Conficker handling instructions

0. Behaviour

Conficker spreads itself through the following vectors:

  • PCs without the MS08-067 patch
  • Weak or easy-to-guess passwords on Admin$ shares
  • Autorun
  • Mapped network drives with write privileges
  • Scheduled tasks

1. Logon

If in doubt whether autorun is still enabled, follow these instructions whenever you insert media and at logon time!

Hold down the Shift key during logon and while inserting media.

PLEASE USE LOCAL ADMIN ACCOUNTS FOR LOGON!

2. Detect

Network Scanner (quick way to detect infected machines):

- Installation instructions:

  • System requirement: Windows XP (it also runs on Unix and similar systems, but there you will not be able to use the exe)
    YOU DO NOT NEED ADMINISTRATIVE PRIVILEGES!
  • Download and install Python 2.6.1
  • Download conficker detection network scanner and extract to C:\
- Usage instructions:
  • Open CMD and change to C:\scs
  • Execute the scan as follows: c:\scs\scs.exe [start-ip] [end-ip]
    OR, alternatively, do the following in CMD from c:\scs:
      > edit iplist.txt (add all the IPs you want to have scanned, one per line)
      > scs.exe iplist.txt

3. Remove

Ideally you should be removing an infected machine from the network and re-install it from scratch. The following provides you with instructions on how to proceed in case you cannot do just that.

Please be aware that the memory disinfection tool is a proof of concept and, according to its authors, should not be used in a production environment.

  • Download and run the Memory disinfector (it removes the Conficker threads without touching the processes they run in).
  • Download CFRemover
    • Open the tool and select Proceed
    • The tool will reboot the machine automatically and remove Conficker!

4. Reboot

This should already have been performed by the tool executed in the previous step.

5. Patch

Patch to the latest stable patch level if at all possible.
Depending on your system you might want to test carefully before applying patches.

6. Reboot

7. Confirm removal

Run the network scanner from item "2. Detect" again and confirm that the system is now marked clean.

If the system is still not clean, proceed as follows:

- Go back to "3. Remove" and, instead of the tool provided there, try the spywarevoid tool.
- Please leave us a comment if any of the tools did not work for you.

8. Measures to avoid re-infection

a. Disable autorun by importing the following .reg file (the mapping makes Windows look for Autorun.inf settings in a registry key that does not exist, so every Autorun.inf is ignored):

     REGEDIT4

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
     @="@SYS:DoesNotExist"

b. Delete the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

c. Follow the Prevention Section in the Microsoft instructions.
WARNING:
- These measures are strongly recommended; however, you might want to weigh them against the side effects listed below:
- Please be aware that you will not be able to install new services once these measures are in place! This means you should apply them manually and will need to revert them temporarily whenever a given machine needs a legitimate service installed!
- Please also be aware that you will not be able to add, delete or modify scheduled tasks!
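As an added example (not part of the original instructions), the following PowerShell script audits a host for measures a and b above and for the MS08-067 update from section 0. It assumes PowerShell 2.0 or later, that it is run as a user who can read HKLM, and that KB958644 is the hotfix ID of the MS08-067 update; it only reports, it changes nothing.

```powershell
# Added example: read-only audit of the Conficker re-infection measures.
# Assumptions: PowerShell 2.0+, read access to HKLM, KB958644 = MS08-067.

function Test-ConfickerMeasures {
    $results = @()

    # a. Autorun.inf neutralised via the IniFileMapping redirection
    $autorunKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    $autorunOk = $false
    if (Test-Path $autorunKey) {
        # The default value of the key shows up as the '(default)' property
        $default = (Get-ItemProperty -Path $autorunKey).'(default)'
        $autorunOk = ($default -eq '@SYS:DoesNotExist')
    }
    $results += New-Object PSObject -Property @{
        Check = 'Autorun.inf mapped to @SYS:DoesNotExist'; Pass = $autorunOk }

    # b. MountPoints2 removed for the current user (it is recreated on use,
    #    so check this right after applying the measure and after each logon)
    $mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    $results += New-Object PSObject -Property @{
        Check = 'MountPoints2 key absent'; Pass = (-not (Test-Path $mp2)) }

    # Section 0: unpatched MS08-067 is a spread vector, so verify the hotfix
    $patched = $false
    try {
        $patched = [bool](Get-HotFix -Id 'KB958644' -ErrorAction Stop)
    } catch {
        $patched = $false
    }
    $results += New-Object PSObject -Property @{
        Check = 'MS08-067 (KB958644) installed'; Pass = $patched }

    return $results
}

# Print one line per check; any "False" is a measure still to apply.
Test-ConfickerMeasures | Format-Table Check, Pass -AutoSize
```

On systems where the MS08-067 fix arrived as part of a service pack, Get-HotFix may not list KB958644 separately, so treat a False there as a prompt to verify rather than as proof that the host is unpatched.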

Sources

To tell you the truth, by now I do not even remember all the sources I've been through; here are the ones I remember well, and to all the others, please excuse me!

Responses

Re: Conficker handling instructions

Thank you, very helpful.

Re: Conficker handling instructions

I tested it and it worked. You saved me most probably a hell lot of time. A very big thank you!

Re: Conficker handling instructions

Best article I've found so far on the net - keep it updated ;-)

Re: Conficker handling instructions

http://confickerworkinggroup.net/ http://www.dshield.org/diary.html?storyid=5860 are good sources as well
