Win32/Conficker.B/Downadup exploits a vulnerability in the Windows Server service (SVCHOST.EXE) for Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows 2008. While Microsoft addressed this issue in October with Microsoft Security Bulletin MS08-067, and Forefront antivirus and OneCare (as well as other vendor’s anit-virus products) helped protect against infections, many systems that have not been patched manually through Server Update Services and Microsoft/Windows Update or through Automatic Updates have recently come under attack by this worm. Attacked systems may lock out users, disable the update services and block access to security-related Web sites.

In response to this threat, Microsoft has:

• Updated the January version of the Malicious Software Removal tool to detect and remove variants of Win32/Conficker.B.
• Created the Knowledge Base article 962007 “Virus alert about the Win32/Conficker.B worm” to provide public details on the symptoms and removal methods available to address this issue.
• Announced the release of the items and the virus threat itself on the Microsoft Malware Protection Center blog.

The number of Downadup infections is skyrocketing based on the calculations of F-Secure, from an estimated 2.4 million infected machines to over 8.9 million during the last four days (as of Jan, 16).

Tags: conficker, downadup, f-secure, microsoft, msrt