If we presume that a person's Windows computer is (a) installing Windows
updates automatically, and (b) has an antivirus application with current
definitions, then I don't think there's much to worry about. If either a or
b above is not true, then the system in question has many potential


If you are looking for what would constitute due diligence, I would suggest:

1.       Run Windows Update and install all updates (start with SP3 on XP or
SP1 on Vista if it isn't there already)

2.       Verify that the vulnerability exploited by this attack is
installed; look for update KB958644 <>
which was released in October, 2008.

3.       Check that the antivirus application has current definitions.

4.       Schedule or start a full system scan at the end of the workday.


That's what I'd do. 


If the Live OneCare online scanner if going slowly, you can use the
Microsoft Malicious Software Removal Tool, which address a set of common
malware, to detect and remove Conficker
( Similar
tools are available from the major A/V vendors. 


More general information, including links to various remediation tools, is
available at:


Larry, I hope that helps,




From: Technology Discussion at UVM [mailto:[log in to unmask]] On
Behalf Of Larry Kost
Sent: Monday, March 30, 2009 11:54 AM
To: [log in to unmask]
Subject: Re: FW: Alert - Additional Microsoft Security Guidance Published on


Should we be having our folks take some kind of action?  I am running the
Windows Live OneCare safety scanner.  It has been running for about two
hours and isn't even half done.  Is there something quicker, like Stinger
that would work for this particular problem?  Should this have bee caught by
NODE32, assuming it is running and up to date?  

Larry Kost

At 08:57 AM 3/30/2009 -0400, you wrote:

FYI. Geoff


From: Mark Nissen [mailto:[log in to unmask]] 
Sent: Saturday, March 28, 2009 11:44 AM
To: [log in to unmask]; [log in to unmask]
Subject: Alert - Additional Microsoft Security Guidance Published on


What is the purpose of this alert? 

This alert is to notify you that Microsoft has published new information
regarding the Conficker worm on March 27, 2009. 


The new information published today will appear on Microsofts Conficker
landing pages, Microsofts security-related blogs and in the Microsoft
Malware Protection Center (MMPC) malware encyclopedia. 


These resources aim to help customers by providing answers to common
questions, steps customers can use to protect their systems, and steps that
can be used to recover systems that have been infected.




Microsoft has published new information today on the following web pages:


.         Microsoft Conficker guidance page for IT Professionals and those
focused on security in the enterprise: HTTP:// 


.         Microsoft Conficker guidance page for consumers and home users: 


.         The Microsoft Malware Protection Center (MMPC) encyclopedia page
for the Conficker family of malware: 


.         The Microsoft Malware Protection Center blog: 


.         The Microsoft Security Response Center Blog: 


Please use these new resources as your starting point for guidance on
Conficker. The content will be refreshed periodically when new information
is available. 


Answers to Common Questions


Q: What will happen on April 1, 2009?

A: Based on our collective technical analysis, we've determined that systems
infected with the latest version of Conficker will begin to use a new
algorithm to determine what domains to contact. We have not identified any
other actions scheduled to take place on April 1, 2009. 


Q: Will an updated version of Conficker go out to already-infected systems
on April 1, 2009?

A: It is possible that systems with the latest version of Conficker will be
updated with a newer version of Conficker on April 1, 2009 by contacting
domains on the new domain list. However, these systems could be updated on
any date before or after April 1, 2009 as well using the "peer- to-peer"
updating channel in the latest version of Conficker.


Q: Should the general public be alarmed? Why or why not?

A: No, the general public should not be alarmed. Most home users have been
protected by Microsoft Security Update MS08-067
( being
applied automatically. 


Q: What should people who are worried about April 1, 2009 and Conficker do?

A: We recommend that home users who have not yet enabled automatic updates
do so and ensure their security software is up to date with the latest
antivirus signatures for Windows Live OneCare, or the antivirus product they
use.  We recommend that enterprise customers continue to focus on the
guidance from Microsoft and take multiple measures to minimize the risk of
getting infected: 


.         Fully Install MS08-067
( on all
Windows computers in your environment. Because 100 percent deployment can be
challenging in diverse enterprises, the next defense-in-depth steps can help
minimize the risk too.

.         Use an antivirus product that has solid detection of Conficker.
Such an antivirus program should be able to block the worm from copying
itself to other machines. For example, Microsoft Forefront Client Security
and Windows Live OneCare can detect and block this worm from the very first
day of its discovery.

.         Use strong passwords both for any user account and also for any
file share in your environment.

.         Make sure to use only AutoPlay options that you are familiar with
as other options may have been added by malicious software. Some customers
may prefer to disable the AutoRun functionality altogether.

.         Evaluate additional security best practices in accordance with
their organization's policies and procedures.


Customers who believe they are affected and need additional support can
contact Microsoft Customer Service and Support. Contact CSS in North America
for help with security update issues or viruses at no charge using the PC
Safety line (866)PCSAFETY or resources found at: 


International customers can contact Microsoft Customer Service and Support
by using methods found at: 


Regarding Information Consistency


We strive to provide you with accurate information in static (this mail) and
dynamic (Web-based) content. Microsofts security content posted to the Web
is occasionally updated to reflect late-breaking information. If this
results in an inconsistency between the information here and the information
in Microsofts Web-based security content, the information in Microsofts
Web-based security content is authoritative.


If you have any questions regarding this alert please contact your Technical
Account Manager or Application Development Consultant.


Thank you,

Microsoft CSS Security Team