• Services
• Get Help
• Accounts
• Computer Labs
• Software
• Training
• Network
• Hardware Purchases & Repair
• Information Systems Applications
• Information
• Alerts & News
• Security
• Policies & Standards
• Forms
• About Information Technology
• IT Planning
• Staff
• Organizational Chart

Conficker Worm Information

On March 29th, the CBS 60 Minutes television show broadcast a segment entitled, "The Internet is Infected". You can view the segment here: http://www.cbsnews.com/video/watch/?id=4901282n

A Windows computer worm called Conficker has infected millions of computers. It is scheduled to update itself and change its behavior on April 1st. This has led to a lot of press coverage and speculation. This page contains information about the worm and the show.

• Are millions of computers infected?
• Is my computer infected?
• How do I prevent my computer from becoming infected with Confiker?
• What will Conficker do on April 1?
• Can I get infected by clicking a link in Facebook as shown 60 Minutes?
• Can criminals do all the things described on the show such as reading my passwords and tracking my web browser without my knowing it?
• The show seemed to indicate that computers and bank accounts can be broken into even with security software. Is this true?

Are millions of computers infected?

Yes. But not just by Conficker and not just lately. Computer infections allowing control by criminals have been a problem for some time. There have been large networks of infected computers in the past.

Is my computer infected?

Hard to say as each malicious program works somewhat differently. One thing that Conficker does is try to block you from browsing to various web sites you might visit to get security updates or information.

Open a web browser and attempt to visit the following web sites:

• http://windowsupdate.microsoft.com
• http://www.symantec.com

If you are able to reach those sites, your computer is probably not infected with Conficker. If you are unable to reach those two sites but are able to reach most other Internet sites, your computer is probably infected with something and you should log a JMU Computing HelpDesk call by sending email to helpdesk@jmu.edu.

Windows computers that have been installing automatic updates from the Microsoft or JMU WSUS servers and that run the JMU provided Symantec anti-virus software are unlikely to be infected with Conficker. All IT managed computers connected to the IT domain have these updates automatically applied.

If there is any doubt:

1. Verify you have all the latest Microsoft updates from the Microsoft update site.
2. Download and run a Conficker removal tool. Click here to download Symantec's tool and double click it once it is on your desktop. You need to be using an Administrator account or use RUNAS to run the tool. Full instructions can be found here. Note: Symantec named the worm Downadup instead of Conficker.

There have been four devices on the JMU network reported to be infected with Conficker. Two were infected USB drives. We also received a report from an off-campus agency who reported that two student wireless addresses were infected. We have been unable to substantiate that report as it did not include time and date information needed to identify the computer(s) attached to the wireless network.

How do I prevent my computer from becoming infected with Confiker?

The same ways used to prevent other infections and that are described in the JMU StartSafe recommendations. To summarize:

Stay up to date with Microsoft updates. The primary infection vector for Conficker is through a defect Microsoft patched last Fall. JMU IT managed computers in the IT domain are updated automatically.

Be careful about plugging USB devices into your computer or allowing others to do so. If they have been plugged into an infected computer, they can spread the infection to your computer. On Windows computers, hold down the shift key and keep it held down until you're told the device is ready. That will keep the autorun function from starting and infecting your computer.

USB devices that can be infected or carry infections include anything that can store files including cameras, picture frames, external USB drives, and USB keys.

Conficker is just one of many malicious programs that spread through USB devices. Operating the computer with a regular user account for day to day use rather than an administrative account can help minimize the damage caused by USB infection vectors as well as many, many others. It will stop most of today's infections.

Enable your firewall. This will keep Conficker and other network scanning worms from exploiting a defect or getting access to an inadvertent share. All new computers come with their firewall enabled so unless you disabled it, it should be enabled. Instructions on enabling it it can be found on the StartSafe site. JMU IT managed computers in the IT domain have their firewalls enabled by default.

Download and install JMU provided Symantec anti-virus software. Although anti-virus software will detect and stop current versions of Conficker from running, all anti-virus software is always playing catch-up. New malicious programs are released daily and it takes time for the anti-virus software to be updated to detect them. Sometimes days or weeks. Sometimes never. That is why the other measures are so important. Anti-virus software is a last ditch security effort that might protect you when everything else has failed. It should never be relied upon as a primary protective measure nor be the only factor in deciding if something is safe to download.

