W32/Conficker: Much Ado About Nothing? – McAfee Avert Labs Blog
Friday March 27, 2009 at 4:36 am CST
Posted by Vinoo Thomas
In the run-up to April 1st 2009, the media spotlight on the latest Conficker worm variant has reached a morbid frenzy. From being touted as an “April Fools’ joke” to outrageous headlines such as “Millions of computers expected to be destroyed”, no other worm in recent history has generated this much media attention. But what have we learnt from history? From the days of Michelangelo to the more recent Blaster, SoBig, Sober and Kamasutra worms, the hype surrounding the activation or payload dates of major Internet worms has only ever turned out to be a damp squib.
What happens on April Fools’ Day is anyone’s guess. While we still don’t know the real intent of the Conficker authors, they have consistently improved the worm, adding new functionality and anti-debugging tricks with every released variant. To resist the Conficker Cabal initiative, which recently blocked domain registrations associated with the earlier Conficker A and B variants, the worm authors raised the number of randomly generated domains from 250 to 50,000. The intent behind generating and attempting to contact so many domains is to make it extremely difficult for security researchers to monitor every site that could potentially host a payload for the worm to download and execute.
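From the defender’s side, a host that cycles through thousands of never-registered domains leaves an obvious trace in resolver logs: bursts of NXDOMAIN answers for random-looking names. The following is an added illustration, not code from the original post or from McAfee; the log format, the consonant-run heuristic and its thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
# Constructed sample resolver log, not from the original post.
# Format: "<epoch> <client_ip> <qname> <rcode>"
SAMPLE_LOG = """\
1238544000 10.0.0.5 www.example.com NOERROR
1238544001 10.0.0.5 mail.example.com NOERROR
1238544002 10.0.0.7 qlxfmzpa.org NXDOMAIN
1238544003 10.0.0.7 tvwekbsdn.net NXDOMAIN
1238544004 10.0.0.7 hrpqojzuc.info NXDOMAIN
1238544005 10.0.0.7 mbxwayvlt.com NXDOMAIN
1238544006 10.0.0.7 zkqpdfhwo.biz NXDOMAIN
1238544007 10.0.0.5 wwww.exampel.com NXDOMAIN
"""
VOWELS = set("aeiou")

def max_consonant_run(label):
    """Longest run of consecutive non-vowel letters in a DNS label."""
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best

def looks_random(qname, min_run=4):
    """Crude pronounceability check on the registrable (second-level) label."""
    parts = qname.lower().rstrip(".").split(".")
    return len(parts) >= 2 and max_consonant_run(parts[-2]) >= min_run

def flag_dga_clients(log_text, window=60, min_distinct=5):
    """Clients with >= min_distinct distinct random-looking NXDOMAIN names in `window` s."""
    events = defaultdict(list)  # client -> [(ts, qname)]
    for line in log_text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            if rcode == "NXDOMAIN" and looks_random(qname):
                events[client].append((int(ts), qname))
    flagged = {}
    for client, evs in sorted(events.items()):
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # sliding window over sorted events
            names = {q for t, q in evs[i:] if t - t0 <= window}
            if len(names) >= min_distinct:
                flagged[client] = sorted(names)
                break
    return flagged
```

Tune `min_distinct` and `window` to your own resolver’s baseline of typo and stale-record NXDOMAINs, which the single mistyped lookup from 10.0.0.5 is there to represent.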
What we do know is that almost all security vendors have thoroughly analyzed Conficker (also known as Downadup or Kido) and have good generic detection and cleaning in place. Uploading a couple of randomly selected Conficker binaries to the VirusTotal site shows an overall antivirus detection rate consistently at 90% or above. And these high detection rates hold across vendors, small or large.
In the run-up to April 1st, McAfee is offering a special build of its stand-alone cleaning tool, christened Stinger, which will be updated daily to include any undetected Conficker variants found in the wild. This special build of the Stinger tool can be downloaded from the Avert Tools site. We have also posted detailed documentation on the mitigation steps that security staff within organizations can take to combat W32/Conficker. Additional McAfee product coverage information for the MS08-067 (Microsoft Windows Server Service) vulnerability, which is exploited by the worm, can be viewed at our threat center.
Please ensure that your copy of Microsoft Windows is patched and that your security software is fully up to date, so that April 1st 2009 is a day like any other!