Windows Worm Spreads To 3.5 Million PCs

A Windows worm known as Conficker, Downadup, or Kido which was first discovered in October has a new viral variant that is causing concern amongst security firms. Even though Microsoft's MS08-067 patch protects users from the worm it has propegated to some 3.5 million machines worldwide.

According to Microsoft, the worm works by searching for the "services.exe" file and then becomes part of that code. It copies itself into the Windows system folder as a random dll fileand gives itself a 5-8 character name, such as piftoc.dll. The worm then modifies the Windows Registry to run the infected dll file as a service. Once up and running, it creates an HTTP (web) server, resets your machine's System Restore point (making it harder to recover from) and proceeds to download files from a malicious web site.

"There was a new variant released less than two weeks ago and that's the one causing most of the problems," Kaspersky Lab's security analyst, Eddy Willems told the BBC.

"The replication methods are quite good. It's using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creating new variants though this mechanism."

"Of course, the real problem is that people haven't patched their software. If people do patch their software, they should have little to worry about," he added.