Use strong passwords. Another Conficker infection vector is through weak passwords on Windows file shares. Risk can be further reduced by making all file shares read-only.

Although Conficker does not presently infect computers through third party software such as Adobe Reader or QuickTime, it is very important that such software be kept up to date with regular patches to prevent infection by similar malicious programs. Links to patches for some of the more common software can be found on the JMU critical security updates pages. If you install it, you're responsible for keeping it up to date. JMU IT managed computers in the IT domain have some of these software updates applied automatically and the number of supported product updates continues to grow.

What will Conficker do on April 1?

On April 1st, Conficker will change the way it communicates. That is all anyone knows. It has changed this way in the past. There has been speculation that Conficker will also stage some sort of attack on April 1st but there is no evidence to support that. Nor is there evidence to support that it won't.

Conficker has had the potential to be used by criminals to stage attacks since it started infecting computers last Fall. The same is true of lots of other malicious programs going back several years. Nobody can say what a criminal will do with a weapon nor when they will do it.

The JMU network is monitored for abuse and anomalies just like most networks are and we will react to events as they happen.

Can I get infected by clicking a link in Facebook as shown 60 Minutes?

You can get infected by clicking a link anywhere if your computer has not been maintained properly.

A computer set up according to JMU StartSafe recommendations and operated according to JMU RUNSAFE recommendations is at much less risk, particularly if it uses the optional step of using a regular user account for day to day use.

The most common way we've seen that a computer is instantly infected when a link is clicked is through out of date third party software such as Adobe Reader, Adobe Flash, or QuickTime. Security updates for common third party software that might be exploited this way can be found on the JMU critical update pages.

Of course if you click a link and then install an unknown download, you can infect yourself. For example, by installing the electronic greeting card (e.g. e-card.exe), fake anti virus software (e.g. AntiVirus2009), fake Adobe update (e.g. adobe_update.exe), fake video codec (codec.exe), and similar malicious tricks currently circulating.

Can criminals do all the things described on the show such as reading my passwords and tracking my web browser without my knowing it?

Yes, if your computer is infected or you run the criminal's software (which infects your computer).

The show seemed to indicate that computers and bank accounts can be broken into even with security software. Is this true?

Yes and no.

First, as most people know, many accounts are compromised when people give criminals their passwords in response to a "phishing" message. And once an account is compromised, there may be ways a criminal can get back in to the account even if the password is changed. For example, by using the "secret question" or email address used when a password is forgotten. Security software on your computer won't prevent you giving your password away or a criminal from using it on your bank account.

Second, the way the computer is operated and maintained is at least as important as any added security software if not more so. For example, installing software updates regularly is probably more important than anything else in preventing an infection. That is followed closely by being careful what you download and the decisions you make. No security software can prevent you from bypassing or ignoring your computer's security software should you choose, or be convinced, to do so. Operating the computer with a regular user account will prevent most of today's infections and helps minimize the effects of mistakes.

Third, the term "security software" is vague. Different types of security software protect against different threats. Having the right combination of security software, computer maintenance, and everyday care in use is necessary to combat today's internet threats. No one thing standing by itself is sufficient these days.

Finally, if a computer becomes infected, cleanup and recovery is very difficult. Once a computer is infected, the malicious programs have control over the security software and everything else on the compotuer. The only way to be sure your computer is clean is to format and re-install it. If you use automated removal tools or manual removal instructions, you're taking a chance the computer is not completely back under your control. Today's malicious programs change too much and give criminals too much control to rely on simple instructions or signature based tools if sensitive data is involved. You may clean up only to find your account or computer abused again.

---

Though the Internet will never be risk free, following StartSafe setup recommendations and RUNSAFE operating recommendations will reduce risk considerably. As criminals learn how to leverage the Internet even more, you'll be exposed to ever increasing numbers of threats whose sophistication will continue to improve. You'll need to take more protective measures and operate more conservatively than in the past to reduce risk to an acceptable level. StartSafe now. RUNSAFE today.