Page last updated at 10:59 GMT, Tuesday, 31 March 2009 11:59 UK

Timeline: The Conficker worm

Computer keyboard, Eyewire
Conficker has been around since late November 2008

A chronology of key events in the history of the Conficker worm, that has infected an estimated 15 million computers worldwide:


20 August: The Gimmiv Trojan, which exploited the vulnerability Conficker capitalises on, is first spotted running in a virtual machine on a server in South Korea. Experts speculate this was a a test run prior to it being released in the wild.

29 September: Gimmiv first seen in the wild infecting a PC in Hanoi, Vietnam. Over the next few weeks it manages to infect 200 more machines in 23 nations - most of which were in Malaysia. Mistakes in the way it is coded limit its ability to spread.

23 October: Microsoft issues first impromptu and non-scheduled security patch in 18 months - MS08-067 - to address the vulnerability that Gimmiv exploited. Microsoft recommends that the patch be applied immediately. At this point about 800 million Windows machines are thought to be vulnerable.

26 October: Chinese hackers prepare a toolkit that lets anyone create code to exploit the vulnerability found by Gimmiv's creators. Initially they sell the kit for $37.80 (£26.48) but soon it leaks to the net and they are forced to give it away. The release of the code prompts many to craft malware that can seek out machines with the bug.

21 November: Conficker.A is spotted in the wild. The worm exploits the same vulnerability as Gimmiv with the added twist of being able to infect other computers across a network. It also fixes the bug so other worms trying the same trick are locked out.

22 November: Microsoft releases a strongly worded post recommending that users "immediately" apply the MS08-067 update.

26 November: Machines infected with Conficker.A activate and begin polling a different set of 250 domains daily for further instructions. Around 500,000 machines are thought to be infected with this variant.

1 December: Many infected machines contact for an update file that is not there.

24-27 December: SRI census reveals about 1.5m machines are infected.

29 December: The first variant, Conficker.B, is spotted. Like its predecessor it exploits a vulnerability in the Windows Server service but can also spread via removable drives and weak administrator passwords. It also uses an MIT-developed algorithm to obfuscate its communications. Sheffield hospitals confirm 800 of their computers infected


1 January: Machines infected with Conficker.B start checking in to a different set of 250 domains.

6 January: The UK's MoD suffers its first infections. It takes the department two weeks to clear up the damage.

11 January: Microsoft updates its Malicious Software Removal Tool so that it can find and remove the first variants of the Conficker worm.

20 January: Conficker.B is spotted exploiting the Windows Vista autoplay feature so it can spread via flash drives and memory sticks.

Early February: The numbers of machines infected by Conficker explodes. Many millions are thought to have fallen victim.

12 February: Microsoft announces the creation of the Conficker Cabal - a global group of security professionals who will try to disrupt the workings of the botnet created by infected machines. It also $250,000 as a reward for information about the creators of Conficker.

16 February: Conficker.B++ is spotted for the first time. It's protocol seems to be in direct response to Cabal's efforts to disable Conficker's communications strategy. It no longer needs to contact internet rendezvous points for updates, instead these can be flashed centrally from any internet address.

5 March: Conficker.C turns up. It tries to update all already infected machines with the latest variant. The PCs are organised into peer-to-peer networks and imposes instructions for these machines to check in with a one from a random group of 500 domains pulled from a pool of 50,000 on 1 April.

1 April: Machines infected with Conficker.C are expected to connect to domains for more instructions. About two million machines are thought to be infected with this variant.

Print Sponsor

Security experts eye worm attack
31 Mar 09 |  Technology
Q&A: Conficker protection
31 Mar 09 |  Technology
Microsoft bounty for worm creator
13 Feb 09 |  Technology
Windows worm trickery for Vista
21 Jan 09 |  Technology
Clock ticking on worm attack code
20 Jan 09 |  Technology
Spam reaches 30-year anniversary
02 May 08 |  Technology

The BBC is not responsible for the content of external internet sites

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit


Sign in

BBC navigation

Copyright © 2020 BBC. The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.

Americas Africa Europe Middle East South Asia Asia Pacific