Danger level 10
Type: Worms
Common infection symptoms:
  • Changes background
  • Connects to the internet without permission
  • Shows commercial adverts
  • Normal system programs crash immediately
  • Slow internet connection
  • System crashes
  • Slow Computer


At some point, nearly 6% of all computers were infected by the Conficker worm. This infection is also known as Downadup or Kido Worm, and it was primarily known as the infection capable of exploiting the Windows MS08-67 service vulnerability, a patch for which was released soon after the discovery. Like most worms, this infection was found to spread through USB memory devices such as USB drives or MP3 players. The Windows Option Menu that appears after inserting the infected USB device disguises the option to run the program as the option to open the folder. If the file is opened, the worm is unleashed. Although this threat originated in China, it soon spread across the U.S., Spain, Taiwan, Brazil, Mexico, and other countries all around the world. Just like many of its predecessors, this worm extracts passwords from computers and corporate internal networks. The simpler the password, the easier it is for this threat to decode it. Once the passwords are detected, cyber-criminals can access computers and use them maliciously. This is why immediate removal of Conficker is crucial.

According to our research, this malicious worm consists of two components. It uses an executable (e.g., malware.exe) to install a DLL file (e.g., vhoinp.dll) that is responsible for the payload of this infection. It is worth mentioning that the Conficker worm has several different variants, each of which is designed to update to the newer version when available. The original version of this worm was found to be spread via 250 different domains. The later versions were found to disable the AutoUpdate function, Safe Mode, and anti-malware software. Furthermore, some versions of the worm are capable of terminating processes with names that refer to security software. This malware could use dnsapi.dll to stop you from visiting sites with certain words (e.g., security, defend, conficker, antivirus, etc.) in the address. We have also found that this malicious worm is capable of deleting the "Windows Defender" value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ to stop Windows from guarding your operating system. Of course, it adds its own value to ensure that it runs upon startup.

Conficker was found to copy itself to the Internet Explorer, Movie Maker, Windows Media Player, or Windows NT folders found under %ProgramFiles%. This is one of the many ways this infection tries to conceal itself. As mentioned previously, it disables Windows Defender, but it was found that this threat can also disable the Windows Security Alert tool, Error Reporting Service, Windows Update Auto Update Service, and Windows Security Center Service. If this is performed successfully, the infection remains hidden, and it can initiate malicious activity without your notice. Our research has also shown that this worm periodically connects to certain websites to check for certain information. For example, it can connect to,,, and similar sites to check its external IP address. Furthermore, it connects to,,,, and other similar sites to check the current time and date. Because the worm has certain payload trigger dates, it needs to know the time and day to initiate them on schedule.
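
The Run key, folder and service changes described in the two paragraphs above can be checked read-only from PowerShell. This is an added example, not code from the original page; the service short names (WinDefend, wscsvc, wuauserv, ERSvc, WerSvc) are this example's mapping of the services the page names, and a hit is a prompt for review, not proof of infection.

```powershell
# Added example: read-only triage for the persistence and tampering signs described above.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Autostart values under the Run key named on the page.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$run = (Get-ItemProperty -Path $runKey).PSObject.Properties |
    Where-Object { $_.Name -notin $psMeta }
if ($run.Name -notcontains 'Windows Defender') {
    # Only meaningful on Windows releases that register Defender under this value name.
    $findings.Add('Run key has no "Windows Defender" value')
}

# 2. The %ProgramFiles% folders the page lists as hiding places.
$folders = 'Internet Explorer', 'Movie Maker', 'Windows Media Player', 'Windows NT' |
    ForEach-Object { Join-Path $env:ProgramFiles $_ }
foreach ($entry in $run) {
    foreach ($folder in $folders) {
        if ("$($entry.Value)" -like "*$folder*") {
            $findings.Add("Run value '$($entry.Name)' starts from $folder")
        }
    }
}
foreach ($folder in $folders | Where-Object { Test-Path $_ }) {
    # Hidden files are included; only the top level of each folder is inspected.
    Get-ChildItem -Path $folder -Filter *.dll -File -Force -ErrorAction SilentlyContinue |
        Where-Object { (Get-AuthenticodeSignature $_.FullName).Status -ne 'Valid' } |
        ForEach-Object { $findings.Add("DLL without a valid signature: $($_.FullName)") }
}

# 3. Protection and update services that should not be disabled.
#    Names missing on this Windows version are skipped silently.
foreach ($name in 'WinDefend', 'wscsvc', 'wuauserv', 'ERSvc', 'WerSvc') {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if ($svc -and $svc.StartMode -eq 'Disabled') {
        $findings.Add("Service $name is disabled")
    }
}

if ($findings.Count) { $findings } else { 'No indicators from this checklist found.' }
```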

A worm is not a threat you can ignore, and it is important to remove it as soon as possible. Unfortunately, deleting Conficker is not a simple task, and most users struggle to find this infection at all. If you remain oblivious to the existence of this threat, it will start connecting to remote servers and letting in other computer infections. There are many different scenarios of what could happen if this worm found its way into your operating system. For example, your passwords could be recorded to hijack your online accounts. It is also possible that your operating system could be utilized for the distribution of malware. If your PC is connected to a shared network, the worm could self-propagate; however, other methods could be used to spread malware using your system. If you do not want to become an instrument in the hands of cyber criminals, you need to remove Conficker from your operating system as soon as possible. Deleting this worm is difficult enough, but if other threats are active as well, you are in even bigger trouble. We strongly advise making use of strong anti-malware software that can handle all active threats automatically.



  1. Bandele May 28, 2009


  2. james balaoryo Jul 24, 2009

    I also need your opinion
