Network worm infects millions of Windows PCs

A malicious worm is spreading that has already seen the infection of 3.5 million Windows PCs, which a security company reported as rising by one million in a single day.

Thousands of workstations and servers in the United Kingdom have already been affected by the Conficker network worm, which is also known as Downadup. It is unusually difficult to remove, especially if it has been successful in infecting a corporate network.

It is a new version of a worm which started to spread last year, with security firm F-Secure warning that it had received reports of corporate networks being infected by it since the new year.

The attack first originated in October last year, when attacks targeted a critical vulnerability in the Windows operating system, which forced Microsoft to release an emergency out-of-band patch - MS08-067.

Microsoft strongly recommended that users install the security update as soon as possible, but this failed to stop the worm increasing in frequency.

Since then, the worm has continued to infect machines, usually because they were unpatched, or because anti-virus software was not detecting it.

F-Secure said of the worm in a statement: "Downadup uses several different methods to spread. These include using the recently patched vulnerability in Windows Server Service, guessing network passwords and infecting USB sticks."

It added: "Typical problems generated by the worm include locking network users out of their accounts. This happens because the worm tries to guess (or brute-force) network passwords, tripping the automatic lock-out of a user who has too many password failures."

The company said that once the worm had infected a machine, it protected itself very aggressively. It did this by setting itself to restart very early in the boot-up process of the computer and setting access rights to the files and registry of the worm, which meant users couldn't remove or change them.

F-Secure said: "The worm downloads modified versions of itself from a long list of websites. The names of these websites are generated by an algorithm based on current date and time.

"As there are hundreds of different domain names that could be used by the malware, it is hard for security companies to locate and shut them all down in time."

Christian Craioveanu and Ziv Mador, of the Microsoft Malware Protection Centre, said in their blog that most of the infected customers who contacted support were running large networks. This helped spread the worm as they were more likely to feature file sharing and network shares.

They also said that they had added new capabilities to their Malicious Software Removal Tool (MSRT) which could detect and remove the worm if it was present on a machine or environment.