http://blogs.zdnet.com/hardware/?p=4053 "The "no bull" guide to Conficker"

http://onecare.live.com/standard/en-us/virusenc/virusencinfo.htm?VirusName=Worm:Win32/Conficker.B
http://blogs.zdnet.com/security/?p=3043&tag=rbxccnbzd1
http://mtc.sri.com/Conficker/

http://countermeasures.trendmicro.eu/poisoned-downadconficker-removal-searches/

http://support.microsoft.com/kb/962007 - Virus alert for Win32/Conficker.B and manual removal instructions
http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=10564800

SAN FRANCISCO - The Conficker internet worm's feared April Fools' Day throwdown for control of millions of infected PCs stirred lots of panic but came and went with a whimper.

http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

Oops.....hey admins.......could you change the title of this thread.....take out "tomorrow" so it just says April 1st? Thanks

Spodo....I wondered the same thing about the time zones and such. Right now it's 10:36 am here and hubby and I both are up and running with no problems.....althugh he did have an unrecognized item pop up and ask permission to connect to the internet. He told it "no" and everything seems ok. We both ran Bit Defender's scan and were clean.

Hope everyone else survives it too.

Hi SpodoCommodo,

You're right, that wouldn't be hard to implement. However, I based my post on something I read earlier today, i.e. that it has been coded simply to trigger when the date changes to April 1st.

You can read this for yourself by following this link:

http://uk.news.yahoo.com/18/20090401/twl-conficker-worm-digs-in-around-the-wo-2802f3e.html

I then did further research on the Trend Micro and Symantic websites that appears to support the above news item.

In the meantime, here in the UK it has turned 12 noon, and all is still well (well, I had already run a number of checks, just to be safe) with my PC.

But a PC also stores the time zone so that a simple bit of arithmetic could synchronise attacks around the world.

And it's still not 1200GMT as I'm typing this...

Hi SpodoCommodo,

This attack is triggered by the system clock inside your PC; therefore, once the date hits April 1st in one's time zone, the malware kicks in. This means that the infection will spread across the globe like a "Mexican Wave". Not good.

By the way, this is not a hoax or an April Fool's prank; this appears to be a well publicised and documented piece of malware.
Interestingly, this kind of zombie network polls certain servers in order to obtain commands for doing various dastardly deeds. Apparantly no malicious commands have been issued yet???

One thing I wonder with this sort of attack is whether it happens around the world at the same time (e.g. 1200 GMT) or does it get triggered when the local date changes to April 1st i.e. separately in each time zone, like a wave gradually encompassing the world?

The reason for wondering about this is that it's currently 0645 GMT here and nothing has happened yet, so does that mean I'm completely safe or will it all kick off in a few hours time?

I did a scan with an item from bitdefender yesterday.

Came up -ve.

Whoa... that IS a long one Buckleysmom! I followed a link in an Internet news story and ran a Microsoft product (think it was Malicious Software Remover) which deemed I didn't have the virus and am protected from it as long as I keep my virus programs on, which they always are. But thanks for the reminder and warning. I guess it can cause the most havoc in larger businesses that have a lot of email activity. But I might follow your steps also.

This is long but it's all from an email I received.....

This is one nasty virus, probably the worst yet. Even the best anti-virus protection may fail to protect your computer. Wisely, take nothing for granted. Should your computer become infected you will not be able to control access to the internet to get help.

This well known commercial anti-virus company is providing a free removal tool for download in advance of this Wednesday. Should your machine become infected you can use this to remove it. Save it to your desktop so you can find it easily.
From this site:

http://www.bdtools.net/

"Remove Downadup from infected computers

Downadup (or Conficker) is a network worm that takes advantage of vulnerabilities in Windows to spread. Its removal is complicated by the fact that it blocks many known antivirus software and associated websites.

BitDefender Labs has detected a new and more aggressive Downadup version. It spreads using a Windows RPC Server Service vulnerability and is called Win32.Worm.Downadup.Gen.

The new version is more resilient to disinfection. Once the system is compromised, the worm disables Windows Update and blocks access to most of the anti-virus websites in order to hinder the user to disinfect his machine.

BitDefender is the first to offer a free tool which disinfects all versions of Downadup. This domain is the first to serve a removal tool without being blocked by the e-threat."

"How to use the removal tools:

Home Users

1.Just download the removal tool (.zip file - 2.2MB), double click on it, chose "Extract all files..." from the File menu, and follow the wizard's instructions. You can use any other archiver, like WinZip. This will create a folder called bd_rem_tool.

2.Inside it, find the program called "bd_rem_tool_gui.exe" (or just "bd_rem_tool_gui") and double click on it. It is very important to extract all the files from the zip archive, and not only bd_rem_tool_gui.exe, because all the other files are needed for the disinfection. Then follow the tool's instructions.

