The original article was at Conficker.
The list of authors can be seen in the page history. As with Computer Security Wiki, the text of Wikipedia is available under the GNU Free Documentation License.
Remove this template when most of the Wikipedia content has been removed or the Wikipedia information is outnumbered by non-Wikipedia information.

Conficker (aka Downup, Downadup, Downandup and Kido) is a computer worm that surfaced in October 2008 that targets the Microsoft Windows operating system.[1] The worm exploits a known vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008.[2]


The Conficker worm spreads itself primarily through a buffer overflow vulnerability in the Server Service on Windows computers. The worm uses a specially crafted RPC request to execute code on the target computer. [3]

When executed on a computer, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. It then connects to a server, where it receives further orders to propagate, gather personal information, and downloads and installs additional malware onto the victim's computer.[4] The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe.[5]

When infecting a computer, the worm launches an HTTP server on a random TCP port. This is then used to load the worm’s executable file to other computers.

The worm gets the IP addresses of computers in the same network as the victim machine and attacks them via a buffer overrun vulnerability in the Server service.[6]

The worm sends a specially crafted RPC request to remote machines, which causes a buffer overrun when the wcscpy_s function is called in netapi32.dll. This launches code which downloads the worm file, launches and installs it on the new victim machine.

In order to exploit the vulnerability described above, the worm attempts to connect to the Administrator account on the remote machine. The worm uses the following passwords to brute force the account:


  • Automatic updates no longer working
  • Anti-virus software are no longer able to update itself
  • Unable to access a variety of security sites, such as anti-virus software companies
  • Random svchost.exe errors
  • Account lockout policies being reset automatically
  • Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services are automatically disabled
  • Domain controllers respond slowly to client requests
  • System network gets unusually congested. This can be checked with network traffic chart on Windows Task Manager

Patching and Removal[]

On 15 October 2008 Microsoft released a patch to fix the vulnerability.[7] Removal tools are available from Microsoft[8], Symantec[9], Kaspersky Labs[10] and BitDefender. Since the virus can spread via USB drives that trigger AutoRun, disabling the AutoRun feature for external media through modifying the Windows Registry is recommended.[11] While Microsoft has released patches for the later Windows XP Service Packs 2 and 3 and Windows 2000 SP4 and Vista, it has not released any patch for Windows XP Service Pack 1 or earlier versions (excluding Windows 2000 SP4), as the support period for these service packs has expired.


External Links[]