The H Security Conficker information site
On this page you will find all of the important information about the Conficker worm, including how to detect it and to guard against it. Note that some manufacturers call Conficker either Kido or Downadup.
There are several test sites that can help you check for Conficker infection. These links open a page that performs the test and shows the result.
Info pages and removal tools from AV vendors
Many anti-virus manufacturers are offering specific tools for detecting and removing Conficker. These applications do not require installation of a complete AV package. The easiest way to proceed is to download the tool on an uninfected computer, copy it onto a USB drive and then run it on the infected system. NOTE - all of these links start a file download process.
- Sophos* - ssconftool_10_sfx.exe*
- Symantec* - FixDwndp.exe*
- F-Secure – f-downadup.zip
- McAfee* - S.T.I.N.G.E.R.exe
- Trend Micro - SysClean-WORM_DOWNAD.zip
- Kaspersky* - KKiller_v3.4.3.zip*
- BitDefender - bd_rem_tool.zip
- Eset (NOD32)* - EConfickerRemover.exe*
* Conficker may block access to indicated sites
Various companies offer scanners that can detect Conficker over a network. They are based on techniques developed by security researchers Felix Leder and Tillmann Werner. These techniques do require access to TCP port 445 to reach the target systems, so they will normally only work within local networks since this port should be blocked from the internet side of any firewalls.
- Nmap version 4.85Beta5
To do a basic conficker scan with Nmap, run:
nmap -sC -PN -d -p445 --script=smb-check-vulns \
- Nessus plugin 36036
- Confickertest from McAfee
- ConfickerScanner by eEye
- SCS from the University of Bonn (Leder, Werner)
Reports from The H Security about Conficker
- Simple Conficker test for end users
- Conficker stays silent on April Fools Day
- Conficker demystified
- Freeloaders are taking advantage of Conficker scare
- Conficker worm reloads - maybe
- Conficker infects UK parliament
- Tools to remove Conficker
- Conficker modified for more mayhem
- Conficker to disrupt legitimate domains in March
- Conficker becomes a more flexible worm
- Microsoft, ICANN and others, move to block Conficker
- OpenDNS to block Conficker
- F-Secure now claims nine million Conficker infections
- Report: 2.5 million PCs infected with Conficker worm
- Conficker in Carinthia: first the state government, now the hospitals
- Windows worm builds a large Botnet
- Windows worm infection accelerates
Tips and Tricks
Lock bypass: Conficker blocks access to certain websites. You can bypass this lock by clicking on the Start menu and clicking run with the following command:
NET STOP DNSCACHE
The Conficker page from the University of Bonn also has several interesting Conficker tools.
We will try to keep this page updated and expand it over time. If you have any suggestions for improvements or problems with any of the links, please email us.