Downadup worm infection, diagnosis and cure



A new strain of a worm, called Downadup, Conficker or Kido, has created the largest known collection of hacked computers. According to reports, the worm has infected at least 3.5 million PCs running the Windows operating system, and the number is increasing at a rapid pace.

Finnish anti-virus maker F-Secure Corp. estimates the number of computers infected by the worm in the last four days alone to be between 2.4 million and 8.9 million.

Downadup, Conficker or Kido was first discovered in October 2008. Although Microsoft immediately released a security patch at the time, a major portion of Windows PCs remained vulnerable to the worm, which spreads through poorly secured networks, USB drives and PCs without the latest security updates.

The worm works by injecting itself into the Windows executable services.exe. It then copies itself into the Windows system folder as a DLL file with a random 5-8 character name, and modifies the Windows Registry so that the malicious DLL is run as a service.

Once the worm is active, it creates an HTTP server on the PC and deletes all System Restore points created before the infection, making the feature useless for recovering the system. It then starts downloading files from the hacker's web site, which it does in an unusual way.

While most malware depends on a handful of sites to download files from, Conficker uses a complex algorithm to generate hundreds of different domain names every day. Only one of these domains will actually be the site used to download the hackers' files. This makes it virtually impossible to trace the rogue sites.
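The defensive consequence of a date-seeded domain generation algorithm is that, once the algorithm is known, a defender can pre-compute the whole day's candidate list and match DNS logs against it (or sinkhole the names), even though only one of the names is ever used. The following added example illustrates that idea; it is not Conficker's real algorithm and not code from the original post. The generator (`daily_domains`), the TLD pool and the BIND-style log lines are all constructed for illustration.

```python
"""Illustrative daily DGA enumeration and DNS-log matching (added example).

The generator below is a hypothetical, simplified scheme: a per-day seed and
pseudo-random labels of 8-11 lowercase letters. It is NOT the worm's actual
algorithm; it only demonstrates why a deterministic, date-seeded candidate set
lets a defender flag or block the day's names in advance.
"""
from __future__ import annotations

import datetime
import hashlib
import random
import re

TLDS = ("com", "net", "org", "info", "biz")   # hypothetical TLD pool
EXAMPLE_DAY = datetime.date(2009, 1, 17)       # date of the original post


def daily_domains(day: datetime.date, count: int = 250) -> list[str]:
    """Return `count` candidate domains for `day` (hypothetical DGA)."""
    # Seed a PRNG deterministically from the date so every run agrees.
    digest = hashlib.sha256(day.isoformat().encode()).digest()
    rng = random.Random(int.from_bytes(digest[:8], "big"))
    names = []
    for _ in range(count):
        length = rng.randint(8, 11)
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(length))
        names.append(f"{label}.{rng.choice(TLDS)}")
    return names


# Constructed sample DNS query log (BIND-style format); {dga} is filled in below.
SAMPLE_LOG = """\
17-Jan-2009 10:02:11.123 client 192.0.2.15#53412: query: www.example.com IN A +
17-Jan-2009 10:02:12.456 client 192.0.2.15#53413: query: {dga} IN A +
17-Jan-2009 10:02:13.789 client 192.0.2.22#53414: query: update.example.net IN A +
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN")


def flag_dga_queries(log_text: str, day: datetime.date) -> list[tuple[str, str]]:
    """Return (client, name) for each query that hits a candidate domain for `day`."""
    candidates = set(daily_domains(day))
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("name").lower().rstrip(".") in candidates:
            hits.append((m.group("client"), m.group("name")))
    return hits


if __name__ == "__main__":
    # Pretend the fourth candidate was the one the worm actually contacted.
    log = SAMPLE_LOG.format(dga=daily_domains(EXAMPLE_DAY)[3])
    for client, name in flag_dga_queries(log, EXAMPLE_DAY):
        print(f"{client} queried DGA candidate {name}")
```

The match is by exact name against the day's set, so the same list can be loaded into a resolver blocklist or sinkhole; a production version would compute the sets for a window of days around the current date to absorb clock skew on infected hosts.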

The worm protects itself from deletion by removing all NTFS file permissions, except execute and directory traversal, from all users.

Diagnosing the infection

An infected system will show a connection time-out message when trying to access various antivirus-related websites. Windows Update will be disabled.
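One way to turn that symptom into a repeatable check, as an added example that is not part of the original post: attempt a plain TCP connection to an ordinary control site and to a few security-vendor and Windows Update hosts, and report the pattern "control reachable, every security site unreachable". The host list is an assumption (substitute the sites you actually rely on), and the connector is injectable so the decision logic can be exercised without a network.

```python
"""Connectivity self-check for the blocked-security-sites symptom (added example)."""
import socket
from typing import Callable, Dict

# Assumed host list: one control site plus security-related update hosts.
HOSTS = {
    "control": "www.example.com",          # should be reachable on any working network
    "microsoft-update": "update.microsoft.com",
    "f-secure": "www.f-secure.com",
    "bitdefender": "www.bitdefender.com",
}


def tcp_reachable(host: str, port: int = 80, timeout: float = 5.0) -> bool:
    """True if name resolution and a TCP handshake to host:port succeed within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:            # covers DNS failure, refusal and time-out
        return False


def check_hosts(hosts: Dict[str, str],
                connect: Callable[[str], bool] = tcp_reachable) -> Dict[str, bool]:
    """Probe every host and return {label: reachable}."""
    return {label: connect(host) for label, host in hosts.items()}


def looks_infected(results: Dict[str, bool]) -> bool:
    """Symptom pattern: control site reachable but no security site reachable.

    A machine that cannot reach anything is simply offline, not this symptom.
    """
    control = results.get("control", False)
    security = [ok for label, ok in results.items() if label != "control"]
    return bool(control and security and not any(security))


if __name__ == "__main__":
    results = check_hosts(HOSTS)
    for label, ok in results.items():
        print(f"{label:18s} {'reachable' if ok else 'UNREACHABLE'}")
    print("symptom present" if looks_infected(results) else "symptom absent")
```

Run it from the suspect machine; a result of "symptom present" is only a hint that name lookups or connections to security sites are being interfered with, and should be followed by a scan with a removal tool downloaded on a clean PC, as the post describes below.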

Curing an infected system

Use Microsoft's Malicious Software Removal Tool to clean infected systems. If your system has been infected, you will have to download the tool from another PC and then run it on your system.

Use Bit Defender's or any other good anti-virus maker's removal tool to get rid of Downadup.
Follow these steps to remove the worm using Bit Defender's removal tool:
  1. Disable System Restore (instructions are given below this list)
  2. Unplug the network cable from the infected machine
  3. Download the MS08-067 vulnerability fix for your operating system version
  4. Run the removal tool
  5. Restart the computer
  6. Plug the network cable back in
  7. Update your virus definitions
To turn off System Restore in Windows XP, click “Start”, right-click “My Computer”, and then click “Properties”. In the System Properties dialog box, click the “System Restore” tab. Select the “Turn off System Restore on all drives” check box, then click OK and confirm. Remember to clear the check box again after curing your system if you wish to use the System Restore feature.

Additional resources:
How to safeguard your PC against viruses
Downadup worm on Bit Defender
Downadup worm on F-Secure


Author: Nyutech

Date: Saturday, January 17, 2009
