Update on Conficker.D

We’ve received a lot of questions from customers about April 1, 2009 and the latest Conficker variant discovered earlier this month, Worm:Win32/Conficker.D (also known as Conficker.C or Downadup.C by some other companies). I wanted to let you know that we’ve put some new information up about Conficker.D today from our work with our partners in the Conficker Working Group.


We hope this new information helps you better understand the current situation. While any malware attack is cause for concern, customers who continue to follow the guidance we’ve always given (apply security updates, update security software signatures, and clean infected systems) should look at the latest version of Conficker like other malware attacks: a manageable cause for concern.


Since we announced our work with the Conficker Working Group and the $250,000 reward, a new version of Conficker was released, Conficker.D. Systems infected with Conficker.D are systems that were once infected with Worm:Win32/Conficker.B. This new version, Conficker.D, does not spread by attacking new systems.


The April 1, 2009 date that has been talked about recently refers to the date when these systems infected with Conficker.D will start trying to contact domains on the Internet, presumably for new instructions. This is identical behavior to what these systems did when they were infected with Conficker.B. What’s different between Conficker.B and Conficker.D is that the domain generation algorithm that I talked about in my February 12, 2009 posting has been changed. The new algorithm generates a larger pool of possible domains than the original one. You can get more details on this over at the Microsoft Malware Protection Center (MMPC) weblog.


While Conficker.D will start trying to contact a new pool of possible domains on April 1, 2009, we at Microsoft and our colleagues in the Conficker Working Group will continue doing what we’ve been doing throughout: working together on a daily basis to share information and take coordinated actions to help disrupt Conficker. In fact, we’ve already been taking actions against Conficker.D like we have against Conficker.B.


Just like we’re staying constant and focused in our actions against Conficker, all of us encourage customers to stay constant and focused in their actions: ensure your systems are updated with MS08-067, keep your security software signatures updated, and clean any systems you identify that are infected with any version of Conficker.


My colleagues over in the Microsoft Malware Protection Center (MMPC) have more detailed information on Conficker.D on their weblog. Also, some of our partners in the Conficker Working Group have posted some information about Conficker.D and the importance of staying constant and focused in combating it. A sampling of some of the information our partners have posted includes:

· F-Secure

· Secureworks


We’ll all be here working to protect customers from Conficker and other threats on April 1, 2009, just like we are today, and we will continue to be here after April 1, 2009. And of course, we’ll update our weblog as we have new information and our partners will do the same.




*This posting is provided “AS IS” with no warranties, and confers no rights.*