
Talk:Conficker

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Skele (talk | contribs) at 21:04, 16 April 2009 (→‎First Conficker: new section). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Hoax by TechwareLabs?

Or is this admittance of guilt itself just a joke and not real?

http://www.techwarelabs.com/articles/editorials/conflicker_virus_truth/ 68.209.242.33 (talk) 02:48, 2 April 2009 (UTC)[reply]

Read the bottom; it says that the article is an April Fools' joke. Dreammaker182 06:24, 3 April 2009 (UTC)

Operation

'It then connects to a server, where it receives further orders to propagate, gather personal information, and downloads and installs additional malware onto the victim's computer.' I was under the impression that Conficker currently only propagated itself and listened for further instructions from specific channels on what the botnet should do, and that such a message has not been sent yet? The way this sentence is phrased it makes it sound like Conficker has been sent the signal already. Has it actually been activated yet? 134.173.66.81 (talk) 22:00, 25 January 2009 (UTC)[reply]

It must have been activated for it to do the damage it has done overseas already. My May 2009 edition of PC Advisor claimed that the worm was simply lying in wait, but this isn't true. The worm generates a fresh list of about 250 random domain names daily and then checks those domains for instructions. When researchers started studying the worm's behavior, they realised it was registering about 2,000 sites a week. The article doesn't half explain the seriousness of Conficker. The truth is, Conficker has the potential to reprogram a network, allowing this cybergroup to use the computers they infect for their own nefarious purposes. I just look forward to Microsoft catching these guys and/or girls. Refreshments (talk) 16:10, 19 March 2009 (UTC)[reply]
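The daily domain-polling behaviour described in the comment above is something a network defender can look for in resolver logs. The following Python is an added illustration, not code from the talk page or from any published Conficker analysis; the log format, client addresses and thresholds are all constructed assumptions.

```python
"""Flag hosts whose DNS activity looks like daily generated-domain polling.

Added illustration, not from the talk page or any published Conficker analysis.
Assumed heuristic: a client that, within one day, asks for many distinct
registrable domains that do not exist (NXDOMAIN) is walking a generated list
rather than browsing. Log format, thresholds and addresses are all constructed.
"""
import math
from collections import defaultdict

# Constructed resolver log: "<date> <client_ip> <queried_name> <rcode>".
# Two of the names (bxtopike, leyloenk) are quoted elsewhere on this talk page.
SAMPLE_LOG = """\
2009-03-19 10.0.0.5 www.wikipedia.org NOERROR
2009-03-19 10.0.0.5 mail.example.com NOERROR
2009-03-19 10.0.0.9 bxtopike.com NXDOMAIN
2009-03-19 10.0.0.9 leyloenk.net NXDOMAIN
2009-03-19 10.0.0.9 qzvrtpmk.org NXDOMAIN
2009-03-19 10.0.0.9 hjkwqzbn.info NXDOMAIN
2009-03-19 10.0.0.9 ptrkxwqs.biz NXDOMAIN
2009-03-19 10.0.0.9 www.wikipedia.org NOERROR
2009-03-19 10.0.0.5 news.bbc.co.uk NOERROR
2009-03-19 10.0.0.5 typo-in-addres.com NXDOMAIN
"""


def registrable_domain(name):
    """Naive registrable domain: the last two labels (ignores suffixes like co.uk)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def label_entropy(label):
    """Shannon entropy in bits per character; generated labels tend to score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield (date, client, query, rcode) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)


def summarize(text):
    """Per (date, client): total queries and the set of distinct NXDOMAIN domains."""
    stats = defaultdict(lambda: {"total": 0, "nx": set()})
    for date, client, query, rcode in parse_log(text):
        entry = stats[(date, client)]
        entry["total"] += 1
        if rcode == "NXDOMAIN":
            entry["nx"].add(registrable_domain(query))
    return stats


def find_suspects(text, min_nx=4, min_ratio=0.5):
    """Return {client: report} for clients exceeding both assumed thresholds in a day.

    A single mistyped hostname yields one NXDOMAIN; a list-walking host yields many
    distinct ones and they dominate its traffic, so both conditions must hold.
    """
    suspects = {}
    for (date, client), entry in summarize(text).items():
        nx = len(entry["nx"])
        ratio = nx / entry["total"]
        if nx >= min_nx and ratio >= min_ratio:
            mean_entropy = sum(label_entropy(d.split(".")[0]) for d in entry["nx"]) / nx
            suspects[client] = {
                "date": date,
                "distinct_nxdomain": nx,
                "nxdomain_ratio": round(ratio, 2),
                "mean_entropy": round(mean_entropy, 2),
            }
    return suspects


if __name__ == "__main__":
    for client, report in find_suspects(SAMPLE_LOG).items():
        print(client, report)
```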

Removal

'Linux and Macintosh systems are unaffected as the virus only targets Windows software' present at the bottom of the first block of text. This message is unnecessary and superfluous. The first block of text already explains the nature of the virus and what it targets. 62.245.140.169 (talk) 17:03, 21 January 2009 (UTC)[reply]

  • The information is useful and relevant. Please do not remove it again. JohnCD (talk) 17:27, 21 January 2009 (UTC)[reply]
    • I too find this useful information and it should be restored. Not all Linux or (especially) Mac users are computer nerds and people might be in need of such information. PPP (talk) 09:03, 13 February 2009 (UTC)[reply]
  • I agree it should be removed as it is immaterial to the article. Also not mentioned (thankfully) is that Playstations, X-Boxes, PDAs, mobile phones and toasters are not targeted. Sufficient is the list of targeted OSes. These sorts of comments foster a naive view that not using the dominant platform is a security solution.

    One study (will cite when I find the book) of Windows NT and Linux workstations with clean installs, fresh IPs and a LAN directly connected to the Internet showed that both systems had mean times to compromise measured in hours, not days. Yes, it's an old study, but since it came out we have seen the rise of botnets, cross-platform parallel compute libraries and automated penetration tests designed to find weaknesses in a broad spectrum of devices connected to a network. These new tools are just as applicable to creating malicious botnets as they are to finding cancer cures at home or finding and fixing security problems in networks.

    I'm no Windows apologist and I use Linux exclusively on my own computers. I just think the constant "Linux/Macintosh/Insert favored OS here doesn't get viruses" harping misses the point. It's a smug message that if you are running Windows you should change. But if everyone changed to your favored OS your imaginary security through obscurity would also vanish. What then? Would a change back to Windows then be warranted? 121.79.12.138 (talk) 22:44, 21 January 2009 (UTC)[reply]

    • I wouldn't be too quick in drawing conclusions; some phones or PDAs are running Windows and thus could be affected by this virus. Also, I don't know the OS an Xbox is running, but since this is a Microsoft product, it could be in the danger zone. Furthermore, the comparison between a computer and a toaster is one only an anonymous would make, because everybody knows it doesn't make any sense, since a toaster is not connected to the internet. It's like stating that the apple tree in my backyard probably won't get the Conficker disease from my computer. Nor will I personally. But a desktop computer running Linux or MacOS is still a desktop computer and for many people the same thing. They surely deserve to be informed if their computer is violable or not. PPP (talk) 09:14, 13 February 2009 (UTC)[reply]
      • Given the article already mentions exactly which OSes are known to be affected, there is little point listing the OSes that are not known to be affected. Someone (207.203.88.15) appears to have noted this and added a list of other OSes including some really esoteric ones presumably to make some kind of point. I'm with the previous user who objected to the original statement. The argument that it's useful to include a list of OSes not affected might have some merit if the article said "Affects all PCs, except those with these OSes", but it doesn't. 94.193.9.40 (talk) 18:11, 13 February 2009 (UTC)[reply]

For tactfully explaining everything to this JohnCD fellow I didn't want to have to bother with, you have my utmost thanks. 62.245.140.169 (talk) 14:50, 29 January 2009 (UTC)[reply]

Comment: Why are you folks continuing to remove McAfee's on-demand removal capabilities from the list of methods to remove? I sense some sort of bias here. McAfee can detect and remove the virus but the other AVs require removal tools. This should be very important to identify. —Preceding unsigned comment added by 71.135.75.227 (talk) 20:18, 5 February 2009 (UTC)[reply]

Simple, Wikipedia information must be verifiable. Please include references with your inclusion. Sephiroth storm (talk) 23:56, 5 February 2009 (UTC)[reply]

But how will you verify the verification? If "verifiable" were enforced for every sentence in Wikipedia there wouldn't be a Wikipedia. I'm not saying it's a bad idea but it seems to be trotted out selectively. —Preceding unsigned comment added by 69.149.65.237 (talk) 04:42, 26 March 2009 (UTC)[reply]

Is Windows Mobile affected? 213.67.232.233 (talk) 01:55, 13 February 2009 (UTC)[reply]


As much as I feel the need to attach the words "evil genius" to this thing, I still grudgingly admit that this worm is extremely sophisticated... a thing of beauty. —Preceding unsigned comment added by 206.191.106.109 (talk) 18:19, 30 March 2009 (UTC)[reply]

What are the symptoms of infection?

Is there a way of determining if your PC is infected? DavidRF (talk) 19:03, 19 January 2009 (UTC)[reply]

If the user's IQ is lower than 80, then it's probably infected. 121.44.18.220 (talk) 07:42, 20 January 2009 (UTC)[reply]
Very constructive, thanks. The article is a headline in the news section of the main page of wikipedia and I haven't heard about it anywhere else. Just wondering if we could get some elaboration on this threat. DavidRF (talk) 15:01, 20 January 2009 (UTC)[reply]
Seriously, what are the indications? 惑乱 Wakuran (talk) 17:39, 20 January 2009 (UTC)[reply]
I don't know the specific ones, but this is a spybot which connects to external servers, so if you find your internet, or even just your computer, is considerably slow and it can't be blamed on just your old computer, then get the removal tool from Microsoft's website and try it; if you're clean, it won't find anything. —Preceding unsigned comment added by 24.65.77.144 (talk) 02:19, 21 January 2009 (UTC)[reply]
Apparently it spreads through networks by means of guessing passwords, and occasionally locks out users when attempted incorrect guesses one time too many. That seems to be a warning sign. 惑乱 Wakuran (talk) 10:11, 21 January 2009 (UTC)[reply]
Yes, there are ways to determine infection: e.g. [1] Peter.Hozak (talk) 09:11, 3 April 2009 (UTC)[reply]

Why can't we correctly translate the German? --202.169.60.130 (talk) 15:26, 20 January 2009 (UTC)[reply]

Yeah. Wikipedia is fucking not censored for fucking minors! 惑乱 Wakuran (talk) 17:39, 20 January 2009 (UTC)[reply]

When this worm infected hundreds of Windows machines at my company, I, being a member of IT, received a giant load of calls that wouldn't even let me stop to breathe... it was really fun to see people scared of a "malevolent virus attack" hehe Oxygenetik (talk) 10:17, 21 January 2009 (UTC)[reply]

The worm hides in a pendrive (that is contaminated on a computer with the virus); there are two parts to it. The first is an .exe file, which is a *number*.exe, and it is hidden. Note: the number is usually less than 100, like 8.exe, 11.exe. The second part is an .inf autorun config file like

ShellExecute=8.exe
Action=View the contents of this drive

When the autoplay pops up, you can select what you want to do, e.g. print the pictures, take no action, etc. Normally people will select 'view contents of this drive', but it is actually an autoplay for the .exe file. Once it is running, you can see it in the task manager as *number*.exe. The symptoms are error popups like 'suddenly, life has new meaning'. Different variations have come out, so there may be other effects on the computer. To remove, stick your pendrive into the USB port; when the autoplay window pops up, press cancel or the cross. Open cmd, type your drive letter, like H:. After that, type dir /w /o /a /p. If there are any suspicious .vbs, .exe, .ini/.inf files, type in "attrib -h -r -s -a". Then type "del filename.ext", replacing ext with the extension type, like "del autorun.inf" or "del New.exe" KamiFlame (talk) 13:50, 21 January 2009 (UTC)[reply]

That isn't the Conficker worm. The Conficker worm does not have an exe component. It is just a single DLL file.

I've had the virus, and I can tell you exactly what the symptoms are. First, it takes over the browser, and when you click on a Google search result of most anything it takes you to a different web page with ads and other links. It also displayed a page that looked like "My Computer" with a real-time virus count message appearing in red to get your attention. Then it tried to sell me antivirus software with a pop-up window. It also generated a "fake memory error" on my laptop and caused the machine to reboot randomly every 10-20 minutes. In addition, it prevented me from going to any websites to either learn about the virus or get tools to eradicate the virus. It installed a new hosts table with certain websites redirected to 127.0.0.1. It also prevented certain applications already installed on the hard drive from executing. I finally was able to get an online scan tool to run (from a website that didn't have anything related to security in its name), but during the scan the machine rebooted (see above symptom). While I was ultimately able to remove the virus, the machine had other software and drivers damaged, so when I got back home I restored from a backup Ghost image I made when the machine was new and I had tweaked the software to my liking. This is one of the nastiest viruses I've ever seen, and my laptop was updated with the latest patches, etc., so I'm not sure how I got it. I was at a hotel on their wireless network at the time of infection.

---You were on a public network...duh! That would be how you caught it. 75.89.166.147 (talk) 16:16, 26 February 2009 (UTC) TiaF[reply]

Picture

Currently there's a picture of a Sandisk Cruzer with the caption "Conficker spreads via portable storage devices." This picture is not just unnecessary (if you don't know what a USB stick is, look up the article), it could actually give the impression (to stupid people, admittedly) that Sandisk has anything to do with it, which of course they don't. I removed the picture to offset these concerns, and added a link to USB flash drive. 82.95.254.249 (talk) 14:08, 21 January 2009 (UTC)[reply]

"consisting of the abbreviation con for configuration and the nominalized form of the obscene German verb ficken (the bad f word)"

Are we children? Either let us use our imaginations as to what "ficken" means, or be more, er, explicit. Monkeyspearfish (talk) 16:38, 21 January 2009 (UTC)[reply]

I replaced it with 'fuck'. Wikipedia is not censored! ~-F.S-~(Talk,Contribs,Online?) 16:53, 21 January 2009 (UTC)[reply]
Someone is removing the definition for "ficken" and insisting that it is a homophone for "configure", which is original research and not plausible (IMHO). Reverting. 65.169.210.66 (talk) 23:05, 22 January 2009 (UTC)[reply]
It's a fact that the English word "to configure" is pronounced in English almost exactly like "Conficker" is pronounced in German, just with the difference that the "ck" in German is pronounced slightly harder than the "g" in English. That's exactly what homophone means. Furthermore, the German "ficken" is not only a term for sexual intercourse. Just like the English "fuck", "ficken" can be used in slang for stealing, beating someone up, etc... So I took the liberty to at least link to the f-word. Conficker is causing the German press to use the f-word uncensored, and talking to people about this worm very often causes disturbance. Just imagine what this would be like if the worm's name had been "confucker" (which is what I would say is the literal translation of the pun) -- what then? €0.02, --Volty (talk) 13:09, 27 January 2009 (UTC)[reply]
I don't have an issue with it being like "config," if that is a fact. I was just interested in making sure the "ficken" vulgarity was not glossed over. This homophone business is still original research as far as I am concerned, though. 65.169.210.66 (talk) 17:08, 27 January 2009 (UTC) —Preceding unsigned comment added by 24.21.10.30 (talk) [reply]
True, Wikipedia is not censored, but there are still policies about being offensive, and that word is offensive. Since we're adults, we surely don't need it spelled out for us. I suggest a change to something like, "...which is offensive in English." Carl.antuar (talk) 11:06, 23 January 2009 (UTC)[reply]
"Wikipedia is not censored, but there are still policies about being offensive, and that word is offensive."
BULLS***! ...Is that word too offensive for you, too? TechnoFaye Kane 07:14, 28 March 2009 (UTC)[reply]

"ficken" is described as obscene, but that is an exaggeration. Its use is typically considered not or only mildly offensive by native speakers depending on the context. E.g. the title of a German movie from 2002, "Fickende Fische", did not spark any public outcry, and it received an FSK 12 rating. Certain uses of the word may of course be considered obscene but this is true even of the most harmless words. Aragorn2 (talk) 05:35, 24 January 2009 (UTC)[reply]

I think that might be part of German culture, though. Nudity and sexual slang/references don't cause as much commotion as in the USA; also it is not considered harmful for children. At least if Germany is similar to Sweden, where I live. That movie was given the Swedish title "Knullar fiskar?" ("Do fish fuck?", and they do not), given an 11-year rating, and didn't cause any storm here either. 惑乱 Wakuran (talk) 13:19, 26 January 2009 (UTC)[reply]
Actually, I cannot come up with a more obscene German word for that kind of activity than "ficken". Just as Wakuran said, Germans are much more liberal with nudity and sex also in the presence of children. Sexual education here starts in primary school at an age of around seven. -- H005 (talk) 19:17, 16 February 2009 (UTC)[reply]

Conficker a pun of German hackers? Perhaps, but absurd in this case. The name Conficker is one of the tons of domains, like bxtopike or browser or leyloenk, randomly created by the worm, chosen by the first person who reported on Nov. 21st, 2008, that a worm which abuses the vulnerability in the M$ Server Service, MS08-067, is in the wild. --Ledenpas (talk) 21:38, 26 January 2009 (UTC)[reply]

So shouldn't the explanation with the German verb be deleted? There is more doubt than proof for this theory. --jefo (talk) 19:34, 29 January 2009 (UTC)[reply]
How about we all grow up and realize that "fuck" is just a word and in this case it has no impact on anything other than your sensitive little brains. Grow up and "NO, you were not offended."

The fact is, whoever wrote about the origin of the name made it up. See http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.a, analysis tab, at the bottom. —Preceding unsigned comment added by 216.73.217.121 (talk) 23:53, 9 February 2009 (UTC)[reply]

"Ficker" actually means "fucker", not "to fuck" 124.171.207.238 (talk) 01:33, 1 April 2009 (UTC)[reply]

Spread of Conficker

The article needs to be more explicit about how Conficker spreads. One line says it can spread by USB flash drives, but did it reach 9 million PCs solely on this vector? Does it spread when the user visits a website, or does it attack passive computers? Is a computer vulnerable behind a NAT router? The graphic titled "spread of conficker" doesn't help; it shows the attack coming by way of an unlabeled white box. Spiel496 (talk) 06:22, 22 January 2009 (UTC)[reply]

---Uh, lessee...public and private networks, email attachments, and portable media. Portable media including but not limited to: USB sticks/flash drives, custom-burned CDs (and I would presume DVDs as well), and floppies. Which would imply that XBOX systems may be vulnerable, but I haven't heard anything yet about that. Someone else noted that Conficker does not have an .exe file, which is technically correct, and allows for it to travel pretty much however it wants to. Once it's on a system and has a way to get off and spread it usually does. Watch out for McDonald's, hotels, and the ever popular universities while you're at it. 75.89.166.147 (talk) 16:21, 26 February 2009 (UTC)TiaF[reply]

"Win32/Conficker.A avoids infecting Ukrainian located computers" (From Malware Protection Center) maybe this explains where the Virus is from. —Preceding unsigned comment added by 71.177.230.218 (talk) 00:23, 25 March 2009 (UTC)[reply]

Systems Affected

This Symantec summary claims that affected systems include Windows 95, Windows 98, Windows Me and Windows NT. These operating systems are not included in this article; should they be? - Shiftchange (talk) 13:26, 22 January 2009 (UTC)[reply]

I think that it might be able to spread on 9x using USB, but I don't think it can do much damage to the system or spread via network. Stevenh123 (talk) 20:49, 30 March 2009 (UTC)[reply]

If it can infect a 9x system it would be very limited as to which ones it could infect; 95 and the original 98 had little to no support for USB flash drives. Most flash drives require at least 98SE and a driver. Also I believe that the writer of this worm would take the time to make it so that it could infect both 9x and NT systems when most of the Windows-based computers run an NT system, whether it is 2000, XP, or Vista. Codeman177 (talk) 02:22, 1 April 2009 (UTC)[reply]

The actual Conficker program code can't run on Windows 98 because most of its functionality is based on NT-based services. Conficker can't spread via MS08-067 because, like other NetBIOS exploits, Win-98 is simply not vulnerable to them the way that NT-based OSes are / were. Win-98 might execute the autorun.inf file that's present on infected removable media, but again the execution would fail because the code is designed to run on NT-based systems. Win-98 proves again to be less vulnerable to worm-like exploitation via network connection compared to Win2k/XP/2k3. The claims that Win98 is a less secure operating system continue to ring hollow. —Preceding unsigned comment added by 74.12.203.91 (talk) 13:14, 12 April 2009 (UTC)[reply]

Timeline

Since this was first detected in 2008 why is the coverage all in mid Jan 2009? Rich Farmbrough, 11:01 23 January 2009 (UTC).

I only heard about this today by reading it in my daily newspaper. I haven't heard about it in any of my usual online news sources. I do remember back in October hearing about Microsoft's big out-of-band release that was highly critical to install to avoid serious problems with predicted malware. I guess that the IT admins generally installed it and forgot about it. Now that it's impacting a lot of non-IT computers, it's being picked up by mainstream media sources. But that's only a guess. It did cause me to go back over all my systems and make sure that everything was protected. Turns out that not everything was. Good thing I checked; it never hurts to be reminded about these things. --Willscrlt (Talk) 14:25, 23 January 2009 (UTC)[reply]

Infobox

Hi. I added an infobox to the article, but I am not really familiar with the details of that particular one, so someone who regularly edits malware articles should add the missing information. Thanks. --Willscrlt (Talk) 14:25, 23 January 2009 (UTC)[reply]

Impact

I added the 15 million computers infected bit. It needs corroboration. I am not sure if it's true.— Preceding unsigned comment added by Anna Frodesiak (talkcontribs)

Yeah, I've seen that number on various news sites, although I think it's just an estimate. There hasn't been much news on it lately, but unless it somehow got contained it's probably on 20 million Windows PCs or more by now. Althepal (talk) 21:07, 2 February 2009 (UTC)[reply]
It's doubtful that there are 20 million computers infected, partly due to the increasing alertness. The best estimates are between 9 to 12 million I believe, with a very recent article citing 10 million - http://www.winsupersite.com/server/conficker.asp . Since I don't have permission, someone might also want to add the fact to the article that the preventive patch from Microsoft has been available since October 2008, which might help people realise how much they need to be left behind to get infected, and will probably help calm down others who patch at least monthly. —Preceding unsigned comment added by DelphinidaeZeta (talkcontribs) 10:47, 1 April 2009 (UTC)[reply]
Actually, only Conficker.A infects systems via unpatched systems. That's how it mainly got around; Conficker.B, C, and D do not spread via unpatched systems but by systems with no firewall, antivirus, unprotected shares, weak passwords, USB and CD drives, etc. However, the new Conficker.E spreads via all of those plus the methods Conficker.A uses (unpatched systems mainly), making use of all unprotected computers. Broken Fruit (talk) 20:00, 10 April 2009 (UTC)[reply]

More news on Conficker - just visit Google News:- French fighter planes grounded by computer virus (might need to say this is 'allegedly' until they confirm)
Computer virus shuts down Houston municipal courts
More usefully, OpenDNS are offering an alternative means of protection from Conficker:- [2] —Preceding unsigned comment added by 217.34.138.161 (talk) 13:11, 9 February 2009 (UTC)[reply]

Origin of name

Does anyone get the explanation on http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A (see Tab Analysis, bottom)?

(fic)(con)(er) => (con)(fic)(+k)(er) => conficker

The old explanation was much more plausible to me (but I'm no expert).

--Abe Lincoln (talk) 21:44, 16 February 2009 (UTC)[reply]

It doesn't sound very reasonable to me either, but until we have reliable sources, we had better not mention it at all. -- H005 (talk) 23:34, 16 February 2009 (UTC)[reply]
Then put both on the article.200.90.238.140 (talk) 03:44, 27 March 2009 (UTC)[reply]
Done Replysixty (talk) 05:49, 30 March 2009 (UTC)[reply]
Con-ficken (Conficken sounds like configure) (Ficken=german for fuck). Confucker. By the way, according to MSNBC, no damage has been done. Montgomery' 39 (talk) 19:54, 1 April 2009 (UTC)[reply]
Why is this necessarily German? Configuration+fucker=Confi+cker=Conficker. Simple enough in English, too, don't you think? :) ReveurGAM (talk) 10:38, 6 April 2009 (UTC)[reply]

Easy prevention?

"The Conficker worm spreads itself primarily through a buffer overflow vulnerability in the Server Service on Windows computers." It's my understanding that home users who don't have a home network (not a wireless network, which is a different animal, but a home network allowing the sharing of files, etc. among multiple machines) don't need the Server service. I disabled mine a long time ago. (Start > Run services.msc > enter > right-click Server and set to manual or disabled.) Can anyone more knowledgeable confirm whether this would prevent the Conficker from installing, even without the many other precautions being used? Thanks, Unimaginative Username (talk) 10:34, 1 March 2009 (UTC)[reply]

How about installing the patch that plugs the security hole that the virus exploits? I imagine that that would be the "easy fix".74.251.42.193 (talk) 06:34, 1 April 2009 (UTC)[reply]
Did that as soon as it was offered. It was an academic question: if it spreads through Server service, and millions of machines run this service unnecessarily, would that stop it as well? The "Big Picture" point being that every unnecessary service running is another potential vector for infection. Still waiting for that knowledgeable person to answer the question. Thanks for stopping by. Unimaginative Username (talk) 10:43, 2 April 2009 (UTC)[reply]
It would seem to me that, indeed, turning off the server service would block that hole. This assumes that the server service cannot be "called" by another routine or remotely turned back on. Considering that the worm can turn off, for example, Windows Update, it seems likely that it can turn on the Server Service. Therefore, to truly avoid this problem (without using the patch), we would have to delete the service (if that's even a viable option) from the system. This assumes that the author has yet to figure out another way to propagate the worm through another of Windows' numerous security holes. :) ReveurGAM (talk) 10:46, 6 April 2009 (UTC)[reply]
  • Thanks, but that's slightly recursive. If it enters through Server service, and Server is disabled, then it can't enter and so can't turn Server back on to let itself enter... AFAIK, if Server is set to "disabled" rather than "manual", nothing else legitimately in the system could turn it back on, although of course I could be mistaken. Certainly other means of infection are possible. Since the article claimed that this was the primary vulnerability, it seemed a reasonable question. Thanks for your time and reply. Unimaginative Username (talk) 08:10, 10 April 2009 (UTC)[reply]
Actually, it's only recursive if you take the statement in question in isolation (out of context). I have already pointed out that another attack vector (eg: removable media) would allow what I have suggested to be done. Therefore, it's not necessary to go in via the service to reactivate the service. In addition, there are so many holes in Windows, that another vector could be taken advantage of.
However, if the service were used as the vector, then subsequently patched, that would not mean the worm was gone - merely that the entry point was gone. Further, I have read that the worm is capable of modifying the service patch so that the hole is reopened. If you check out the websites that offer removal tools, they point out that the patch must be applied and then the worm eliminated. If not, then the worm is still active and doing its naughtiness. ReveurGAM (talk) 05:09, 13 April 2009 (UTC)[reply]

Bundeswehr affirmed: one of our servers is infected, some departments are affected:

http://www.bundeswehr.de/portal/a/bwde/streitkraefte?yw_contentURL=/C1256EF4002AED30/W27PED65714INFODE/content.jsp —Preceding unsigned comment added by 88.72.225.151 (talk) 09:39, 12 March 2009 (UTC)[reply]

Newsagency dpa: some hundred computers affected: http://computer.t-online.de/c/17/68/25/30/17682530.html —Preceding unsigned comment added by 88.72.225.151 (talk) 11:08, 12 March 2009 (UTC)[reply]

Origin of the virus

Would it be possible to have some information on where the virus/worm comes from (i.e. who created it), and what they were aiming to do by creating it? 195.25.74.189 (talk) 11:33, 13 March 2009 (UTC)[reply]

Nobody knows that. There is a $250,000 reward out for that information. If you have it, feel free to claim your reward. Chrislk02 Chris Kreider 13:52, 24 March 2009 (UTC)[reply]
Man do I wish I knew. If I knew, I think I'd be getting a new car. JeremyWJ (talk) 08:44, 31 March 2009 (UTC)[reply]
If I knew, I'd be getting a ton of Wii games, the new Pokemon Ranger game, and some other stuff.-69.206.165.64 (talk) —Preceding undated comment added 00:58, 1 April 2009 (UTC).[reply]
If I knew, I'd be getting a new DS, a Wii, and a dozen games for each. Then I'd donate the rest to some charity or whatever. *grinning* See? I'm nice. ---Eh. How do I sign this? OH like this. Got it. Eh...Ermmmm let me try it, here I go. -Comment added 00:21, 1 April 2009 (UTC).
Four tildes(~) make a full signature, while 3 make a shorter signature, also I don't think what we would do with $250,000 is the proper use of the talk page. Kilshin (talk) 17:07, 1 April 2009 (UTC)[reply]

How to get rid of it

I had Conficker on my computer but the virus scan enterprise seemed to make short work of that! It comes up on my screen as deleted so I don't know, I guess it's been deleted. At the moment I think the best thing to do is to simply not use a U.S.B. while on the internet. Esp. with sites like Wikipedia, which probably is a prime target. Don't save pages off the internet, and if you notice it's taking a long time to save a page like it was with me, it's probably because the computer's infected. If the worm is stealing passwords, substitute emails and passwords ought to be used only. No purchases should be made on the internet (i.m.o). Refreshments (talk) 15:18, 19 March 2009 (UTC)[reply]

Whether or not you get this virus has nothing to do with what websites you visit, whether or not you save pages from websites, or how long it takes you to save pages. This virus is spread through a buffer overrun vulnerability, which means you could get it from anywhere, anytime, even if you aren't even in your web browser. Yes, portable storage devices are capable of carrying it. But not just any USB device - your keyboard and mouse are fine. If you are infected, don't log onto anything using any passwords or personal information, temporary substitutes or otherwise. If you are infected, do NOT enter any personal information into the computer, in ANY case - web purchase related or not.Coder0xff2 (talk) 03:12, 25 March 2009 (UTC)[reply]

April 1st activation

http://www.cnn.com/2009/TECH/03/24/conficker.computer.worm/index.html Seems like it would be of major importance.--205.202.243.5 (talk) 13:27, 24 March 2009 (UTC) (Jakezing)[reply]

April Fool's Day? That would be interesting to watch because sometimes I get a feeling that the payload threat may be a planned joke. Whatever happens, keep up the citation search when the whatever developments surface [sic]. --Marianian (talk) 07:55, 31 March 2009 (UTC)[reply]
This information seems to have spread like the proverbial wildfire. Even with many major news organizations and the like reporting on this, I still cannot help but think there is something fishy about this date.
Ignoring the fact that April 1st bears the unfortunate and annoying tradition of April Fool's Day, it seems as though a lot of users have seen the effects of a so-called payload from this little bug.
There is also no mention of the date in the article itself, which would appear suspicious when you think of this information as such widespread "fact". - Evil oatmeal (talk) 20:02, 31 March 2009 (UTC)[reply]
April Fool's Day is mentioned right in the very first sentence. And the 6th paragraph. And the next one. And the second to last. ~ 68.36.101.128 (talk) 06:50, 1 April 2009 (UTC)[reply]
There is only one mention of the date in the article as far as I can tell. I still say this reminds me of the panic before Y2K, which had nowhere near the gruesome effects people "speculated" into existence ("My computer is going to explode!" "Toasters will try to kill you!" and so on). Now I'm not saying this thing is harmless, I'm just thinking that it might be wise to wait and see instead of making crazy assumptions about a payload that hasn't even been delivered yet. —Preceding unsigned comment added by Evil oatmeal (talkcontribs) 10:53, 1 April 2009 (UTC)[reply]
Conficker activated today and is awaiting instructions, so it did activate on April 1st; the only question now is what it will do. Kilshin (talk) —Preceding undated comment added 17:01, 1 April 2009 (UTC).[reply]
How.. how can you contest that it only mentions the date once? I just pointed out four places. Is it really that hard to do a search for "April" to see where it is? :[ ~ 68.36.101.128 (talk) 21:43, 1 April 2009 (UTC)[reply]
A search for "April" within the text only yields two (previously one) results, one is "April 1st" and the other is "April 2nd" somewhere towards the end. But I was really just perplexed by the way the date was referencing news articles. The notes have been changed now to point to something else. - Evil oatmeal (talk) 13:37, 6 April 2009 (UTC)[reply]

Conficker versions

According to http://www.cnn.com/2009/TECH/03/24/conficker.computer.worm/index.html and several other articles pulled up through news.google.com, we are currently on Conficker version C, which is the third release and behaves differently in some ways from Conficker.A. Conficker.C doesn't spread through the network like Conficker.A but makes Conficker harder to detect and remove than previous versions. Conficker.B was also released after the Microsoft patch. Some articles also suggest the new Conficker disables some anti-virus services. —Preceding unsigned comment added by Srvfan84 (talkcontribs) 15:09, 24 March 2009 (UTC)[reply]

And as I said above from the CNN article, it is set to activate April first. --205.202.243.5 (talk) 15:17, 24 March 2009 (UTC) (jakezing)[reply]

Analysis of Conficker

SRI International released this Technical Report, an analysis of variant C. [3]. If it has any new information, it may be pertinent. Sephiroth storm (talk) 04:41, 28 March 2009 (UTC)[reply]


Why can't it be disabled everywhere just by doing this?

The thing phones home on April 1. That IP address MUST be in the code somewhere. Even if it's encrypted, the decrypt code can be extracted and executed. If we know the IP, the FBI or INTERPOL or someone can go to that physical location and shut it down--maybe even catch the information cockroach who wrote it. You can find the physical location by (at very least) following the electrical signal to the destination. If the IP is not yet active, then the backbone net could be instrumented to disable it when it becomes active, compute the physical location, and alert the cops.

In fact, why don't they just put a packet sniffer and datascope on the network cable in back of the machine and set the PC's realtime clock to April 1?

What obvious factor am I missing here? All I can figure is that somehow the ee-ville Darkside asshole figured out a way for the program to generate the correct IP, but not allow a step-through debug to function. And I don't see how that's possible in an FSM. TechnoFaye Kane 07:37, 28 March 2009 (UTC)[reply]

There is no IP address in the code. It'll generate random domain names, perform DNS lookups on them, and try to connect. The author only has to register one of 500,000 domain names at some date after April 1st, and the worm will find it. It also doesn't use the PC's clock to get the time - it uses the Date header of HTTP responses. Corsix (talk) 17:06, 28 March 2009 (UTC)[reply]

My understanding is that it has a list of 50,000 domains, many of which are already registered to legitimate companies. I believe strong encryption is used to encrypt this list as well as seeds to the algorithm that will pick out which ones to attempt to contact on April 1, 2009. So, it's not as simple as you suggest. And it will attempt to contact all from that list. —Preceding unsigned comment added by 67.188.222.12 (talk) 17:16, 28 March 2009 (UTC)[reply]

There is no static list at all. The pool of 50000 names is generated with a PRNG using the current date as a seed. This ensures that every copy of the worm generates the same names. The worm then uses the system random number generator to pick which 500 of those to try for that day.
The domain-generation algorithm has been reverse-engineered. Anti-malware groups regularly register some of these domain names and set up webservers on them to monitor the spread of the worm. That is where they get their population estimates from.
Encryption is used mainly to protect the payloads, which are signed with the authors' 4096-bit RSA private key. The worm carries a copy of the public key and will discard payloads which don't verify. This means that the worm cannot be hijacked by having one of those domains serve a self-destruct payload.
78.46.104.168 (talk) 05:10, 30 March 2009 (UTC)[reply]
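The rendezvous mechanics described in the three replies above (a date-seeded pool of candidate names that every copy derives identically, a random subset tried per day, and payloads that must verify against an embedded public key before they run) as an added worked example. This is not code from this talk page or from Conficker itself: the label derivation, the TLD list, the pool and subset sizes as function defaults, and the small textbook-RSA key are illustrative stand-ins for the worm's real algorithm and the authors' 4096-bit key. The sample date and payload bytes are constructed for the demo.

```python
"""Toy model of the Conficker rendezvous mechanics discussed above.

Added example, not Conficker's code: the label derivation, the TLD list and
the small textbook-RSA key are illustrative stand-ins for the worm's real
algorithm and the authors' 4096-bit key.
"""
import hashlib
import random

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = ("com", "net", "org", "info", "biz")  # assumed, not Conficker's list


def daily_pool(day, size=50_000):
    """Derive the day's candidate domains from the date string alone.

    The seed is a pure function of `day` ('YYYY-MM-DD'), so every infected
    host computes the identical pool, and so can anyone who has
    reverse-engineered the algorithm, which is what sinkhole operators use
    to pre-register names and count infected hosts.
    """
    seed = int.from_bytes(hashlib.sha256(day.encode()).digest()[:8], "big")
    rng = random.Random(seed)
    pool = []
    for _ in range(size):
        label = "".join(rng.choice(ALPHABET) for _ in range(rng.randint(4, 9)))
        pool.append(label + "." + rng.choice(TLDS))
    return pool


def todays_targets(day, size=50_000, tries=500, rng=None):
    """Pick the `tries` names a single host will contact today.

    The subset is chosen with a non-deterministic RNG, so hosts share the
    pool but generally not the picks.
    """
    rng = rng or random.SystemRandom()
    return rng.sample(daily_pool(day, size), tries)


def rendezvous_probability(registered=1, tries=500, size=50_000):
    """P(one host's `tries` picks include at least one of `registered` names).

    Hypergeometric miss probability: C(size-registered, tries) / C(size, tries).
    """
    miss = 1.0
    for i in range(tries):
        miss *= (size - registered - i) / (size - i)
    return 1.0 - miss


# --- payload signing (textbook RSA over a SHA-256 digest, toy key size) ----
_P, _Q = (1 << 61) - 1, (1 << 31) - 1      # two known primes, ~92-bit modulus
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
PUBLIC_KEY = (_N, _E)       # embedded in the worm
_PRIVATE_KEY = (_N, _D)     # held only by the authors


def _digest(payload, n):
    # Reduced mod n only because the toy modulus is smaller than the digest;
    # with a 4096-bit key the padded digest fits directly.
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n


def sign(payload, private_key=_PRIVATE_KEY):
    n, d = private_key
    return pow(_digest(payload, n), d, n)


def verify(payload, signature, public_key=PUBLIC_KEY):
    n, e = public_key
    return pow(signature, e, n) == _digest(payload, n)


def worm_accepts(payload, signature):
    """Worm side of the update path: run only what the authors signed."""
    return verify(payload, signature)


if __name__ == "__main__":
    day = "2009-04-01"                                # constructed sample date
    pool = daily_pool(day, 2_000)                     # small pool for the demo
    assert pool == daily_pool(day, 2_000)             # every host agrees
    sinkholed = set(pool[:20])                        # defender pre-registers 20
    picks = todays_targets(day, 2_000, 100)
    print("sinkhole hits from one host:", len(sinkholed & set(picks)))
    print("P(one host finds 1 registered name in 50k/500):",
          round(rendezvous_probability(), 4))
    genuine = b"update-v3.bin"                        # constructed payload
    sig = sign(genuine)
    print("genuine payload accepted:", worm_accepts(genuine, sig))
    print("sinkhole self-destruct accepted:", worm_accepts(b"self-destruct", sig))
```

The two halves explain the two sides of the argument above: the deterministic pool is why defenders can predict and register names, and the signature check is why holding one of those names does not let them push a self-destruct payload. With one registered name and 500 picks out of 50,000, `rendezvous_probability()` gives 1% per host per day, which is small for one machine but near-certain across a large botnet.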

Corsix is right. It's a huge list--I believe ICANN has already started working on ensuring that none of those possible domain names will be allowed to be registered. It is not even close to as easy as getting IP addresses these days--if you haven't noticed yet, hackers/virus writers these days are ridiculously sophisticated and organized at these things. The guy(s) who wrote this almost certainly already have control over a botnet, or knows people who have control over a botnet. Chances are, they'll send a command over the botnet (chances are, the command hops over a couple of computers, maybe delayed, so that there's no feasible way to track where it originated from), which will tell a remote computer to register a domain name under a credit card # / ID that they stole from somewhere else and to set it up. Then, of course, the web server is hosted under another computer in the botnet. I'm fairly certain that it's not really possible to track them down without maybe reinfecting every computer that's part of a botnet and putting some reverse tracking code that spies on where commands come from. 131.215.166.97 (talk) 12:43, 29 March 2009 (UTC)[reply]

Wow, all of these IP users with knowledge. you all should create an account :p Sephiroth storm (talk) 12:00, 31 March 2009 (UTC)[reply]
Why are we even talking about this here? I thought talk pages are not forums. MuZemike 21:43, 31 March 2009 (UTC)[reply]
That seems kinda ironic; Conficker is basically a giant botnet in and of itself now! I'm nervous to see what it's used for...and I actually hope to get a copy of it! I use linux, so my friend (who got infected) can give it to me safely. Maybe if people analyzed it more and learned in more detail what it does and how to prevent it, we wouldn't have as big a scare! Demosthenes2k8 (talk) 00:17, 2 April 2009 (UTC)[reply]

How To Remove Conficker

This article and almost every other news article I've seen all fail to give the reader a simple direct link to programs that can remove this virus. That's a pity. 24.16.88.14 (talk) 18:21, 31 March 2009 (UTC)[reply]

Sorry, but Wikipedia is not a how-to. MuZemike 21:41, 31 March 2009 (UTC)[reply]

We added a step by step Conficker removal guide; over 25,000 visitors have already seen that page, and from that 572 clicked to avg.com/free live scan, 366 and others. This is what we wrote today a few hours ago [4] —Preceding unsigned comment added by Livecrunch (talkcontribs) 04:17, 1 April 2009 (UTC)[reply]

60 Minutes story

On March 22, 60 Minutes ran a story about this virus, led by Leslie Stahl. I've seen some websites critical of her reporting, but I think that being reported on 60 Minutes deserves a mention in the article. Rockingbeat (talk) 19:06, 31 March 2009 (UTC)[reply]


Just a heads up, someone just vandalized the main article page today, and I don't know how to report vandalism. Hopefully, if nobody's watching the actual page, people are watching the talk page... 66.192.63.2 (talk) 20:41, 31 March 2009 (UTC)[reply]

To report persistent vandals, use WP:AIV. However, to warn the vandals, go to history, click on the bugger's talk page and use the appropriate template here (if the link does not work, scroll down until you see a multicoloured table) Montgomery' 39 (talk) 20:01, 1 April 2009 (UTC)[reply]

will the Conficker virus be a computer killer type of virus

If I were a computer virus expert, I would keep a big close eye on this virus to see if it will destroy the computer's programming/motherboard/CPU/memory from the inside like the older generations of computer viruses---Boutitbenza 69 9 (talk) 22:50, 31 March 2009 (UTC)[reply]

So far, Conficker appears, to me, the AIDS of computer viruses... Regardless, is this leading to discussions on improvement of the article? If not, just remember that this isn't a discussion of Conficker itself. Just the article--Unionhawk (talk) 23:15, 31 March 2009 (UTC)[reply]
There is no virus that magically destroys your hardware. That's impossible. The design of the hardware in itself prevents that.74.251.42.193 (talk) 06:42, 1 April 2009 (UTC)[reply]
What they may be referring to is CIH? That wiped a part of BIOS, so to most users that would be effectively a destruction of the machine, although an actual physical one (like halt and catch fire, or poke of death), I don't know of any of those for modern x86 architecture Jinniuop (talk) —Preceding undated comment added 23:01, 2 April 2009 (UTC).[reply]
Well, I heard it can overload the circuits —Preceding unsigned comment added by 67.52.248.218 (talk) 14:27, 3 April 2009 (UTC)[reply]

Theoretically it makes sense, if something literally overloaded a computer to the point that it generated too much heat and caused a problem, but most computers have safety mechanisms to prevent damage to components in the case of heat issues. Sephiroth storm (talk) 14:40, 3 April 2009 (UTC)[reply]

Conficker April 1st Joke

Many are led to believe that Conficker is an April 1st joke. By the way, ficker in German means F****er. Livecrunch (talk) 04:31, 1 April 2009 (UTC)[reply]

Neither of my computers has been infected (at least not yet) and no one has been frantically screaming in the street (at least not yet), so I am starting to think that this is a joke.--Duffy2032 (talk) 04:37, 1 April 2009 (UTC)[reply]
Well, people have most definitely been infected with Conficker. Whether it does anything... Honestly, I'm just waiting for 1000 pop up windows with Rick Rolls and "April Fools" in yellow font and flashing magenta background to pop up. -- 204.112.157.26 (talk) 06:43, 1 April 2009 (UTC)[reply]
"flashing magenta background" That's gonna cause seizures. I wonder if you changed the date on your computer to April 2nd, would it still activate? Kirbyroth (too lazy to sign in xD) 67.52.248.218 (talk) 14:29, 1 April 2009 (UTC)[reply]

Right now it may seem that all it is is some April 1st joke, but with all the effort the author of this virus put into it to make it hard to remove and how it updates, I don't think that all it's going to do is make a bunch of pop-ups. It's possible that it is a joke, but the effort that had to be put in to make the virus makes me think that it is for something; it is possible that the virus is having trouble finding the update it needs to download. Another possibility is that this is a deliberate tactic: if the author of the virus were to wait to update the virus until next week, when no one cares and everyone just thinks that it is a joke, it would be a perfect way to catch people off guard. Codeman177 (talk) 14:17, 1 April 2009 (UTC)[reply]

Well, it's so far just making computers vulnerable to other viruses... That's something.--Unionhawk (talk) 16:01, 1 April 2009 (UTC)[reply]
Um, yah...according to MSNBC, the virus is real, but ET has not phoned home...yet...Also, changing the date will NOT work. Montgomery' 39 (talk) 19:58, 1 April 2009 (UTC)[reply]
yeah, I think it's safe to say this was all a joke. At least, the April 1 launch part...--Unionhawk (talk) 15:06, 3 April 2009 (UTC)[reply]
I don't think that it's a joke. It did update to make itself harder to remove, and it also made it harder to find the author. Although it didn't cause mayhem on the internet, it is still out there waiting for an instruction from its author, and that could be days, weeks, or even months until we see that. Yes, it could be a joke, and as it seems right now it is just a joke; however, if I had gone to the trouble of writing a virus that can disable all security features on a system, block websites that could aid the user in removing the virus, and wrote a domain name generator that can generate 50,000 domains per day, I would not make it one big joke. I think that the author of this virus is just waiting until everyone has either forgotten about the virus or moved on to a more concerning problem, like possibly the hole in PowerPoint that they found today. Codeman177 (talk) 19:47, 3 April 2009 (UTC)[reply]
I just added that to the article. It may need a better source, but, you guys can handle that, right?--Unionhawk (talk) 20:03, 3 April 2009 (UTC)[reply]

Two external links removed due to suspicion

Two external links were removed by me due to suspicion of being fooling pages which may lead one to malicious domains. I had entered one of the links and got directed to a very suspect domain. Fortunately Kaspersky removal tool didn't detect the virus, but I removed those links in order to protect Wikipedia users. Robfbms (talk) 04:58, 1 April 2009 (UTC)[reply]

You removed the one that helped people step by step in removing the Conficker, but I do agree with the one that was confliker...com something, good catch! Livecrunch (talk) 07:31, 1 April 2009 (UTC)[reply]

conficker versus conflicker

Can someone tell me what is the right spelling? All sorts of outlets call it "conflicker" while some will go back and forth in the same article from conficker to conflicker 69.205.97.220 (talk) 18:22, 1 April 2009 (UTC)[reply]

I would assume (in part intentional?) misspelling since "ficker" means "f***er" in English.--The Magnificent Clean-keeper (talk) 18:29, 1 April 2009 (UTC)[reply]

And it's not "configure" + "ficken", it's "con" + "f*cker", the German thing is just part of the joke. This is a dumb April Fools' joke. The worst is that some major websites bought it... and a few of them are playing along. Ridiculous.

Well obviously not, considering that it had a nasty scare last year, and it's been talked about on hacking sites for a while now. This is a very real and dangerous threat. Demosthenes2k8 (talk) 00:22, 2 April 2009 (UTC)[reply]
If it is a joke, it's a highly sophisticated one.. encrypted payloads to protect against hijacking? inbuilt P2P like system? PRNG generated update mechanism? I was pretty amazed when I read about this virus, and I've read about a number before. It seems way too much effort for the end payload to just be some prank. Jinniuop (talk) —Preceding undated comment added 23:05, 2 April 2009 (UTC).[reply]

But... what on earth does it /do/?

The article tells me that this worm is an ace at propagating/protecting itself, but what the heck is its mission? The article seems to say nothing about the actual damage it does (other than the incidental [to propagate/protect itself] opening of security holes etc). Does it trash data? Or send spam? Or ddos? Or spy? Or phish-host? Or clickbot? Or what?
Also, the article says it downloads binaries ("payloads" eh?), but doesn't say anything about what it does with those. Someone fix it please. -- Fullstop (talk) 21:38, 1 April 2009 (UTC)[reply]

So far it simply seems to be a dangerous annoyance; it disables/prevents anti-spyware/virus programs and/or Windows components. Yes, it does seem extremely sophisticated in how it protects & spreads itself. No one knows what its true purpose is, but I presume it's going to be impressive when the real payload hits. - insidious420 —Preceding unsigned comment added by 208.207.43.2 (talk) 21:59, 1 April 2009 (UTC)[reply]
My understanding (which is rudimentary at best) from reading this article, its references, and other various sources is that the worm is an attempt to "move" or "create" domain names. Meaning, that if you had a domain called IamBill.com, it could move that domain to something like 157A83.com. It appears that not much happened over the April 1 date, but apparently many techs are still concerned over the future abilities of this virus/worm. Mainstream media are reporting a summary which mirrors this, but often they lack the technical knowledge to define a situation like this in accurate detail. I hope that helps — Ched :  Yes?   : ©  08:19, 2 April 2009 (UTC) (worries about WP:NOTFORUM for this thread.)[reply]
I think your understanding of it is wrong. It does change some domain resolution as part of its host blocking, but that doesn't affect the real domain; it's just an effect on your machine to stop you being able to fix it. No-one knows what it will actually do yet, but if past viruses are anything to go by, it could be something like... a) setting up servers on your machine to host content for criminal gangs b) sending spam from your machine c) attacking a foreign government's infrastructure (although we don't even know who is 'foreign' at this stage) d) making pop-ups or such to try and sell you fake software e) all of the above. That's really just speculation based on past ones I know, but with one this complex it is likely to be used for some criminal commercial gain, or some political aim. I agree that this is becoming a little forum like, but I do think it's an important question that should be addressed. I think we should try and find some reliable source making such speculations, and then in the article say "It has been speculated by X based on prior experience that the virus could be used for Y", so that people have an idea of what kind of things these programs do. Jinniuop (talk)

In case you guys are interested, there's a complete analysis of the A and B variants of the worm here: http://mtc.sri.com/Conficker/ and variant C here: http://mtc.sri.com/Conficker/addendumC/ Basically it does nothing except update itself at the moment; although it has the potential to do quite a bit, it is not currently doing anything very malicious at all. Whitehatnetizen (talk) 15:09, 3 April 2009 (UTC)[reply]

First thanks to both Whitehatnetizen and Jinniuop. Those resources can definitely help improve the article. I guess if we/they catch him/her/them before it gets updated with something really nasty, it'll just be a footnote in virus history. The "Security Product Terminator Thread" is probably the one that concerns me the most. I also agree that my understanding of the domains was wrong, and Jinniuop is much more accurate with the DNS redirect points. Hopefully these two sri.com resources can help improve the article. Thanks to all. — Ched :  Yes?   : ©  15:30, 3 April 2009 (UTC)[reply]
Sephiroth also mentioned the C-variant link here http://en.wikipedia.org/wiki/Talk:Conficker#Analysis_of_Conficker I didn't see that before posting the previous paragraph Whitehatnetizen (talk) 15:41, 3 April 2009 (UTC)[reply]

Originally, the worm was scheduled to download a payload from trafficconverter.biz after 1 December 2008. That site was run by a Ukrainian outfit called Baka Software, and was used to organize a lucrative pay-per-install affiliate program for Antivirus XP, a scareware product.[5] The payload URL looked like an executable installer for this product, and the millions of infected computers would have been a huge bonanza for them.[6] But, as it were, the site was shut down in late November[7] and the worm missed its rendezvous. —Nailbiter (talk) 18:19, 3 April 2009 (UTC)[reply]

As I was reading through everyone's comments, what struck me was how intelligently made this program was, which made me think of scareware like Micro Antivirus(AV) 2009/Privacy Protector/Error Cleaner/Vista AV Security Package, Antivirus 2009, PC Antispyware, Spyware Remover,MS Antivirus, PC HealthCenter, Virus Remover 2008, Kvm Secure, and others. Groups like these put in enough time and effort to fool lots of people into allowing their software onto their computers. Some people even downloaded these programs from rogue websites, and paid for it! The graphics are designed to look professional and resemble Microsoft products; the spread via social engineering shows cunning and an understanding of psychology; the viruses, worms and trojans involved in it are sophisticated (enough to thwart an armchair security analyst like me) and require software designed to neutralize (like Malwarebytes' Anti-malware); the worm can disable programs that might kill it (such as Anti-malware, utility kits and antivirus programs) or work around them; etc. I've read briefs and articles about the worm, including from Microsoft, McAfee, Symantec, newspapers and other sources, yet none of them state the ultimate effect, aside from being blocked from antivirus websites, protection via Windows Defender, updates from Microsoft, etc. These are relatively minor effects, albeit irritating.
So, what's the end goal of the group/author? Anarchy? A well-planned shot at the poorly written Microsoft Windows series? Creating a super-network of computers for illegal data collection? The fulfillment of some sort of political/religious agenda? Specific targets (governmental/military/educational/etc.) being acquired during the random spread of this virus so their servers could be ransacked/hijacked? Something else? Perhaps this is just a stage in a series of developments that will be mutated when the virus is considered ready (because of how many computers are infected, or which computers are infected?) by the author(s). It may be that this is the gateway to another stage that will also frustrate security analysts because it will be delivered via the current platform, be encrypted, and equally difficult - but have a much worse effect that end-users will notice (much like scareware that forces users to seek the paid version). I am inclined to think this is more than just a casual project with no real agenda behind it - or else someone is REALLY bored!
This is exactly what I'm looking for: "No one knows what the worm was really created to do because it's encrypted. Thus far, the effects to end-users seems negligible" Why isn't this stated in the article?ReveurGAM (talk) 11:18, 6 April 2009 (UTC)[reply]
You're getting several terms mixed up here. The worm is only encrypted and signed when in transit as a payload. It has to be decrypted and unpacked into machine code for execution. You might mean that the worm's code is heavily obfuscated. But that is a separate issue to whether the purpose of the worm is clear or not. In any case, obfuscation has not stopped researchers from patiently picking apart the worm code path by code path and coming up with some thorough analyses.
The clearest (but by no means certain) indication so far of the worm's purpose was variant A's attempt to download an executable from the site distributing the Antivirus XP scareware product. That particular scareware scheme is already very lucrative: it was revealed that one of the affiliates on that site had made $140,000 USD in a single month as commission on registrations of just 2700 users.[8] If the worm had made its rendezvous, that would have been just pocket change.
Nailbiter (talk) 16:18, 6 April 2009 (UTC)[reply]

Find a source for it. Sephiroth storm (talk) 11:25, 6 April 2009 (UTC)[reply]

ReveurGam - it's not the fact that "it's encrypted" that no one knows what its end-goal is; it's the fact that currently it does nothing except update itself. Every time it updates itself the "good guys" reverse engineer it again to see what it does now. As soon as it updates to actually do something else, we'll know about it. Whitehatnetizen (talk) 12:15, 6 April 2009 (UTC)[reply]
Well, clearly then my understanding of the impact of the encryption on the research is flawed. I did also read that the coding is very elaborate to make it obfuscated. Anyways, I heard that bit about what Conficker does to download the scareware, and I saw here the mention of the spambot. Just another high quality attempt to get more money from victims. And it works, judging from what Nailbiter mentioned!ReveurGAM (talk) 05:14, 13 April 2009 (UTC)[reply]

Neeris

I don't know if this should be mentioned in the article, but a new version of the Neeris worm was found to exploit the same hole in Windows and uses a similar method of infecting computers through the AutoRun function. The first version of the virus was found in 2005, but the new version was found April 1st, the same day as Conficker's "activation", though that is believed to be coincidence. Some believe that the two virus authors may be working together, as Conficker copies parts of Neeris and the new version of Neeris copies parts of Conficker. If anyone thinks that this should be added into the article I can get the sources Codeman177 (talk) 21:06, 6 April 2009 (UTC)[reply]

Include, Provided Sources - Absolutely. If you can get a good source that says this, then go ahead and include it. Provided a good source, of course.--Unionhawk (talk) 21:14, 6 April 2009 (UTC)[reply]
I found an article in the Microsoft Malware Protection Center blog which I would consider a good source. Also, should it be added into its own section on the article? Codeman177 (talk) 22:04, 6 April 2009 (UTC)[reply]
Neither the MS08-067 nor the AutoRun vector is unique to Conficker. In fact, there's often a surge in malware targeting a particular vulnerability after it is revealed[9], with many different malware authors racing to code up a working exploit before the vulnerability is patched. For those in a hurry, a Chinese kit for MS08-067 was also available in November last year for just $37.80 USD.[10] So, it's not a good idea to hypothesize common authorship of the two worms based on use of similar vulnerabilities. It's also not a good idea to say that one worm "copies" the other, because that implies that they share actual machine code.
Nailbiter (talk) 12:44, 7 April 2009 (UTC)[reply]

Vandalism

Just putting it out there, someone has been changing the technical name to: how to fuck a girl ha hahaha etc. I don't know what the technical name is, but I deleted the vandalism. If someone could re-add the info, it would be appreciated. 72.45.118.204 (talk) 01:29, 7 April 2009 (UTC)[reply]

There never was a Technical name for it in the article, and I don't know what it could be, so, I think you're good.--Unionhawk Talk Review 12:03, 7 April 2009 (UTC)[reply]

Activity?

Is there any info on the purpose of this worm, e.g. what actions (spamming, D.O.S. etc., but *not* the update routine) it has been / is used for? 91.11.224.146 (talk) 22:31, 9 April 2009 (UTC)[reply]

Seems like it is turning out to be just a standard spam-bot/keylogger, disappointing really: http://blogs.zdnet.com/BTL/?p=16082&tag=nl.e589 Whitehatnetizen (talk) 11:51, 10 April 2009 (UTC)[reply]
There's also news that it installs fake anti-virus software: http://news.cnet.com/8301-1009_3-10217386-83.html 91.11.224.127 (talk) 16:25, 11 April 2009 (UTC)[reply]

Information Conflict

Under section Initial infection, there is information that conflicts with the chart preceding it. The chart states (with sources) that variants B and C run a dictionary attack on ADMIN$ shares, while the Initial infection section claims that Conficker B/C runs a brute force attack. These two methods of testing possible passwords are similar in nature but have drastically different effects on overall computer performance, effectiveness, and time-to-completion. Seeing as Conficker's creators seem to have put emphasis on stealth, my best guess is that a dictionary attack is used. In addition, only the dictionary attack method is cited. I cannot yet edit the page, as I am not auto-confirmed, but if someone could sort out the discrepancy at their leisure, I would really appreciate it.

Thanks,
Zenexer (talk) 23:17, 10 April 2009 (UTC)[reply]

Task manager

Being fairly sure that the Home PC was infected by this, is the disabling of task manager also a symptom? MMetro (talk) 20:25, 12 April 2009 (UTC)[reply]

AVG on-demand does not remove this worm

This is just a personal anecdote, but AVG's on-demand scan did not remove this worm from my computer (as the article states it does). Its passive shield, however, was able to detect it. A minor point, and maybe just user error, but still, can someone in the know double-check this? I am skeptical. --210.248.139.35 (talk) 06:26, 13 April 2009 (UTC)[reply]

This is not a forum. You should only discuss something relevant to the article here. Relevant being like suggested changes, additions, corrections, and such. General discussion like this is not meant here. JeremyWJ (talk) 06:30, 13 April 2009 (UTC)[reply]

First Conficker

Last September (possibly in August or October, can't remember the right month) I caught a worm almost exactly the same as the Conficker. The only possible difference (it could have been another worm/virus) was that it blocked access to "my computer" when I tried to access it from the desktop. Is it possible that it was one of the first Confickers made? And if someone wants to study it then I still have it on a memory stick, but I'm afraid you will have to get it from me or tell me how to extract it from the stick, because I'm using Linux nowadays. Skele (talk) 21:04, 16 April 2009 (UTC)[reply]