M86 Security Labs

Conficker/Downadup Exploiting Windows Server Service Vulnerability

 

January 19, 2009

A worm that has been in the wild for the past two months has been infecting potentially millions of unpatched Windows-based computers by exploiting a vulnerability in the Windows Server service. Microsoft has classified this vulnerability (MS08-067) as "Critical", affecting Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, and first released a patch on October 23, 2008.

The original worm, known to antivirus companies as Conficker/Downadup/Kido, was capable of propagating by exploiting the Windows Server service vulnerability mentioned above. Over the last few weeks a new version of the worm has appeared with the added capability of spreading via network shares and removable media such as USB drives. The malware can also block security-related sites, preventing users from accessing Windows security updates, and it uses a list of passwords to connect to network shares and infect systems. Estimates of infected computers now reach into the millions.

We strongly advise customers to ensure the patch from Microsoft is installed, and we encourage the use of strong passwords across your network to minimize infection. Microsoft has also included the worm in its latest Malicious Software Removal Tool (MSRT). For more information see http://support.microsoft.com/kb/962007.

 


Last Reviewed: January 20, 2009 by Rodel Mendrez