{
  "family": "conficker",
  "sample_count": 11,
  "category": "worm",
  "description": "Conficker is one of the largest and most famous worms in computing history, first detected in November 2008 and at peak infecting an estimated 9 to 15 million Windows systems globally. It exploits the MS08-067 vulnerability in the Windows Server service, propagates through network shares and removable media, and uses a domain-generation algorithm to contact command-and-control servers. Conficker prompted the formation of the Conficker Working Group, an unprecedented coalition of security vendors, registrars, and law enforcement. While the worm never delivered a destructive payload at scale, it remains active in legacy and unpatched environments more than 15 years later.",
  "cta": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.",
  "aliases": [
    "downadup",
    "kido"
  ],
  "enrichment_level": "hand-curated",
  "faq": [
    {
      "@type": "Question",
      "name": "What is Conficker?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Conficker is one of the largest and most famous worms in computing history, first detected in November 2008 and at peak infecting an estimated 9 to 15 million Windows systems globally. It exploits the MS08-067 vulnerability in the Windows Server service, propagates through network shares and removable media, and uses a domain-generation algorithm to contact command-and-control servers. Conficker prompted the formation of the Conficker Working Group, an unprecedented coalition of security vendors, registrars, and law enforcement. While the worm never delivered a destructive payload at scale, it remains active in legacy and unpatched environments more than 15 years later."
      }
    },
    {
      "@type": "Question",
      "name": "How does Conficker spread?",
      "acceptedAnswer": {
        "@type": "Answer",
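        "text": "Conficker spreads in three ways: by exploiting the MS08-067 vulnerability in the Windows Server service, which is reachable over SMB; by guessing weak administrator passwords on network shares; and through infected removable media that rely on autorun.inf."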
      }
    },
    {
      "@type": "Question",
      "name": "What are the signs of a Conficker infection?",
      "acceptedAnswer": {
        "@type": "Answer",
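        "text": "Classic indicators are account lockouts reported by domain controllers (repeated failed logons are consistent with the worm guessing passwords on network shares), Windows Update being blocked, security services being disabled, and antivirus detections named Conficker, Downadup, or Kido."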
      }
    },
    {
      "@type": "Question",
      "name": "What should I do if I think I have Conficker on my system?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance."
      }
    }
  ],
  "faq_count": 4,
  "mitre_attack": [
    "T1210",
    "T1547.001",
    "T1547.010",
    "T1571"
  ],
  "cisa_advisory": "https://www.cisa.gov/news-events/alerts/2009/03/29/conficker-p2p-worm",
  "last_updated": "2026-05-27"
}