3.If you have Windows Vista with User Acccess Control enabled, or if you are running as a restricted user in Windows XP, right click the "bd_rem_tool_gui" program and choose "Run as Administrator". You will be prompted to enter credentials for an admin account.

4.We recommend a system reboot after the disinfection is complete, to restore full internet access.

Additional information:

How to update your PC and remove Conficker

The following steps should prevent infection by Conficker and eliminate the worm, if your PC has it. One positive side effect is that you'll enjoy a computer with up-to-date patches:

Step 1. Attempt to run Microsoft Update. The Conficker worm can infect vulnerable computers merely by connecting to them remotely via the Internet. For this reason, you should first try to patch Windows before removing Conficker, lest your machine quickly become infected again. It's particularly important to install Microsoft patch 958644 (security bulletin MS08-067). This patch closes a hole in Windows' Remote Procedure Call, which Conficker exploits.

If you can't find Microsoft Update (or the more limited Windows Update) on your PC's Start menu, visit the Microsoft Update page on the Web. Internet Explorer is required.

Microsoft Update might complete successfully, or you might not be able to access Microsoft.com at all. In either case, do Step 2.

Step 2. Attempt to update your third-party security software. Having the latest antivirus signatures will help eradicate Conficker and other malware that may be lurking on your PC. Use your security software's menu to manually update to the latest defenses.

Have no security software? Read the WS Security Baseline, which summarizes the products that are currently rated the highest by respected reviewers.

• If your updated security software deems your PC to be cleaned up, but you couldn't previously access Microsoft.com, go back to Step 1 and run Microsoft Update.

• If you couldn't access your security vendor's site at all, do Step 3.

• If you finished both Steps 1 and 2 successfully, you should be able to skip Step 3 and do Step 4.

Step 3 (optional). Run a standalone Conficker removal tool, if need be. The Conficker Working Group — a coalition of Microsoft, Cisco, SRI, F-Secure, Kaspersky, and many other security vendors — maintains a list of certified detection and repair tools, any of which should remove Conficker. (My thanks to Susan Bradley for her help with this tip.)

Unfortunately, most the links in the Working Group's list are inaccessible on a Conficker-infected PC. A victim can't even reach the Working Group's site, because it has in its URL the string conficker, which triggers the worm's blocking behavior.

As I mentioned earlier, security firm BitDefender has set up a new domain from which users can download free Conficker disinfectant utilities. This site, BDTools.net, is not currently blocked by the worm, to the best of my knowledge. The site offers three options: (a) a free online scan; (b) a free, downloadable Single PC Removal Tool for individual users; and (c) a free Network Removal Tool, an .exe file that IT admins can use to disinfect an entire LAN.

BDTools.net: Visit BitDefender's download site.

If you can't access BDTools.net or any other security site from your PC, find a machine that isn't infected (such as a public-access workstation at a library). Don't use a search engine to look for removal tools, some of which are bogus. Instead, download a removal tool from the Working Group's certified list onto a USB drive, and then use that drive to run the software on the infected PC.

• After removing Conficker, if you couldn't previously complete Steps 1 and 2 successfully, go back now and finish those steps to update Windows and your security software.

• Once you've completed Steps 1 and 2, do Step 4.

Step 4. Run Secunia's Software Inspector to catch missing application patches. Third-party applications, especially media players, are more likely to suffer from security holes than Windows itself is. The security firm Secunia.com offers a free scan, informing you when your PC is running an insecure version of an application that has a security patch available.

Like BDTools.net, the Secunia Software Inspector offers three options: (a) a free online scan; (b) a free download for individual users; and (c) a LAN utility for IT admins. Unlike BDTools' network tool, which is free, Secunia's LAN product costs €5,000 (U.S. $6,500) per year and up, depending on the size of your company.

To run Software Inspector, see Secunia's vulnerability scanning page.

In my opinion, everyone should use Software Inspector at least once a month, right after installing Microsoft's patches the week of Patch Tuesday.

Step 5 (optional). Advanced users — use OpenDNS to restrict infected PCs. OpenDNS, a San Francisco–based company, provides a free, real-time service that prevents PCs from accessing phishing and hacker sites, among others. Admins of small and large LANs can use OpenDNS as a Domain Name System server.

The firm introduced on Feb. 9 a new, Conficker-specific feature. If an infected PC on a LAN somehow evaded detection, OpenDNS will prevent it from contacting Conficker's control servers. Best of all, admins can read a report showing which PC tried to connect to a Conficker server.

For details, read Dan Gookin's Register article and OpenDNS's announcement.

New instructions from the worm's author will probably make the bots disable a PC's access to BDTools, Secunia, and many other sites that were not on Conficker's original block list. Some security researchers have speculated that an update to Conficker will even prevent infected PCs from installing MS08-067.

It's best to strengthen your defenses before April 1 rather than waiting to see what bad things might happen.