
Conficker - the major virus bomb of '09 said to lay down its might on April 1st.

twocows

The not-so-black cat of ill omen
  • 4,307
    Posts
    15
    Years
    I have a dual-boot setup with Fedora and Vista. My Vista installation is only used to browse a few sites (Slashdot, GameFAQs, Wikipedia, Google, and a few others), all of which I've put on a whitelist; all other sites are forced to run in a secure mode with most functionality disabled. Vista has Kaspersky, COMODO Firewall, and Privoxy in case something accesses IE, and both OSes' Firefox installations are using Adblock Plus; Firefox on Vista is running in a sandbox, as well. I think I'm relatively safe.

    That's actually what I was planning on doing.
    I was thinking I could shut down my computer on the 31st and not start it up again for a few days.



    I'm running Windows and I was actually meaning to get some high-quality virus protection, I guess now would be a better time than ever.
    Good thing I've got enough money to head into my local PC shop and buy the best virus protection program I can find.

    If you're willing to pay, I suggest getting Kaspersky or NOD32. Otherwise, get Avast!, Avira, or AVG. Stay away from Norton or McAfee.
     

    羨望

    のトレーナー
  • 342
    Posts
    17
    Years
    No worries here, I got OpenSolaris installed a few weeks ago, though I am worried about my mom's laptop,
    which runs XP, but I have it fully updated since the last reinstall of Windows. It's currently running Avast (RE). Is it protected?


    ~Envy
     

    Eureka1

    Yay IIDX! :D
  • 773
    Posts
    17
    Years
    • Age 33
    • Seen Jan 21, 2023
    Do people still run anti virus?

    Tin foil hats much. :P
     

    bgt

    R A W R
  • 2,899
    Posts
    20
    Years
    • Age 15
    • Seen Jun 21, 2011
    I heard about this like a week ago. Oh well, I run OSX.
     

    Eureka1

    Yay IIDX! :D
  • 773
    Posts
    17
    Years
    • Age 33
    • Seen Jan 21, 2023
    Think about it though, where are you going to get these?
     

    Mitchman

    Banned
  • 7,485
    Posts
    16
    Years
    Where? So far millions of computers are infected. Those infected will act as servers of sorts to spread the most deadly form of this virus without Conficker A and B. It's also a P2P virus as well, so it's like a super internet hack that can connect every computer infected to the main one and drain all the info about people. I would say that I'm not worried 'cause I have one of the best AVs (NOD32) and an updated Windows, but damn, those viruses can evolve to become unknown to your antivirus database and find a hole in the patch.
     
  • 7,741
    Posts
    17
    Years
    • Seen Sep 18, 2020
    Eureka1 is right, in almost every case AV programs are like tin foil hats. xD
    Only just now considering the date, I don't think it's going to happen. Unless I get a root source from someone, neh. I'll stay tuned though and if it turns out to be real it'll be time to jump into the Linuxmobile.
     

    Spinor

    The Lonely Physicist
  • 5,176
    Posts
    18
    Years
    • Seen Feb 13, 2019
    Oh my Gawd, what a shame.

    Doesn't the "April 1" activation date and "Millions panicking" sound a little related to you?

    No? Well I guess I'll just unplug my computer that day and not use it at all.
     

    Melody

    Banned
  • 6,460
    Posts
    19
    Years
    No, that's because of some recently discovered Zero Day exploits in all the browsers.
    Malware authors are pushing and probing more lately for crashes and glitches they can exploit.
     

    twocows

    The not-so-black cat of ill omen
  • 4,307
    Posts
    15
    Years
    Or... how about a better idea? Use your computer, but don't connect to the internet.

    And what's so bad about AVG? I'm just curious...
    It's not bad, it's just not great. Avast! and Avira are both free as well, and they do a better job while using fewer resources. As for paid stuff, Kaspersky and NOD32 outpace all three of them.
     
  • 229
    Posts
    15
    Years
    • Seen Aug 18, 2010
    A virus, you say? Hmm, I have never heard of it.... Well, now I'm kinda discouraged from using my Windows on the 1st.... I probably sound like a total idiot right now, but what does this virus do to your PC anyway? Delete info? Or just damage your computer?
     

    twocows

    The not-so-black cat of ill omen
  • 4,307
    Posts
    15
    Years
    They don't know yet. It's a worm that's said to activate on the first.

    This is a misconception. April 1st is a trigger date, in which the worm will switch the way it looks for updates. The worm has already experienced numerous such dates, none of which have severely impacted IT functions. Source

    A virus, you say? Hmm, I have never heard of it.... Well, now I'm kinda discouraged from using my Windows on the 1st.... I probably sound like a total idiot right now, but what does this virus do to your PC anyway? Delete info? Or just damage your computer?
    Conficker saves a randomly named dll file to your computer, and loads itself upon startup as a service. Once in memory, it checks for updates daily, slowing your connection and allowing it to potentially cause more damage at any point in the future if left alone. Currently, it disables numerous Windows processes, such as Windows Automatic Update, Windows Security Center, Windows Defender, and Windows Error Reporting, and it resets all system restore points. It also watches for a list of antiviral or system restoring programs, and if one is executed, it immediately terminates it, making removal a problem. Furthering this, it blocks the infected computer from accessing websites related to anti virus software or manual removal of the worm. It also brute-forces administrator passwords so it can gain further access to the infected system.

    Conficker initially spread through an already-patched vulnerability in the Server service which many computers have not patched. Updates have allowed it to spread to patched or unpatched computers through removable media, such as USB flash drives, by exploiting the autorun feature in Windows. It can also spread through shared folders enabled on a network.

    There are a number of ways you can tell if you have been infected with Conficker. If you truly are infected, you will be unable to access most antivirus vendor websites. Your internet connection will be slightly slower than normal, and various Windows services, such as Automatic Updates, Background Intelligent Transfer Service (BITS), and Windows Defender and Error Reporting Services will be disabled.


    If you are extremely worried about infection, I recommend you apply all relevant updates at https://update.microsoft.com/ or through the Windows Update function built into Vista. Note that if you are using anything earlier than Windows XP, or Windows XP without a service pack or with only service pack 1 installed, there is no patch available to fix the vulnerability, and it is advised that you upgrade your OS to a version that is currently supported. If that is impossible, I recommend getting a good anti-virus program, such as Kaspersky, NOD32, Avast!, AVG, or Avira (the last three are free for personal use).

    Also avoid using a flash drive that has been in contact with any other computer, or disable Windows' autoplay and autorun features; these are detailed here and here, respectively (note that these are advanced fixes that require editing of the Windows registry; do not deviate from the steps outlined in these pages). Finally, I recommend allowing only read-only access to shared folders on your computer, as one of the ways the virus spreads is through shared folders on networked computers. For information on how to do this, refer to this document (Symantec).


    If you are certain your computer is infected, assume that any removable media (such as flash drives) and any networked computers are also infected. Do not use your infected removable media with any uninfected computers, as this will spread the worm to them. Also, isolate any infected computers on a network and fix them at the same time.

    If you are not on a network, use either KKiller or EConfickerRemover (note that KKiller refers to Conficker as "Kido"), both of which I have attached to this post as you will be unable to access the removal tools on their respective websites (Kaspersky and Eset). I do not recommend using both unless one fails to work, as I have not tested using both of these tools on the same computer.

    If you are on a small infected network, I recommend that you disconnect all computers from the network, and remove the virus using the above method for each individual computer.

    If you are on a large network, I recommend that you have someone with sufficient tech experience use the Sophos Conficker Clean-up Tool (network version), which I have also attached (sconftool). They should be able to remove the worm from any affected systems.


    Once you have run the respective tools, follow the above steps for preventing infection, especially disabling autorun and autoplay. Once these are disabled, insert any infected media into the computer, and delete "autorun.inf" from the base directory of the media, then navigate to the folder called "RECYCLER" and delete any directories labeled "S-". The RECYCLER folder may be hidden; if so, navigate to it through the run dialogue (windows key + R) or the address bar. If this doesn't work, follow the below steps, also unchecking "Hide protected operating system files." Be sure to recheck this box after removing the worm.

    If the "S-" folder(s) is/are hidden, you will need to select the "Tools" menu on the window, select "Folder Options," and then select the "View" tab. There will be an option to allow you to view hidden files and folders; select it, and then click "OK." Then, simply delete any folders that begin with "S-".


    If you have any more problems with Conficker, I recommend running a complete virus scan using your antivirus software. If that doesn't help, contact your antivirus vendor for solutions.

    NOTE on attached files: if you don't trust that the files are safe, feel free to run them through VirusTotal's virus scanner, located here. Or, if you'd rather not, you can simply look at the scans I ran on them here, here, and here. Generally speaking, if only a few results are shown, it's assumed that they're false positives.

    Legal Disclaimer:

    This software is unavailable to its end users through its normal means of distribution, and no license agreement is provided for the software in question. As such, I believe the distribution of this possibly copyrighted software constitutes "fair use" under section 107 of US Copyright Law (Title 17 U.S.C. Section 107).

    UPDATE:
    A site has released an easy to use chart that lets you tell almost instantly if you have Conficker. Link here.

    UPDATE 2:
    https://it.slashdot.org/article.pl?sid=09/04/22/1243213
    Nmap claims to have a better tool for detecting Conficker. Haven't tried it, but if you want to give it a go, feel free.
     
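Added example (not part of twocows' post, and not code from any of the tools named in the thread): a read-only Python check of a removable drive's base directory for the two artifacts the post says to delete, `autorun.inf` and `RECYCLER` subfolders beginning with "S-". The sample layout is constructed and harmless, and the list of launch keys (`open`, `shellexecute`, `shell\...\command`) is an assumption that goes beyond the post, based on general autorun.inf behaviour.

```python
import os
import re
import tempfile

# autorun.inf keys that start a program when the drive is opened or autoplayed
# (assumption: general autorun.inf keys, not a list taken from the post).
LAUNCH_KEY = re.compile(rb"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=", re.I)

def audit_media(root):
    """Read-only check of a drive root; returns paths relative to root."""
    found = {"autorun_inf": None, "launch_lines": [], "recycler_s_dirs": []}
    for name in sorted(os.listdir(root)):        # listdir also returns hidden entries
        path = os.path.join(root, name)
        if name.lower() == "autorun.inf" and os.path.isfile(path):
            found["autorun_inf"] = name
            with open(path, "rb") as fh:         # bytes: tolerate non-text content
                for raw in fh.read().splitlines():
                    if LAUNCH_KEY.match(raw):
                        found["launch_lines"].append(raw.strip().decode("latin-1"))
        elif name.lower() == "recycler" and os.path.isdir(path):
            for sub in sorted(os.listdir(path)):
                if sub.upper().startswith("S-") and os.path.isdir(os.path.join(path, sub)):
                    found["recycler_s_dirs"].append(os.path.join(name, sub))
    return found

def build_sample(root):
    """Constructed, harmless layout imitating the artifacts named in the post."""
    s_dir = os.path.join(root, "RECYCLER", "S-0-0-00-placeholder")
    os.makedirs(s_dir)
    os.makedirs(os.path.join(root, "Photos"))
    with open(os.path.join(s_dir, "sample.txt"), "w") as fh:
        fh.write("placeholder\n")
    with open(os.path.join(root, "AUTORUN.INF"), "wb") as fh:
        fh.write(b"[autorun]\r\n\x00\x01filler\r\n"
                 b"Open=RECYCLER\\S-0-0-00-placeholder\\sample.txt\r\n")

def run_sample():
    """Build the constructed layout in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return audit_media(root)

if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, "->", value)
```

On an NTFS volume used by Windows XP, `RECYCLER\S-...` folders are also the normal per-user Recycle Bin, so a hit there means "inspect", not "infected"; the combination with an `autorun.inf` whose launch line points into `RECYCLER` is the stronger signal.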