It attempts to connect to remote admin shares using hundreds of common, weak passwords, including simple runs and repetitions of numbers and letters. If you find an infection on your network, check that list to see whether any of your passwords are on it, because every match is a machine the worm can walk into without any exploit at all. Once Conficker has exploited a single unpatched computer, either vector lets it spread to computers that are fully patched. Conficker isn't the first worm to do any of these things, but then the most popular worms rarely do anything new.
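The password guessing described above leaves a distinctive trail: a burst of failed network logons from one infected host against several accounts on the same server, far faster than any human could type. The following is an added example (mine, not code from the column or from any published Conficker analysis) that flags that pattern in a Windows Security log export. The pipe-delimited layout of the export, the 60-second window and the 20-failure threshold are all assumptions for the example; the sample log is constructed inline.

```python
"""Flag SMB password-guessing bursts in a Windows Security log export.

Assumed export layout (one event per line):
    timestamp|EventID|source IP|account|target host|share
Event 4625 is a failed logon, 4624 a successful one.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Detection thresholds are assumptions for this example; tune them per environment.
WINDOW = timedelta(seconds=60)
THRESHOLD = 20  # failed logons from one source inside WINDOW

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\|(?P<event>\d{4})\|"
    r"(?P<src>[\d.]+)\|(?P<account>[^|]+)\|(?P<target>[^|]+)\|(?P<share>[^|]*)$"
)


def parse(lines):
    """Turn export lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "event": int(d["event"]),
            "src": d["src"],
            "account": d["account"],
            "target": d["target"],
            "share": d["share"],
        })
    return events


def find_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding window over each source's failed logons; report the densest window."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == 4625:
            by_src[e["src"]].append(e)

    hits = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        best = None
        j = 0  # right edge of the window; only ever moves forward
        for i in range(len(fails)):
            while j < len(fails) and fails[j]["ts"] - fails[i]["ts"] <= window:
                j += 1
            count = j - i
            if count >= threshold and (best is None or count > best["count"]):
                span = fails[i:j]
                best = {
                    "src": src,
                    "count": count,
                    "start": fails[i]["ts"],
                    "accounts": sorted({e["account"] for e in span}),
                    "targets": sorted({e["target"] for e in span}),
                }
        if best:
            hits.append(best)
    return hits


def _constructed_sample():
    """Constructed log export: ordinary noise plus one guessing burst from 10.0.0.23."""
    noise = [
        "2009-01-20 09:00:01|4624|10.0.0.5|svc_backup|FILESRV01|ADMIN$",
        "2009-01-20 09:00:09|4625|10.0.0.7|jsmith|FILESRV01|",  # a single typo
        "2009-01-20 09:00:40|4624|10.0.0.7|jsmith|FILESRV01|",
        "2009-01-20 09:05:12|4625|10.0.0.7|jsmith|FILESRV02|",
    ]
    base = datetime(2009, 1, 20, 9, 1, 0)
    accounts = ["Administrator", "backup", "ejones"]
    burst = [
        f"{(base + timedelta(seconds=i)).strftime('%Y-%m-%d %H:%M:%S')}"
        f"|4625|10.0.0.23|{accounts[i % 3]}|FILESRV01|ADMIN$"
        for i in range(45)  # 45 guesses in 45 seconds against the ADMIN$ share
    ]
    return noise + burst


SAMPLE_LINES = _constructed_sample()

if __name__ == "__main__":
    for hit in find_bursts(parse(SAMPLE_LINES)):
        print(f"{hit['src']}: {hit['count']} failed logons in {WINDOW.seconds}s "
              f"starting {hit['start']} against {hit['targets']} "
              f"accounts={hit['accounts']}")
```

The user who fat-fingers a password twice never crosses the threshold; the infected host does within its first minute. Run it against a real export by replacing `SAMPLE_LINES` with the file's lines, and treat every flagged source as a host to pull off the network and image before cleaning.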
How admins are protecting servers from Conficker -- or not
I don't understand why more administrators aren't patching Windows servers. Maybe they think the perimeter firewall will protect them, since it blocks TCP ports 139 and 445 from the Internet. But as anyone who lived through the MS-Blaster days can tell you, a perimeter firewall doesn't provide much protection in today's world of traveling laptops and remote VPN users: the worm simply walks in behind the firewall on an infected machine.
I'm sure some of the problem is due to distrust of Microsoft patches. In the past, some Microsoft patches have caused operational issues. Although Microsoft has gotten a lot better on this, it's hard to forget if you've been burned before. That's understandable, and it is why any patch management strategy should have adequate regression testing built into it.
Some of my clients don't have identical test environments in which to test patches. That's understandable, although setting up VM environments should make the task easier cost-wise. Many of the biggest VM vendors, certainly VMware and Microsoft, offer free physical-to-virtual utilities that will convert a real, physical box into a test VM image. But even an identical VM is never a completely thorough test unless it is exercised the way the production system is exercised, with the same services, clients and load.
Patching best practices
So always have a plan for rolling back a patch once it has been applied on the production network. Servers should have a complete backup prior to any patch being applied, and the restore should have been tested at least once. Microsoft offers free technical support (866-PCSAFETY) for any security update-related issue. For mission-critical servers, consider using clustering or network load-balancing services so that nodes can be drained and patched one at a time, instead of trying to patch all of them at once.
If you don't want to (or can't) apply the patches in a timely manner, implement the suggested workarounds and mitigations. Microsoft offers these in every security bulletin. If your environment is so thin on assets and resources that you simply cannot take the time to regression test before applying patches, back up the servers and apply the patches anyway. Today's Internet is too malicious to let unpatched servers hang around on your network. The patches are being reverse-engineered in minutes, and the worms are pouring out onto the Internet in hours.