Screen-friendly page
Printer-friendly pageConficker Virus
This page contains information about the Conficker virus
Introduction
In late 2008, a new virus called Conficker began to spread across the Internet. Conficker's exact purpose is unknown, but it is already known to disable many security features on Windows computers. In addition, after April 1, 2009, Conficker began sending spam from infected computers, and also tried to trick people into buying phony antivirus software that in reality was just another virus.
Conficker spreads across computer networks like many other modern viruses. It also contains a "retro" method of attack. Old computer viruses used to be spread over floppy disks, and much in the same fashion, Conficker also has the ability to spread from computer to computer through infected USB drives. Initially, this line of attack was aided by the Windows Auto-Run feature which would make it easy for one bad USB drive to infect many computers.
The estimated peak amount of computers infected by Conficker has reached as high as 9 million computers worldwide. However, that number has significantly decreased as Microsoft and antivirus vendors companies have worked together to stem the tide of the virus.
CITES automatically blocks any computer infected with the Conficker virus that tries to connect to the campus network. The purpose of these web page is to help you protect your computer from the Conficker virus. If you are affiliated with the University of Illinois at Urbana-Champaign, and have been blocked from connecting to UIUCnet, or if you suspect you have already been infected by the Conficker virus, please contact the CITES Help Desk at (217) 244-7000.
Protecting yourself from Conficker
There are three crucial steps that you need to take to protect your computer from Conficker (and other viruses). The first step is to make sure that your Windows Operating System is fully patched. The second step is to disable Autoplay. The third is to make sure that you are running antivirus software that is up to date.
Patching your Windows operating system
Microsoft has responded to some of Conficker's techniques for infecting computers by patching the Windows operating system. If you are completely up to date with all of your Windows Updates, then you have already put these protections in place. If you aren't up to date, you need to make sure that you have installed the patches discussed in KB958644 and KB967715. The easiest way to get all of the updates needed to stop Conficker is to visit http://update.microsoft.com and make sure that the latest updates have all been installed. For future updates, simply enabling Automatic Updates ensures that your computer stays patched.
More information about securing your operating system can be found at: http://www.cites.illinois.edu/security/by_os/
If you still need further help updating your operating system, please contact the CITES Help Desk at (217) 244-7000.
Disabling Autoplay
Because the Conficker virus masks itself in the Autoplay window that appears when a new disk is inserted, disabling Autoplay also helps protect you from the Conficker virus. For this reason, CITES Security strongly recommends disabling the Autoplay feature in Windows.
For more information about how to disable Autoplay, see:
Microsoft Knowledge Base (advanced, with patch links)
Running up-to-date antivirus software
Security companies that make antivirus software are doing their best to keep up with Conficker and its mutations. If your computer is acting oddly, or if you just want to double check that your computer is free from Conficker, you should download the latest antivirus update and then run a full scan of your computer.
If you need do not have antivirus software installed, CITES provides Windows antivirus software at no cost for anyone with an active University of Illinois NetID. For more information about how to acquire antivirus software or how to use it, please visit: http://www.cites.illinois.edu/security/antivirus/
If you still need further help updating or running your antivirus software, please contact the CITES Help Desk at (217) 244-7000.
Already infected with Conficker?
Because Conficker has built into it a feature that blocks access to certain web sites, security researchers have been able to develop a Conficker Eye Chart to help people discover whether or not they are infected with Conficker. CITES Security has rehosted this useful Conficker Eye Chart and you can check it out by visiting http://www.cites.illinois.edu/security/antivirus/conficker_eyechart.html
If you have been blocked from accessing the University of Illinois network, or if you think that your computer is infected with the Conficker virus, please contact the CITES Help Desk at (217) 244-7000.
More information on Conficker
New York Times article on Conficker
Second New York Times article on Conficker
One of the tricks used to infect computers with Conficker (complete with screen shots)
Windows Knowledge Base article including manual disinfection steps