Monday, January 26, 2009

Countering Downadup/Conficker worm

Much has been written about the spread of the Downadup worm (aka Conficker) reaching epidemic status in mere weeks. It's estimated that 9 million PCs may have been infected by this fast-spreading worm as of last week. It uses 3 different distribution channels:

  1. It infects Windows 2000/XP/Vista machines not patched with Microsoft security update KB958644, which was released in October last year.
  2. It tries to crack a PC's administrator password using brute-force attacks; once that succeeds, it uses the access to infect the PC and spread the worm further.
  3. It tries to infect PCs via the Autorun feature in Windows when removable storage devices such as USB drives and cameras are plugged in. Autorun is a Windows feature that automatically loads a specified program when the storage device is opened via Windows Explorer.
Computerworld has written a comprehensive FAQ in the link above. Read it to be on the same page as security vendors in terms of what is understood about this worm. It must be mentioned that researchers are still learning about this worm and what damage it intends to inflict once infected PCs receive instructions from its control servers.

In the meantime, what should you do?

  1. Ensure your PC is patched with KB958644. If not, you are encouraged to patch it and also run the January 2009 edition of Microsoft's Malicious Software Removal Tool.
  2. Change your administrator password to something considerably more complex.
  3. Disable the Autorun feature in Windows. The proper way to do this has been documented by US-CERT in this technote. In a nutshell, do this:

a. Click on this link, select Download, and save the file as "autorun.reg" in a folder of your choice. This creates a registry file for importing into your Windows registry. The registry file contains the following text:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

b. Import this registry file into your Windows registry as follows:

i. Log in as the administrator of your PC. This will not work with Power User or plain User accounts.

ii. Navigate to the folder where the autorun.reg file created above resides.

iii. Double-click the file to import it into the Windows registry.

Note: if you are not logged in as administrator and are using Windows XP or 2000, you may import the file into your registry as follows. For Vista users, you can only import by logging in as your PC's administrator and using the above procedure, as it requires an elevation of privileges.

- Click Start - Run

- Type cmd and click OK to open a command prompt

- Type runas /user:<your admin user> "regedit /s <folder where autorun is saved>\autorun.reg" and press ENTER.

Replace the values in <> with those applicable to your PC, e.g. runas /user:myadmin "regedit /s c:\data\autorun.reg"
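To confirm that both defences described above are actually in place on a PC, here is an added PowerShell check script; it is not part of the original post or the US-CERT technote, and it assumes Windows PowerShell 3.0 or later with the registry key and patch ID exactly as given above.

```powershell
# Added example, not from the original post: verify that KB958644 is installed
# and that Autorun.inf is mapped to a non-existent registry key, then report
# what is still missing. Reading HKLM needs no elevation; Get-HotFix may need
# an elevated prompt on some systems.

$AutorunKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$ExpectedMapping = '@SYS:DoesNotExist'
$PatchId = 'KB958644'

function Test-AutorunMitigation {
    # The US-CERT workaround sets the key's default value so that Windows
    # looks up Autorun.inf contents in a registry key that does not exist.
    if (-not (Test-Path -Path $AutorunKey)) { return $false }
    $default = (Get-Item -Path $AutorunKey).GetValue('')
    return ($default -eq $ExpectedMapping)
}

function Test-Patch {
    param([string]$Id)
    # Get-HotFix reads Win32_QuickFixEngineering; a later cumulative update
    # that supersedes the patch may not appear under this ID, so a miss here
    # means "verify manually", not necessarily "unpatched".
    $hf = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    return ($null -ne $hf)
}

$results = [ordered]@{
    "$PatchId installed"           = Test-Patch -Id $PatchId
    'Autorun.inf mapping in place' = Test-AutorunMitigation
}

foreach ($check in $results.Keys) {
    $status = if ($results[$check]) { 'OK     ' } else { 'MISSING' }
    Write-Output ("[{0}] {1}" -f $status, $check)
}

if ($results.Values -contains $false) {
    Write-Output 'At least one defence is missing; follow the steps in the post above.'
}
```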

May God bless you.
