Win32/Conficker is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (CVE-2008-4250 / CIVN-2008-170). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled.
The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as exploited in the wild by Gimmiv.A in October 2008, aka "Server Service Vulnerability."
Win32/Conficker disables a number of system services, such as Windows Automatic Update, Windows Security Center, Windows Defender, Windows Error Reporting and the Internet Connection Sharing service.
It propagates by creating an autorun.inf file on all mapped drives so that it is automatically executed as soon as the drive becomes accessible.
A screenshot of the autorun.inf file is pictured below (source: SANS).
Upon execution, the AutoPlay window pops up as shown below.
The first part, "Install or run program", is there because the autorun.inf file contains the shellexecute keyword. However, the text comes from the Action keyword, and the icon is extracted from shell32.dll (the 4th icon in the file), which is the standard folder icon. Selecting this entry runs the worm.
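A defender-side check for the disguise described above, as an added example that is not from the original page or from SANS: it parses an autorun.inf and reports when a launch key (shellexecute or open) is combined with custom Action text and an icon taken from shell32.dll. The sample file contents, the Action text and PLACEHOLDER.exe are constructed for illustration.

```python
import re

# Keys that make AutoPlay offer to launch a program from the drive.
EXEC_KEYS = {"open", "shellexecute"}
KEY_VALUE = re.compile(r"^\s*([A-Za-z\\]+)\s*=\s*(.*?)\s*$")

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.
    Lines that are not key=value are ignored; the first occurrence is kept."""
    entries, in_section = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped.lower() == "[autorun]"
            continue
        match = KEY_VALUE.match(line)
        if in_section and match:
            entries.setdefault(match.group(1).lower(), match.group(2))
    return entries

def assess(text):
    """List the reasons an autorun.inf matches the folder-icon disguise."""
    entries = parse_autorun(text)
    findings = [f"{key} launches: {entries[key]}"
                for key in sorted(EXEC_KEYS & entries.keys())]
    if not findings:
        return []  # nothing is executed, so the icon and text are harmless
    if "action" in entries:
        findings.append(f"custom AutoPlay text: {entries['action']!r}")
    if "shell32.dll" in entries.get("icon", "").lower():
        findings.append("icon borrowed from shell32.dll")
    return findings

# Constructed sample: launch key + Action text + shell32.dll icon.
SUSPICIOUS = """\
[AutoRun]
;constructed sample, the program name is a placeholder
Action=Open folder to view files
Icon=%SystemRoot%\\system32\\shell32.dll,3
ShellExecute=PLACEHOLDER.exe
"""
# Constructed sample: cosmetic keys only, nothing is launched.
BENIGN = "[autorun]\nicon=setup.ico\nlabel=Backup Disk\n"

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, assess(sample))
```

Run against the autorun.inf at the root of each mapped or removable drive; any file that returns all three findings deserves a closer look before the drive is opened through AutoPlay.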
The worm also monitors DNS requests to domains containing certain strings and blocks access to those domains, so that the network request appears to have timed out. This prevents users from updating their security software from those websites.
Use these FREE Removal Tools to prevent and clean up the system from the worm:
Prevention is better than cure. The following actions are advised in order to prevent infection from this Worm: