Microsoft's Malicious Software Removal Tool (MSRT) has been upgraded so it can remove a worm that tries to download malicious software.
Conficker targets a flaw in Windows Server Service and Microsoft thought the flaw was so severe that it issued an emergency patch, outside of its usual cycle, on 23 October for Windows 2000, XP, Vista, Server 2003 and Server 2008.
Microsoft said in a blog, it has identified a new variation of the worm, called Win32/Conficker.B, that has been infecting servers. Systems become infected when a hacker constructs a malicious Remote Procedure Call (RPC) to an unpatched server, which then allows arbitrary code to run on a machine
Conficker.B uses other methods to spread, including trying to copy itself to other shared network machines by guessing passwords, said Cristian Craioveanu and Ziv Mador, in the blog. It can also spread via removable media.
Conficker uses several tricks to avoid detection. It uses a technique called polymorphism, a mechanism that can use compression and encryption to make the code appear different to antivirus software and more difficult to detect. It also makes its files hard to detect and changes key access rights, Microsoft said.
MSRT is a simple security tool that scans a PC and can remove some malicious software. It is far short of a full antivirus suite, but Microsoft has invested in supporting the tool to help remove some of the most flagrant and nagging malicious software affecting Windows PCs and servers.
The company is recommending that administrators run a MSRT scan. Infected computers, however, may not be able to access Windows Update, the built-in update tool for Windows. Microsoft has given instructions for how to download the MSRT with a clean machine and then distribute MSRT.