Short version: It’s bugle oil. They’re talking about the way Windows handles the display of something called file extensions. This was always a fairly minor issue and, for the past several years, has been a non-issue.

Read on for details, if you wish…

A file name has two parts: the name of the file and its extension. Think of an extension as the part of the name that identifies the file’s type. For example, suppose you create a Word document named “Newsletter”. The actual name of the file on disk is “Newsletter.doc” (or maybe “Newsletter.docx” if you’re using Word 2007). The “.doc” (or “.docx”) part is the file’s extension. It tells Windows that the file is a Word document and that it should be opened with Microsoft Word and not some other program.

Unless you tell it not to, Windows hides the extensions for all recognized file types. So, if you look in your documents folder, you will see your Word document listed as “Newsletter”, not “Newsletter.doc”. Windows is trying to be “helpful,” here. The idea is that, if you saved your document as “Newsletter”, it is less confusing if it simply shows up as “Newsletter” on disk.

Problem is, scammers sometimes take advantage of this extension-hiding feature to make infected email attachments look harmless — sort of. For instance, they might create an infected email attachment named “bargains.txt.exe”. The “.exe” part means that it is a program but, if Windows is hiding extensions, the name will appear as “bargains.txt”. Some folks might open the attachment, thinking it is a harmless text file.

First off, the double extension trick was never that effective and, for that reason, is hardly used anymore.

Also, Windows effectively plugged that hole several years ago. Beginning with Windows XP Service Pack 2, attempting to launch any program downloaded from an external source triggers a warning that looks something like this:

Getting a warning like that when you thought you were opening a text file is a pretty strong clue that something is amiss.

Finally, if you have any sort of reasonably competent, up to date antivirus program running, it will probably zap the offending file before you even get a chance to look at it. A good antivirus program isn’t guaranteed to catch everything, but a miss is pretty rare unless you encounter a very recent (as in a few hours old), cleverly written piece of malware.

So, you can shoot yourself in the foot by opening an infected email attachment, but you have to work at it. Whether or not you are hiding  file extensions has very little impact on your risk level.

All that being said, I still prefer to be able to see complete file names, including extensions. It’s one of the first tweaks I make to Windows when I’m setting up a new system. If you wish to disable extension hiding, there’s an article in the WhertRA web log that tells you how to do it.

But first, what has gone before…

• If you have been following “best practices” — your security patches are current and you have functioning, up-to-date antivirus — you needn’t worry about Conficker.
• If you’ve been remiss about security, you probably don’t need to worry about Conficker, but it sure wouldn’t hurt to check your system. See the “Conficker/Downadup detection and removal” article for details on how to do this. See “The Conficker/Downadup panic” for background. And at least get a decent antivirus program up and running, for crying out loud!

OK. Now, the reason searching for information about Conficker is risky is because the bad guys have poisoned many of the search results with fake sites. Most are likely scams of one sort or another — selling fake antivirus software is a common activity, as is trying to sucker you into installing spyware or other unwanted junk. At least one site is actively serving up malware. The Conficker Working Group is maintaining a steadily growing  list of these malicious sites. This ZDNet posting has additional information.

Bottom line: Searching on phrases like “Conficker virus”, “Conficker removal”, “Conficker nmap” and other similar terms is not a good idea right now. Instead, go directly to one of the major security-related web sites or to a reputable technical news source and search within their sites for information.

Here are some places to start:

• Monitor this very web log. We try to be both reputable and technically accurate.
• ESET
• F-Secure
• Kaspersky Lab
• Symantec
• Trend Micro

First off, the Conficker Working Group maintains a list of detection and repair tools that will deal with Conficker. If you suspect a Conficker infection, or just want to double-check, this is a good starting point. (Personally, I like ESET’s tool, but any of them should work fine.)

Update: The Conficker Working Group list is overloaded/inaccessible this morning (April 1). Here is a list of direct Conficker detection and removal tool links to try:

• ESET
• Kaspersky
• F-Secure
  
• McAfee
• Microsoft Malicious Software Removal Tool
• Sophos
• Sunbelt Software
• Symantec
• TrendMicro

However, the most recent variant of Conficker, Conficker.C, added a nasty trick. It blocks a long list of places offering detection and removal information and tools. This includes all the significant antivirus vendors, as well as Microsoft’s security-related material. If you cannot get to the above download links, but you can reach someplace routine like Google, you’ve likely got a problem.

You should also go to the control panel and launch Windows Security Center. If Windows Security Center is not working, that’s another red flag.

Neither of the above tests necessarily indicates a Conficker.C infection; there are other, nastier viruses that exhibit the same behavior. But failing one or both definitely means it’s time for some housecleaning.

BitDefender put up a web page very recently that is not blocked by Conficker.C and where you can download a general Conficker detection and removal tool. You can find it here: http://www.bdtools.net/. (Update: I’ve got a report that the BitDefender application may generate some false alarms. For now, it is probably best to use this tool only if you can’t reach any of the links listed above.)

Finally, the Windows Secrets Newsletter published a must-read article today titled “Run a Conficker removal tool before April 1“. You should read this for additional background and a more detailed discussion on Conficker detection and removal. (Well, OK, I have some problems with their recommendations regarding security suites, but it is still a first-rate write-up.)

If you have any questions, please feel free to get in touch. See the “Contact Us” section of the sidebar for information on how to do this.

The best, most recent estimate of the number of Conficker-infected computers is around 10 million. This is a big number, but a very small percentage of all the computers in the world. More than half of these systems are in countries with a high percentage of users running pirated versions of Windows who cannot easily obtain security updates. The big issue with Conficker is not its prevalence, but that it represents a huge network of computers — a “botnet” — that can be employed by the bad guys to do unsavory things.

Conficker has been spreading for a few months, but the Conficker-built botnet actually goes live this Wednesday, April 1. That’s when all those infected machines start trying to “phone home” for instructions and updates. This event is what triggered all the news coverage and Viewing With Alarm. In the meantime, an ad hoc, international team of security experts has been working hard — and rather effectively — to block and shut down Conficker’s list of command and control servers. Drama. Skulduggery. International intrigue. Somebody is going to write a great book about this battle some day.

So, what does this mean for those of us just trying to get some work done? Well…

If your antivirus software is up to date and working, you should be OK.  In fact, since Conficker also spreads by infecting USB flash drives, your antivirus software is definitely your first and most important line of defense. All reputable security software vendors are well-aware of Conficker and have had detection and removal routines in-place for quite some time.

Conficker’s primary route of infection exploits a vulnerability patched by Microsoft many months ago. If you’ve been applying Microsoft security updates regularly, your system should not be vulnerable to this technique. If you’ve been ignoring the little yellow shield down there in the System Tray, you should stop doing that.

Bottom line: If you’ve been paying attention to the security basics, Conficker will likely pass you by. Don’t let your guard down, though. Conficker is a very sophisticated piece of malware and the authors will almost certainly release a new strain in short order. If you’ve been careless, see the above  “Conficker/Downadup detection and removal” post.