Questions and Answers: Conficker and April 1st

There are a lot of rumors on the Internet right now that something terrible will happen on the first of April. Conficker (Downadup, Kido) will switch to a new domain-generation algorithm for fetching updates, so people have come up with all sorts of speculation, up to and including the "end of the Internet." Some even advise not going online on April 1st at all.
Yesterday our guys posted an FAQ about this on the F-Secure blog, and here I give a translation of it. Read it so you don't panic and know exactly what will happen on April 1st.

Q: I heard that something very, very bad will happen to the Internet on April 1. Is that true?
A: No, not really.

Q: Seriously, the Conficker worm will start doing something bad on April 1st, right?
A: Conficker, aka Downadup, will slightly change how it works, but this is unlikely to lead to any visible changes on April 1st.

Q: So what will happen on April 1st?
A: Currently Conficker generates 250 different domain names every day and tries to download an update from them and run it. From April 1, the newest version of Conficker will start picking 500 out of 50,000 domains each day for the same purpose: downloading and running files.
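The behaviour described above, a host burning through hundreds of fresh domain names a day, is visible in DNS logs regardless of the exact generation algorithm. The following is an added detection example, not F-Secure's tooling: it assumes a simple `date client domain rcode` log format, assumes (as the FAQ implies for domains that have "nothing now") that most generated names are unregistered and return NXDOMAIN, and uses constructed sample lines.

```python
"""Flag hosts whose DNS query pattern looks like Conficker-style domain
generation: many distinct domains per day, most of which fail to resolve.
Added example; log format and thresholds are assumptions."""
from collections import defaultdict
import re

# Assumed log format: "<date> <client_ip> <queried_domain> <rcode>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN)$")

def parse_dns_log(lines):
    """Yield (day, client, domain, rcode) tuples, skipping malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def flag_dga_clients(lines, min_domains=50, min_nx_ratio=0.8):
    """Return {(day, client): (distinct_domains, nxdomain_count)} for clients
    that queried at least `min_domains` distinct domains in one day with at
    least `min_nx_ratio` of their lookups failing."""
    seen = defaultdict(set)      # (day, client) -> distinct domains queried
    nx = defaultdict(int)        # (day, client) -> NXDOMAIN answers
    total = defaultdict(int)     # (day, client) -> all answers
    for day, client, domain, rcode in parse_dns_log(lines):
        key = (day, client)
        seen[key].add(domain.lower())
        total[key] += 1
        if rcode == "NXDOMAIN":
            nx[key] += 1
    flagged = {}
    for key, domains in seen.items():
        if len(domains) >= min_domains and nx[key] / total[key] >= min_nx_ratio:
            flagged[key] = (len(domains), nx[key])
    return flagged

# Constructed sample: one normal host and one host that tries 250
# pseudo-random domains in a day, almost all of them unregistered.
SAMPLE_LOG = [
    "2009-04-01 10.0.0.5 www.f-secure.com NOERROR",
    "2009-04-01 10.0.0.5 mail.example.org NOERROR",
] + [f"2009-04-01 10.0.0.9 x{i:03d}qzk.biz NXDOMAIN" for i in range(245)] \
  + [f"2009-04-01 10.0.0.9 y{i}.com NOERROR" for i in range(5)]

if __name__ == "__main__":
    for (day, host), (n, nxc) in flag_dga_clients(SAMPLE_LOG).items():
        print(f"{day} {host}: {n} distinct domains, {nxc} NXDOMAIN")
```

On real resolver logs the thresholds need tuning per environment, since CDNs and ad networks also produce many distinct (but resolvable) names.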

Q: Latest version? So there are several different versions?
A: Yes, and the latest version is not the most common one right now. Most infected computers are infected with version B, which began to spread in January. And nothing will change in the behavior of this variant B.

Q: I just checked that my Windows machine is not infected. Will anything happen to my computer on April 1st?
A: No!

Q: I have a Mac, will anything happen to my computer?
A: No!

Q: So this means that the hackers will be able to use this new channel to download and run any program on all machines?
A: Yes, on all machines that are infected with the latest version of the worm.

Q: But what is this peer-to-peer download functionality that I heard about?
A: The worm has peer-to-peer functionality, which means that infected computers can communicate with each other without needing a server. This allows the worm to update itself even without registering any of the 250 or 50,000 domains.

Q: But doesn't that mean that if the "bad guys" wanted to run something on the infected machines, they wouldn't have to wait until April 1st?
A: Yes! And this is another reason why it is unlikely that something bad will happen on April 1st.

Q: Will there be a lot of hype in the media?
A: Oh, yes! As always when a widespread worm has a trigger date. Recall the cases of Michelangelo (1992), CIH (1999), Sobig (2003), Mydoom (2004) and Blackworm (2006).

Q: But in those cases nothing special happened, despite the fact that everyone expected something to happen!
A: Exactly!

Q: So, should I turn my computer off and keep it off on April 1?
A: No. But you should check and be sure that your computer is not infected.

Q: Can I just change the date on my computer and thereby protect myself?
A: Of course not. The worm uses local time for several of its functions, but it does not rely ONLY on the time on your computer.

Q: I am confused. How can you be sure in advance that there will not be a global virus attack on April 1st? You must be hiding something!
A: Yes, you are confused. There will be no “global virus attack”. Machines that are ALREADY infected can start doing something new on April 1. We know this because we have studied the code of the worm and we can see that this is exactly what it is programmed for.

Q: Will the program downloaded by the worm run with administrator privileges?
A: Yes, with local administrator rights. Which is very bad!

Q: And this worm can download the update not only on April 1st, but any day after that?
A: Exactly. So there is no reason they couldn't do it on, say, April 5 instead of the 1st.

Q: OK, they can run the program on the infected computer. But why? What will this program do?
A: We do not know what they are planning to do, if they are planning anything at all. Of course, they could steal your data, send spam from your computer, launch DDoS attacks on other computers and servers, and so on. But we do not know what exactly they are going to do next.

Q: They? Who are they? Who made this worm?
A: We don't know that either. But judging by what they do, they look very professional.

Q: Professional? Is it true that Conficker uses the MD6 hash algorithm?
A: Yes. This is probably the first program that uses this new algorithm!

Q: Why can't you just infect your own computer, set the clock to April 1 and see what happens?
A: Because it won't work that way. The worm connects to certain websites to find out the current date and time.

Q: Really? Then shut down those sites and the problem will go away!
A: We can't. These are sites like google.com, yahoo.com and facebook.com.

Q: No, seriously, you can set up your own google.com in the lab, set its date to April 1 and test it!
A: We can. But the sites from which the worm will try to download something on April 1st have nothing on them now! They may have something on April 1st. Or they may not.

Q: Now I'm worried. How do I know whether I am infected?
A: Try going to www.f-secure.com. If you cannot reach our site, you are probably infected, because Downadup/Conficker blocks access to antivirus companies' sites. Don't tell anyone, but those who cannot reach f-secure.com because of the virus can use the special mirror www.fsecure.com.

Q: Where did the name "Conficker" come from?
A: Conficker is a kind of anagram of the word trafficconverter, the site the first version of the worm connected to.

Q: Why does the worm have several names: Downadup, Conficker, Kido?
A: The virus was found at about the same time by several antivirus companies, and each gave it its own name. Now most companies use the name Conficker. But even now the confusion between companies over the names of new variants continues. We all regret this.

Q: How many computers are infected with the Downadup/Conficker worm?
A: About 1-2 million. How many of them are infected with the latest version? We do not know the exact figure.

Q: How does the antivirus industry respond to all this?
A: We responded by creating the Conficker Working Group. The group includes representatives of antivirus vendors (including us), registrars, researchers, etc.

Q: I want to know more technical details about the worm.
A: Of course. Here is our description (in English), and here is another great description (in English). And here is my description in Russian.

Q: When was the first version of Downadup/Conficker discovered?
A: It was found on November 20, 2008.

Q: More than 4 months ago? I want to see the timeline of what happened during these 4 months.
A: Byron Acohido wrote about it .

Q: Can F-Secure's antivirus detect and remove this worm?
A: Of course.

Q: Do you have a dedicated removal tool for the worm?
A: Yes, and it is free. Download it from here.

Q: Are you going to continue to monitor this further?
A: Yes. Stay with us and watch for new information.

Source: https://habr.com/ru/post/55663/