Registry Values for Conficker

Conficker registry values

In recent weeks the Conficker virus has spread to roughly 30% of Windows based networks throughout the world.

Different variants of the worm have different registry values for the Conficker virus.

What started out only affecting 5 TLD’s (top-level domains) has spread to the use of 110 TLDs.

The number of TLDs being used is a direct correlation to how many “hits” the worm can make in a single day.

Conficker registry values

Conficker registry values

Variant Effects on Top-Level Domains

Beginning on 21st November, 2008, Conficker started attacking using a pull technique from as well as downloads from 250 pseudorandom domains using only 5 TLDs.

Currently, there are 4 variants of Conficker and variant D uses anywhere from 500 to 50,000 pseudorandom domains over 110 TLDs.

Variant A

First detected on 21st November, 2008, Conficker variant A started spreading the virus via downloads from 250 pseudorandom generated domains utilizing only 5 TLDs.

Variant A exposed vulnerability on Windows server computers and placed itself onto PC registries in an attempt to turn off malware protection software.

Variant B

On 29th December, 2008, variant B started using 8 TLDs which activated 250 pseudorandom domains and activated push and pull techniques from the downloads to block DNS look-ups and turn off the Automatic update feature on Windows platforms.

Variant B also set up Trojan horse programs on removable media as well as established a backdoor for previously infected computers.

Variant C

On 20th February, 2009, variant C added a named pipe feature to receive URLs from hosts and then downloaded from those hosts.

Variant D

On 4th March, 2009, variant D was introduced and bumped up the use of TLDs and pseudorandom domain generation to 110 and anywhere from 500 to 50,000, respectively.

Variant D also started killing malware protection software as well as transferring using TCP protocols.


ICANN has sought to block the transfer and registration of all TLDs affected by the pseudorandom domain generator.

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.

Speak Your Mind