Rid your computer of Conficker
Report: Conficker worm bites University of Utah
More than 700 computers at the University of Utah, including those at its three hospitals, have been infected with the worm. (Posted in Security by Natalie Weinstein)
April 12, 2009 7:04 AM PDT
Conficker also installs fake antivirus software
In addition to dropping a mystery payload on infected machines, the Conficker worm installs software that tries to dupe people into paying nearly $50 for fake antivirus software. (Posted in Security by Elinor Mills)
April 10, 2009 4:00 PM PDT
Researchers say Conficker is all about the money
Conficker's ties to a large spamming and password-stealing botnet give credence to the speculation that money, and possibly malicious Eastern European hackers, are behind the latest Internet worm infection. (Posted in Security by Elinor Mills)
April 9, 2009 11:43 AM PDT
Conficker wakes up, updates via P2P, drops payload
Conficker is updating itself on infected computers via peer-to-peer technology and is programmed to stop running on May 3, Trend Micro researchers say.
Podcast: Conficker using P2P to spread payload
(Posted in Security by Elinor Mills)
April 8, 2009 3:27 PM PDT
Eye chart can help diagnose Conficker
April Fools' Day passed with much angst over and little action from the Conficker worm, but that doesn't mean it's not a threat. Quickly determine if you're infected with this "eye chart." (Posted in The Download Blog by Seth Rosenblatt)
April 3, 2009 5:36 PM PDT
All quiet on the Conficker front. Now what?
Just because Conficker was quiet doesn't mean it won't act in the future, turning unsuspecting PCs into spam-sending drones or stealthily stealing passwords from people, experts say. (Posted in Security by Elinor Mills)
April 1, 2009 8:05 AM PDT
Countdown to Conficker--a bust so far
Researchers say the worm is awake on computers in Asia where it's already April 1, but so far it hasn't taken much action. We'll keep you updated here. (Posted in Security by Elinor Mills)
April 1, 2009 6:35 AM PDT
Podcast: Worm 'phoning home' but getting no answer
Security watchers at McAfee say that Conficker is trying to communicate with master computers but isn't getting through. (Posted in Larry Magid at Large by Larry Magid)
April 1, 2009 5:21 AM PDT
Conficker flaw reveals which computers are infected
Researchers find flaw in Conficker that lets them detect which computers have the legitimate Microsoft patch and which were "patched" by the worm itself.
Conficker demonstrates complexity of IT security
(Posted in Security by Elinor Mills)
March 30, 2009 1:54 p.m. PDT
Podcast: Conficker worm dissected
David Perry, education director of Internet security company Trend Micro, discusses the implications of the worm. (Posted in Larry Magid at Large by Larry Magid)
March 30, 2009 11:04 p.m. PDT
Conficker worm might originate in China
A Vietnamese security firm concludes that the Conficker worm has the same root as the Nimda, which the firm believes originated in China.
Malware probes find a China angle
(Posted in Security by Dong Ngo)
March 29, 2009 7:30 p.m. PDT
'60 Minutes': What's next for the Conficker worm?
A report on the CBS News television news program examines one of the Internet's most dangerous computer worms. (Posted in Security by CBS Interactive staff)
March 29, 2009 7:00 p.m. PDT
FAQ: Conficker time bomb ticks, but don't expect boom
Worm's latest variant is set to start hitting random domains on April 1. But security experts say the damage might not be as serious as the hype suggests.
U.K. parliament computers get Confickered
(Posted in Security by Elinor Mills)
March 25, 2009 5:10 p.m. PDT
Researchers have discovered another feature of the Conficker worm that provides an additional clue about the intent of the creators--the worm installs malware that masquerades as antivirus software, Trend Micro said on Friday.
The worm, which has infected millions of Windows-based computers on the Internet, is downloading a program called Spyware Protect 2009 and displaying warning messages saying that the computer is infected and offering to clean it up for $49.95, according to the Trend Micro blog.
If you see this pop-up message, chances are your computer is infected with Conficker. The latest feature of the widespread worm is that it installs fake antivirus software on infected machines. (Credit: Trend Micro)
The infection alerts repeatedly appear, and experts are worried that people may be clicking on them and paying for the software just to be rid of the annoying messages, thereby handing thieves their credit card information.
The fake antivirus program also attempts to install a Trojan downloader that is programmed to download new versions of Spyware Protect 2009, according to Kaspersky Lab's blog. However, the domain the Trojan downloader was being accessed from has been shut down, the blog said.
The fake antivirus feature further bolsters the speculation that the motivation behind the worm is to make money and not a desire to disrupt computer or network operations.
Researchers were still analyzing the worm's new component code, which on Wednesday began spreading via peer-to-peer and being downloaded from domains that host the Waledac worm, but were finding the task difficult because the instructions are encrypted.
The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords. The worm disables security software and blocks access to security Web sites.
Despite all the news the worm has made, many computers still remain unpatched, Sophos said. Of the people who have used Sophos' free endpoint assessment test to check the security risk of a network since the beginning of the year, 11 percent did not have the Microsoft patch installed, according to Graham Cluley's blog at Sophos.
For the month of March, 10 percent of all of the people who used the Sophos assessment tool were missing the patch, he said. The company did not divulge exactly how many people had used the tool and Cluley said the statistics cannot be extrapolated to represent the number of unpatched systems on the Internet.
In an indication of infection rates, IBM's Internet Security Systems group released statistics that show that the number of unique IPs infected with Conficker.C is increasing slightly.
Based on infections seen through monitoring devices in IBM ISS' Managed Security Services, the number has grown from just over 64,000 on April 2 to more than 71,000 on April 8, according to the unit's Frequency X blog.
"We've seen around 11 percent more unique IPs in the past few days in comparison to a week ago," the blog said, also adding that the number doesn't necessarily indicate the scope of worldwide Conficker infection.
Nearly 60 percent of the infections monitored by IBM ISS are in Asia, followed by 18 percent each in Europe and South America, and 4 percent in North America, the statistics show. By country, China leads with 16.6 percent, followed by Brazil at 10.8 percent, Russia at 10.2 percent and Korea at 4.6 percent, according to ISS.
To check if your computer is infected you can use this Conficker Eye Chart or this site at the University of Bonn. There is also a Conficker removal guide on CNET's Download.com site.
In the wake of the Conficker worm, we dug into our research vault, known as the Web, and ferreted out the five deadliest computer viruses/worms of all time. Turns out all we needed to do was read the London Times. And all they needed to do was ask a security company.
It goes without saying that you should watch the video to see what the Top 5 are. But you have another incentive: for this week we are giving away a size-large throwback CNET fleece, as modeled in the video by Intern Chris Knox and Producer Sarah Harbin.
Watch the video, then come back here and answer the trivia question. If you are one of the first 10 people to get it right, you have a chance to win the fleece. Best of luck!
P.S. If these five PC viruses give you the chills, check out our favorite freeware antivirus and other security picks in CNET Download.com's Security Starter Kit.
UPDATED on Thursday, April 9 at 12:30 p.m.: The original link to the eye chart broke, but a new, working one has replaced it.
April Fools' Day passed with much angst over and little action from the Conficker worm, but that doesn't mean it's not a threat.
Joe Stewart from SecureWorks has put together an effective "eye chart" that sources its graphics from sites that Conficker would block. Click here to test the eye chart. If you can't see one or more of the images, you're either infected, or image loading in your browser has been disabled.
Firefox users can check if image loading has been disabled under Tools/Options and the Content tab. Load Images Automatically should be checked. Internet Explorer users will find it under Tools/Internet Options, then the Advanced tab. Scroll down to Multimedia, and Show Pictures should be checked.
It's a test based on the fact that Conficker blocks legitimate security Web sites. The logos are sourced remotely, so if they can't load, the sites are also likely to be blocked. If you're seeing blocked images, you should check out the CNET guide to removing Conficker--just because the botnet hasn't done much that's demonstrably malicious yet doesn't mean it can't or won't in the future.
Let's assume you're on the receiving end of the worst April Fools' Day joke of 2009: your computer's been infected with the Conficker virus. It's a frustrating but not insurmountable problem. This guide will walk you through how to cleanse your computer and inoculate against other Conficker variants.
First off, make sure that you are actually infected. There aren't many warning signs, but a few will stand out if you know what to look for. One fast way to check is to try to visit any major security software publisher's Web site. If you've cleared your browser cache beforehand, and you can load the sites of Symantec, Eset, Avira, or AVG, you're clean because Conficker blocks access to them.
Another good litmus test is to check on the status and functionality of Windows services such as Automatic Updates, the Background Intelligent Transfer Service, Windows Defender, and Error Reporting Services. If any of those have been disabled without your consent, or if your account lockout policies have changed without approval, you might be infected. Other warning signs include unusually high traffic on your local area network, and domain controllers responding slowly to client requests.
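The site-blocking test behind the eye chart and the service check described above can be scripted together. The following PowerShell is an added example, not code from CNET or SecureWorks; the vendor URLs, the neutral control site, and the service short names are assumptions mapped from the names in the text.

```powershell
# Added example. URLs and service short names are assumptions derived from the
# vendor and service names in the article; adjust them for your environment.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$securitySites = 'https://www.symantec.com', 'https://www.eset.com',
                 'https://www.avira.com', 'https://www.avg.com'
$controlSite   = 'https://www.example.com'   # neutral site: proves the network works
$services = [ordered]@{
    wuauserv  = 'Automatic Updates'
    BITS      = 'Background Intelligent Transfer Service'
    WinDefend = 'Windows Defender'
    ERSvc     = 'Error Reporting Service (XP/2003)'
    WerSvc    = 'Windows Error Reporting Service (Vista and later)'
}

function Test-SiteReachable([string]$Url) {
    try {
        Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10 | Out-Null
        return $true
    } catch {
        # An HTTP error status still means a server answered, so the site is not blocked.
        return ($null -ne $_.Exception.Response)
    }
}

function Get-ConfickerSymptoms {
    $findings = @()
    if (Test-SiteReachable $controlSite) {
        # Only meaningful when the control site loads: otherwise the network is simply down.
        $blocked = @($securitySites | Where-Object { -not (Test-SiteReachable $_) })
        if ($blocked.Count) { $findings += "Unreachable security sites: $($blocked -join ', ')" }
    } else {
        $findings += 'Control site unreachable: no network, site test is inconclusive'
    }
    foreach ($name in $services.Keys) {
        # Services that do not exist on this Windows version are skipped.
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if ($svc -and $svc.StartMode -eq 'Disabled') {
            $findings += "$($services[$name]) ($name) is disabled"
        }
    }
    return $findings
}

$result = Get-ConfickerSymptoms
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else { 'None of the symptoms described in the article were observed.' }
```

A disabled service is only a symptom if nobody on your side disabled it, so compare the output against your own configuration baseline before treating it as an infection.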
If you're running an up-to-date virus scanner, it's unlikely you'll get infected unless you've configured your computer to not receive automatic Windows updates. Checking your list of installed updates for security update MS08-067 (KB 958644) is not recommended because the worm, alternatively known as Kido, Downup, or Downadup, fakes the patch job.
A worm that spreads via removable devices, network shares, and weak administrator passwords--in addition to exploiting a critical Windows vulnerability--is spreading so fast it is becoming an epidemic, a security researcher said on Thursday.
The worm, known as Kido, Conficker, or Downadup, initially exploited MS08-067, a vulnerability considered critical for Windows 2000, XP, and Server 2003. It was patched in October.
Newer variants have been configured to give the worm the ability to infect via other means to get onto the network, said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab.
"The Kido authors are trying to get into these networks by infected removable devices and by using other Trojans to install Kido on a computer, which will then try to infect other machines on the local network," he said in an e-mail statement. The worm "is currently causing an epidemic."
An estimated 3.5 million computers are believed to be infected with the worm, ZDNet reports.
