Downadup (aka: Conficker, Kido) is using AutoRun to spread “like a can of worms”…

Did you know that you opened a can of worms if you did not apply the Windows update for an already known Windows vulnerability, back in October?  worms


The Downadup worm virus (aka: Conficker, Kido) has globally spread like wildfire.  I am now reading stories [ click here ] where over 8 million PC’s have been infected (or 1 in 16 PC’s).  That is over 8 million PC’s that failed to patch their systems back in October.  The most concerning part, at least to me, is that this worm can use the “AutoRun” functionality in Windows to infect other PC’s.  Here is how this works.  You plug in your USB flash drive in a computer that has been infected with the Downadup worm and the worm copies a file (autorun.inf), to your flash drive.  You remove the flash drive and plug it into another PC, the Windows AutoRun function kicks in and the autorun.inf file, that was copied to your flash drive, now executes and infects that PC.

Downadup is a worm (self-replicating).

A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network. – F-Secure

Propagation (How it spreads)…

Downadup uses a variety of methods to spread itself.

Downadup exploits a Windows vulnerability; patched by the October ‘08 security update.

If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. Depending on the specific variant, it may also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products and downloads arbitrary files. – Microsoft Malware Solution Center

Additionally, it uses Windows AutoRun functionality; autorun.inf files are copied to USB drives and other removable media.

If your computer is infected…

You may not experience any symptoms, or you may experience any of the following symptoms:

Account lockout policies are being tripped.

Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.

Domain controllers respond slowly to client requests.

The network is congested.

Various security-related Web sites cannot be accessed.

Removal Assistance…

Visit the Microsoft’s Help & Support (to learn about the manual removal method(s) and the available Malicious Software Removal tool (MSRT) tool option that is available.  Many of the anti-virus sites are carrying removal options and instructions, as well.  Like many viruses, this thing will continue to evolve with a variety of different payloads.  If you have a PC that is connected to the internet, it is very important that you keep your systems patched (via the Windows Update) and that you keep your Security software updated (e.g. anti-virus, anti-spyware, anti-malware).  The internet is in one sad shape and it is important that our defenses are in place and that we educate ourselves about any potential threats.  Thank you visiting the blog and please push this info onward to make others aware.


Bookmark and Share



12 thoughts on “Downadup (aka: Conficker, Kido) is using AutoRun to spread “like a can of worms”…

Add yours

  1. Hello!! I see you have a tech blog too and it’s doing pretty good!! : ) I just made a new tech blog that is updated several times a day with tech tips and reviews and I hope you can comment or add this blog to your blogroll!! Comment back if you add me to your blogroll so that I can add you too!! Please visit my blog link below!! Thanks a lot!! 😀


  2. Thats why they call them Updates, glad I took your advice about keeping up with them. Good advice from the man who knows……………Thanks Rick.


    1. George,

      Just read today on a site where a company (over 600 PC’s) got nailed with this… Thanks for your comment… Provides a positive influence for those reading the articles.

      Thanks, Rick


  3. Conficker.A and Conficker.B can both be removed using free software like F-Secure’s Downadup removal software as well as bdtools which was made just for this. However Conficker.C has to be removed manually still. In just another day a fix will be made for it. You can view the Microsoft site for more information on how to remove this manually.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Powered by

Up ↑

%d bloggers like this: