The Final Countdown

Panda Security: Warning: Conficker worm infections gaining traction

30 Mar

We're seeing quite a large number of Conficker worm infections since the start of the New Year, and especially since the Conficker.C variant appeared on December 31. It seems that the return to work after the Christmas break has kick-started Conficker again. Daniel Nyström, our Tech Support front man in Sweden, already noticed an increase in infections a few days ago.

As you may recall, Conficker is a worm that spreads via networks and USB drives. It brute-forces usernames and passwords on network shares, and it exploits the Server service vulnerability in Windows (MS08-067), which allows unauthenticated remote code execution. The worm also tries every day to update itself from a long, changing list of URLs, so it looks like it is preparing for a larger attack.

Checking again the SANS Internet Storm Center activity-by-port data (Conficker's MS08-067 exploit travels over SMB, TCP port 445), it's obvious this is something you need to worry about:
(graph not reproduced)

As posted about a month and a half ago, TruPrevent prevents Conficker worm network infections proactively thanks to a new Policy Rule we pushed out to all our retail products. In addition we've added signature detection for all Conficker variants. I'll post details on manually creating and pushing out TruPrevent Policy Rules on corporate networks as soon as possible.

As a curiosity, while travelling the other day and connected to the WiFi network of a German airport, I noticed the following Conficker worm variant trying to brute-force its way into my machine:
(screenshot not reproduced)

The Conficker worm means business, so be careful out there. Some preventive steps you should be following if you haven't done so already:
· If you're responsible for a network, scan for vulnerable machines (using Microsoft Baseline Security Analyzer, Nessus, etc.).
· Patch your servers and workstations by visiting Microsoft Security Bulletin MS08-067.
· Disinfect infected machines using Malware Radar on networks or ActiveScan for stand-alone PCs.
· Turn off the AutoRun feature for USB drives on your machines (and ask your Microsoft representative for a global solution to AutoRun).
· Make sure your antivirus and security solution is up to date on the latest version and signature database.

Conficker Worm Attack Getting Worse: Here's How to Protect Yourself

Millions of Windows computers have been infected by a new computer worm dubbed "Conficker." The situation is "not getting better," but rather is "getting worse," according to security software vendor F-Secure.

Read how you can protect your PC here.

In a blog post, F-Secure security researchers report that the number of machines infected by the Downadup worm has skyrocketed from roughly 2.4 million to over 8.9 million in the last four days alone.

Downadup is a malicious worm that "uses computer or network resources to make complete copies of itself," according to F-Secure. It may also include code or other malware that damages both a computer and a network. The worm also goes by the names "Kido" and "Conficker" (often misspelled "Conflicker"). Details on how it operates and how to remove it are here.

Once executed, Downadup disables a number of system services, including Windows Automatic Update, Windows Security Center, Windows Defender, and Windows Error Reporting. The worm then connects to a malicious server, where it downloads additional malware to install on the infected computer. Computerworld provides a more detailed report on Downadup's potential dangers.

Since Downadup uses random extension names to avoid detection, Windows users should make sure their security software is set to scan all files, rather than checking on specific extensions, F-Secure recommends.

The alarmingly high number of Downadup infections led Microsoft last Tuesday to enable its anti-malware utility, the Microsoft Malicious Software Removal Tool (MSRT), to detect the worm. So it's important that Windows users, if they haven't already, download the latest Microsoft security patch that went out earlier this week.

MS08-067 Conficker worm - F-Secure offers free removal tools

These tools may be useful for infected systems that need to be cleaned prior to putting the MS08-067 security patch in place.

MS08-067 Conficker worm - Description
http://www.f-secure.com/weblog/archives/00001574.html
http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml

Removal tools:
ftp://ftp.f-secure.com/anti-virus/tools/beta/fsmrt.zip
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip

Remember: please read the text file included in the ZIP for additional details.

ESET Removal tools

[Update: it seems that people who missed the whole MS-DOS/having fun with the C> prompt and batch files thing are still struggling with the fact that vendors are releasing cleaning tools that are really command-line tools, so some step-by-step notes are added below.]

I’m sure you’re almost as bored with this issue as I am with the BBC. (I wonder if it’s contemplating buying the Conficker botnet to add to its collection?)

However, it seems that some people are still confused as to how to remove Conficker if it’s already on their system. So here’s a quick summary: some of it was actually posted by our labs back in January, but it still applies.

1. Disconnect the infected computer from the network and the Internet.
2. Use an uninfected PC to download the respective Windows patches from the following sites: MS08-067, MS08-068 and MS09-001.
3. Reset your system passwords to admin accounts using more sophisticated ones. [Note that it can spread through shared folders.]
4. Download a one-off ESET application (again, using a non-infected PC) which will remove the worm.
5. Install the updated anti-virus program.
6. Re-connect the PC to the network and the Internet.


You might also want to disable Autorun.

Here’s a bit more information about using the standalone utility mentioned in step 4.

If you access that link and run it rather than save it, you might be confused by the fact that it’s a text mode application opening in a DOS box (that’s the black window that looks like an old-time DOS PC or some form of dumb terminal with a C:\ or C> prompt and text output only), not a Windows application. That’s normal for a standalone utility like this, which doesn’t need a multi-menu graphical interface (GUI).
If you have more than one PC to check/look after, or a slow connection, or for any other reason, you might want to save it to the desktop rather than run it from the web site.
When you run it, it will, hopefully, tell you that "Conficker worm has not been found active in the memory" and ask you if you want to scan and clean anyway. It’s unlikely to do any harm if you do run it, but if Conficker is not in memory, it probably isn’t anyway on your system and certainly poses no immediate threat. It’s more important at this point to check that your AV is installed and updating properly.
It also mentions a couple of options (-autoclean and -reboot). If Conficker isn’t in memory these aren’t very relevant to you. If it is, you’ll probably want to carry on scanning and respond when the utility prompts you. Those options are more relevant to system administrators and power users wanting to run the application from a script and/or on more than one PC. If you want to use them, you’ll have to use them from the command-line, and if you saved it as EConfickerRemover.exe, use that name at the command line, not removaltool, as the program suggests.
It may not run with full functionality if you’re not running with administrator rights. It will detect Conficker, if it’s there, but it won’t be able to clean it properly. Of course, we normally advise people not to run as administrator routinely, but for tasks like this you have to be able to either log in as administrator or "run as" administrator.
I’ve also had someone mention that the DOS screen comes and goes too quickly to read if there’s no infection. I haven’t been able to replicate that, so have asked for more information.

If you have further questions on this, please visit the support pages at http://www.eset.eu/support.


See the history/main page for more tutorials and tools for Conficker.C removal.
The above method is just one method out of many.
For more security, always use all the methods available.

McAfee Stinger

Techie Buzz has brought to light another Conficker removal tool, released by the anti-virus and security company McAfee: Stinger, a stand-alone scanner that detects and removes 11 trojans and their variants, including Conficker.



Conficker Removal with MSRT

1. Symptoms to help you determine if you are infected

· Account lockout policies are being tripped

· Domain Controllers are being hammered

· Network congestion

· Sluggish Client Behavior
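The first two symptoms above (lockout policies tripping, domain controllers being hammered) come from the worm brute-forcing passwords against network shares, so the "Caller Computer Name" on the lockout events points straight at the infected hosts. The following script, added here as a worked example and not part of the original post, groups lockout events by caller and flags the noisy ones. It assumes Windows Server 2008 or later, where the lockout audit event is ID 4740 with the locked-out account in Properties[0] and the caller computer name in Properties[1]; the sample events at the bottom are constructed so the grouping can be tried offline.

```powershell
# Added example (not from the original page): rank the machines that are tripping account lockouts.
# Assumption: event ID 4740 ("A user account was locked out") on Server 2008+, where Properties[0]
# is the locked-out account and Properties[1] is the caller computer name.

function Get-LockoutSources {
    param(
        # Objects with TimeCreated, TargetUserName and CallerComputerName (see Get-LiveLockoutEvents)
        [Parameter(Mandatory = $true)] [object[]] $Events,
        # A single caller at or above this many lockouts is flagged as suspicious
        [int] $Threshold = 5
    )
    $Events |
        Group-Object -Property CallerComputerName |
        ForEach-Object {
            $times = @($_.Group | Select-Object -ExpandProperty TimeCreated | Sort-Object)
            [pscustomobject]@{
                CallerComputerName = $_.Name
                Lockouts           = $_.Count
                DistinctAccounts   = @($_.Group | Select-Object -ExpandProperty TargetUserName -Unique).Count
                FirstSeen          = $times[0]
                LastSeen           = $times[-1]
                Suspicious         = ($_.Count -ge $Threshold)
            }
        } |
        Sort-Object -Property Lockouts -Descending
}

function Get-LiveLockoutEvents {
    # Normalise real 4740 events from the local Security log (run elevated on a domain controller).
    param([int] $Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            TimeCreated        = $_.TimeCreated
            TargetUserName     = $_.Properties[0].Value
            CallerComputerName = $_.Properties[1].Value
        }
    }
}

# Constructed sample events standing in for real log data: one host cycling through four accounts
# every 15 seconds (worm behaviour) and one host with a single, probably human, lockout.
$base   = Get-Date '2009-01-14 09:00:00'
$sample = @()
foreach ($i in 0..11) {
    $sample += [pscustomobject]@{
        TimeCreated        = $base.AddSeconds(15 * $i)
        TargetUserName     = 'user{0:00}' -f ($i % 4)
        CallerComputerName = 'WKS-017'
    }
}
$sample += [pscustomobject]@{ TimeCreated = $base.AddMinutes(30); TargetUserName = 'jsmith'; CallerComputerName = 'WKS-003' }

Get-LockoutSources -Events $sample -Threshold 5 | Format-Table -AutoSize
# Against live data on a DC: Get-LockoutSources -Events (Get-LiveLockoutEvents -Hours 6)
```

The caller computer name is whatever the client put in the SMB session setup, so treat it as a lead to verify (for example against DHCP or switch logs) rather than proof; on Windows Server 2003 domain controllers the equivalent event is in the older 6xx series and its fields differ.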

2. Steps to help you recover

Patch and clean – apply MS08-067 and review this info on weak passwords

· Weak Password and Lockout policy info

What you should know about strong passwords: http://www.microsoft.com/technet/security/readiness/content/documents/password_tips_for_administrators.doc

http://www.microsoft.com/technet/security/topics/hardsys/tcg/tcgch00.mspx

http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.asp

http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx

http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_tips.asp

Password Best Practices:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_protect.asp


Accounts Passwords and Lockout Policies:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx


Account Lockout and Management Tools:

http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en

· Passgen is a tool that allows you to reset local passwords on large blocks of systems:
http://blogs.technet.com/steriley/archive/2008/09/29/passgen-tool-from-my-book.aspx



3. Malware Removal

1. MSRT - The updated MSRT will be live Tuesday 13 January; however, you must remember that Conficker breaks Automatic Updates (it disables the service and blocks access to Microsoft update sites), so we will also need to reference these KBs for manual download information and alternate enterprise deployment steps:

KB890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000

http://support.microsoft.com/kb/890830

KB891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment

http://support.microsoft.com/kb/891716

2. Forefront Client Security (FCS) / Windows Live OneCare

3. Third-party antivirus products

4. Manual Cleanup - This template supplies the manual cleanup steps and a script. (in a separate post)

See these blog posts for additional resources
http://www.microsoft.com/security/portal/Entry.aspx?name=Worm%3aWin32%2fConficker.B

http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx

http://blogs.technet.com/mmpc/archive/2008/12/31/just-in-time-for-new-years.aspx

http://msblogs/csssecurity/Lists/Posts/Post.aspx?ID=124

http://msblogs/csssecurity/Lists/Posts/Post.aspx?ID=123

http://myemea/sites/henkvanr/Blog/Lists/Posts/Post.aspx?ID=5
Published Wednesday, January 14, 2009 10:07 AM by RockyH

Conficker Worm: Help Protect Windows from Conficker

This page is designed to provide IT Pro customers the information they need to help protect their systems from the Conficker Worm, or to recover systems that have been infected.

If you are a consumer, please visit Protect Yourself from the Conficker Computer Worm.
About Conficker

On October 23, 2008, Microsoft released a critical security update, MS08-067, to resolve a vulnerability in the Server service of Windows that, at the time of release, was facing targeted, limited attack. The vulnerability could allow an anonymous attacker to take full control of a vulnerable system through a network-based attack, the sort of vector typically associated with network "worms." Since the release of MS08-067, the Microsoft Malware Protection Center (MMPC) has identified the following variants of Win32/Conficker:
Worm:Win32/Conficker.A: identified by the MMPC on November 21, 2008
Worm:Win32/Conficker.B: identified by the MMPC on December 29, 2008
Worm:Win32/Conficker.C: identified by the MMPC on February 20, 2009 (*)
Worm:Win32/Conficker.D: identified by the MMPC on March 4, 2009 (**)
(*) Also known as Conficker B++
(**) Also known as Conficker.C and Downadup.C (vendor naming differs, so a ".C" in another vendor's writeup may not be Microsoft's Conficker.C)

What Happens on April 1, 2009?

Systems infected with the latest version of Conficker will begin to use a new algorithm to determine what domains to contact. Microsoft has not identified any other actions scheduled to take place on April 1, 2009. It is possible that systems with the latest version of Conficker may be updated with a newer version of Conficker on April 1 by contacting domains on the new domain list. However, these systems could be updated on any date before or after April 1 as well using the "peer-to-peer" updating channel in the latest version of Conficker.
Protecting PCs from Conficker
Apply the security update associated with MS08-067. View the security bulletin for more information about the vulnerability, affected software, detection and deployment tools and guidance, and security update deployment information.
Make sure you are running up-to-date antivirus software from a trusted vendor, such as Microsoft's Forefront Client Security or Windows Live OneCare. Antivirus software may also be obtained from trusted third parties such as the members of the Virus Information Alliance.
Check for updated protections for security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. The Microsoft Active Protection Program (MAPP) provides partners with early access to Microsoft vulnerability information. For a list of partners and links to their active protections, please visit the MAPP Partners page.
Isolate legacy systems using the methods outlined in the Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide.
Implement strong passwords as outlined in the Creating a Strong Password Policy whitepaper.
Disable the AutoPlay feature through the registry or using Group Policies as discussed in Microsoft Knowledge Base Article 967715. Microsoft released Security Advisory 967940 to notify users that the updates to allow users to disable AutoPlay/AutoRun capabilities have been deployed via automatic updating channels.
NOTE: Windows 2000, Windows XP, and Windows Server 2003 customers must deploy the update associated with Microsoft Knowledge Base Article 967715 to be able to successfully disable the AutoRun feature. Windows Vista and Windows Server 2008 customers must deploy the security update associated with Microsoft Security Bulletin MS08-038 to be able to successfully disable the AutoRun feature.
Cleaning Systems of Conficker

Manually download the Windows Malicious Software Removal Tool (MSRT) onto uninfected PCs and deploy to infected PCs to clean infected systems.
Conficker Timeline
On November 21, 2008, the MMPC identified Worm:Win32/Conficker.A. This worm seeks to propagate itself by exploiting the vulnerability addressed in MS08-067 through network-based attacks. The MMPC added signatures and detection to Microsoft Forefront, Microsoft OneCare, and the Windows Live OneCare Safety Scanner on the same day.
On November 25, 2008, the MMPC communicated information about Worm:Win32/Conficker.A through their weblog.
On December 29, 2008, the MMPC identified the second variant, Worm:Win32/Conficker.B, and added signatures and detection to Microsoft Forefront, Microsoft OneCare, and the Windows Live OneCare Safety Scanner on the same day.
NOTE: Worm:Win32/Conficker.B can be successful against systems that have applied the security update associated with MS08-067, because it also spreads through weak administrator passwords on network shares and through removable media with AutoRun enabled, neither of which the update addresses.
On December 31, 2008, the MMPC communicated information about Worm:Win32/Conficker.B through their weblog.
On January 13, 2009, the MMPC included the ability to remove both Worm:Win32/Conficker.A and Worm:Win32/Conficker.B in the January 2009 release of the Windows Malicious Software Removal Tool and communicated information about this through their weblog.
On January 22, 2009, the MMPC provided consolidated technical information about Worm:Win32/Conficker.B on their weblog.
On February 12, 2009, the Microsoft Security Response Center (MSRC) released information about domains that Conficker-infected systems try to connect to. Microsoft also announced information on a partnership with technology industry and academic leaders designed to disable domains targeted by Conficker.
On February 12, 2009, Microsoft announced a U.S. $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet. Microsoft's reward offer stems from the company's recognition that the Conficker worm is a criminal attack. Microsoft wants to help the authorities catch the criminals responsible for it. Residents of any country are eligible for the reward, in accordance with the laws of that country, because Internet viruses affect the Internet community worldwide.
On February 20, 2009, the MMPC provided technical information about Worm:Win32/Conficker.C on their weblog.
On March 27, 2009, the MMPC provided more details about the new P2P functionality in Worm:Win32/Conficker.D on their weblog.
Individuals with information about the Conficker worm are encouraged to contact their international law enforcement agencies. Additionally, Microsoft has implemented an Antivirus Reward Hotline, +1-425-706-1111, and an Antivirus Reward Mailbox, avreward@microsoft.com, where tips can be shared.

Prevention

Stop Conficker from spreading by using Group Policy
Notes
This procedure does not remove the Conficker malware from the system. It only stops the spread of the malware. Use an antivirus product to remove Conficker from the system, or follow the steps in the "Manual steps to remove the Conficker.b variant" section of this Knowledge Base article to remove it manually.
Please carefully read and understand the note under step 1d (disabling the local administrator account) before you link the policy.

1. Create a new policy that applies to all computers in a specific organizational unit (OU), site, or domain, as required in your environment. Configure the following four settings in it.

   1a. Set the policy to remove write permissions to the following registry subkey:
       HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
       This prevents the randomly named malware service from being created in the netsvcs registry value.
       To do this, follow these steps:
       - Open the Group Policy Management Console (GPMC).
       - Create a new Group Policy object (GPO). Give it any name that you want.
       - Open the new GPO, and then move to the following folder:
         Computer Configuration\Windows Settings\Security Settings\Registry
       - Right-click Registry, and then click Add Key.
       - In the Select Registry Key dialog box, expand Machine, and then move to the following folder:
         Software\Microsoft\Windows NT\CurrentVersion\Svchost
       - Click OK.
       - In the dialog box that opens, clear the Full Control check box for both Administrators and System.
       - Click OK.
       - In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions, and then click OK.

   1b. Set the policy to remove write permissions to the %windir%\Tasks folder. This prevents the Conficker malware from creating the scheduled tasks that can re-infect the system.
       To do this, follow these steps:
       - In the same GPO that you created earlier, move to the following folder:
         Computer Configuration\Windows Settings\Security Settings\File System
       - Right-click File System, and then click Add File.
       - In the Add a file or folder dialog box, browse to the %windir%\Tasks folder. Make sure that Tasks is highlighted and listed in the Folder: dialog box.
       - Click OK.
       - In the dialog box that opens, clear the check boxes for Full Control, Modify and Write for both Administrators and System.
       - Click OK.
       - In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions, and then click OK.

   1c. Set AutoPlay (Autorun) features to disabled. This keeps the Conficker malware from spreading by using the AutoPlay features that are built into Windows.
       To do this, follow these steps:
       - In the same GPO that you created earlier, move to one of the following folders:
         For a Windows Server 2003 domain: Computer Configuration\Administrative Templates\System
         For a Windows Server 2008 domain: Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies
       - Open the Turn off Autoplay policy.
       - In the Turn off Autoplay dialog box, click Enabled.
       - In the drop-down menu, click All drives.
       - Click OK.
       Note On Windows 2000, Windows XP and Windows Server 2003 clients this setting is only fully honoured once the update from Microsoft Knowledge Base Article 967715 is installed (see "Protecting PCs from Conficker" above).

   1d. Disable the local administrator account. This blocks the Conficker malware from using the brute-force password attack against the administrator account on the system.
       Note Do not follow this step if you link the GPO to the domain controllers' OU, because on a domain controller this setting disables the domain Administrator account. If you have to apply the other settings on the domain controllers, create a separate GPO that omits this step, and link that separate GPO to the domain controllers' OU.
       To do this, follow these steps:
       - In the same GPO that you created earlier, move to the following folder:
         Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
       - Open Accounts: Administrator account status.
       - In the Accounts: Administrator account status dialog box, select the Define this policy check box.
       - Click Disabled.
       - Click OK.

2. Close the Group Policy Management Console.

3. Link the newly created GPO to the location that you want it to apply to.

4. Allow enough time for Group Policy to update on all computers. Generally, Group Policy replication takes five minutes to reach each domain controller, and then 90 minutes to reach the rest of the systems. A couple of hours should be enough. However, more time may be required, depending on the environment.

5. After the Group Policy has propagated, clean the systems of malware.
   To do this, follow these steps:
   - Run full antivirus scans on all computers.
   - If your antivirus software does not detect Conficker, you can use the Malicious Software Removal Tool (MSRT) to clean the malware. For more information, visit the following Microsoft Web page:
     http://www.microsoft.com/security/malwareremove/default.mspx
   Note You may still have to take some manual steps to clean all the effects of the malware. To clean all the effects that are left behind by the malware, follow the steps that are listed in the "Manual steps to remove the Conficker.b variant" section of this Knowledge Base article.
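Once the policy has had time to propagate, the question on every host is whether the four settings actually took effect. The script below is a worked example added here (it is not part of the Microsoft article) that audits a single machine, read-only, for the controls the Group Policy procedure enforces, plus the MS08-067 update that the "Protecting PCs from Conficker" list and the Panda preventive steps earlier on this page both lead with. It assumes that the MS08-067 update ID is KB958644 (so the check is only meaningful on the Windows versions that update targeted), that "Turn off Autoplay: All drives" writes NoDriveTypeAutoRun = 0xFF under the Explorer policy key, and that the built-in local Administrator is the account whose SID ends in -500.

```powershell
# Added example, not from the Microsoft article: read-only audit of one host for the controls the
# Group Policy procedure enforces, plus the MS08-067 update itself. Run from an elevated prompt.
# Assumptions: KB958644 is the MS08-067 update ID; "Turn off Autoplay: All drives" writes
# NoDriveTypeAutoRun = 0xFF; the built-in local Administrator account has RID 500.

function Test-WritableAce {
    # True if Administrators or SYSTEM still hold an Allow ACE carrying any right in $WriteMask
    param([object[]] $Aces, [string] $RightsProperty, [int] $WriteMask)
    foreach ($ace in $Aces) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notin @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')) { continue }
        if (([int] $ace.$RightsProperty -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Test-ConfickerHardening {
    $rr = [System.Security.AccessControl.RegistryRights]
    $fr = [System.Security.AccessControl.FileSystemRights]
    $svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $tasksDir    = Join-Path $env:windir 'Tasks'
    $explorerPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    # Rights that would let the worm register its service (registry) or drop a job (folder)
    $regWrite  = [int]($rr::SetValue -bor $rr::CreateSubKey)
    $fileWrite = [int]($fr::Write -bor $fr::Delete)

    $svchostWritable = Test-WritableAce -Aces (Get-Acl -Path $svchostKey).Access -RightsProperty 'RegistryRights'   -WriteMask $regWrite
    $tasksWritable   = Test-WritableAce -Aces (Get-Acl -Path $tasksDir).Access   -RightsProperty 'FileSystemRights' -WriteMask $fileWrite

    $autorun = (Get-ItemProperty -Path $explorerPol -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $admin   = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = TRUE AND SID LIKE '%-500'"
    $patch   = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        SvchostKeyWriteBlocked   = -not $svchostWritable
        TasksFolderWriteBlocked  = -not $tasksWritable
        AutorunDisabledAllDrives = ($autorun -eq 0xFF)
        LocalAdminDisabled       = [bool] $admin.Disabled
        MS08067Installed         = [bool] $patch
    }
}

Test-ConfickerHardening | Format-List
```

A False in the two ACL fields while the GPO is linked usually means the policy has not refreshed yet (run gpupdate /force and re-check); a False in MS08067Installed on a current Windows release is expected, since the update only exists for the versions MS08-067 covered. Checking the ACL rather than "is the GPO linked" is the point: the worm does not care what the policy says, only what the effective permissions are.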





Run the Malicious Software Removal tool
The Microsoft Malware Protection Center has updated the Malicious Software Removal tool (MSRT). This is a stand-alone binary that is useful in the removal of prevalent malicious software, and it can help remove the Win32/Conficker malware family.

You can download the MSRT from either of the following Microsoft Web sites:
http://www.update.microsoft.com
http://support.microsoft.com/kb/890830

For more information about specific deployment details for the MSRT, click the following article number to view the article in the Microsoft Knowledge Base:
891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment
Note The Stand-Alone System Sweeper tool will also remove this infection. This tool is available as a component of the Microsoft Desktop Optimization Pack 6.0 or through Customer Service and Support. To obtain the Microsoft Desktop Optimization Pack, visit the following Microsoft Web site:
http://www.microsoft.com/windows/enterprise/technologies/mdop.aspx
If Windows Live OneCare or Microsoft Forefront Client Security is running on the system, these programs also block the threat before it is installed.
Manual steps to remove the Conficker.b variant
The following detailed steps can help you manually remove Conficker.b from a system: Log on to the system by using a local account.

Important Do not log on to the system by using a Domain account, if it is possible. Especially, do not log on by using a Domain Admin account. The malware impersonates the logged on user and accesses network resources by using the logged on user credentials. This behavior allows the malware to spread.
Stop the Server service. This removes the Admin shares from the system so that the malware cannot spread by using this method.

Note The Server service should only be disabled temporarily while you clean up the malware in your environment. This is especially true on production servers because this step will affect network resource availability. As soon as the environment is cleaned up, the Server service can be re-enabled.

To stop the Server service, use the Services Microsoft Management Console (MMC). To do this, follow these steps: Depending on your system, do the following: In Windows Vista and Windows Server 2008, click Start, type services.msc in the Start Search box, and then click services.msc in the Programs list.
In Windows 2000, Windows XP, and Windows Server 2003, click Start, click Run, type services.msc, and then click OK.
In Windows Vista and Windows Server 2008, click Start, type services.msc in the Start Search box, and then click services.msc in the Programs list.
In Windows 2000, Windows XP, and Windows Server 2003, click Start, click Run, type services.msc, and then click OK.
Double-click Server.
Click Stop.
Select Disabled in the Startup type box.
Click Apply.
Depending on your system, do the following: In Windows Vista and Windows Server 2008, click Start, type services.msc in the Start Search box, and then click services.msc in the Programs list.
In Windows 2000, Windows XP, and Windows Server 2003, click Start, click Run, type services.msc, and then click OK.
In Windows Vista and Windows Server 2008, click Start, type services.msc in the Start Search box, and then click services.msc in the Programs list.
In Windows 2000, Windows XP, and Windows Server 2003, click Start, click Run, type services.msc, and then click OK.
Double-click Server.
Click Stop.
Select Disabled in the Startup type box.
Click Apply.
Remove all AT-created scheduled tasks. To do this, type AT /Delete /Yes at a command prompt.
Stop the Task Scheduler service. To stop the Task Scheduler service in Windows 2000, Windows XP, and Windows Server 2003, use the Services Microsoft Management Console (MMC) or the SC.exe utility.
To stop the Task Scheduler service in Windows Vista or in Windows Server 2008, follow these steps.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
Click Start, type regedit in the Start Search box, and then click regedit.exe in the Programs list.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
In the details pane, right-click the Start DWORD entry, and then click Modify.
In the Value data box, type 4, and then click OK.
Exit Registry Editor, and then restart the computer.
Download and manually install security update 958644 (MS08-067). For more information, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Note This site may be blocked because of the malware infection. In this scenario, you must download the update from an uninfected computer, and then transfer the update file to the infected system. We recommend that you burn the update to a CD because the burned CD is not writable. Therefore, it cannot be infected. If a recordable CD drive is not available, a removable USB memory drive may be the only way to copy the update to the infected system. If you use a removable drive, be aware that the malware can infect the drive with an Autorun.inf file. After you copy the update to the removable drive, make sure that you change the drive to read-only mode, if the option is available for your device. If read-only mode is available, it is typically enabled by using a physical switch on the device. Then, after you copy the update file to the infected computer, check the removable drive to see whether an Autorun.inf file was written to the drive. If it was, rename the Autorun.inf file to something like Autorun.bad so that it cannot run when the removable drive is connected to a computer.
Reset any Local Admin and Domain Admin passwords to use a new strong password. For more information, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/cc875814.aspx
In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
In the details pane, right-click the netsvcs entry, and then click Modify.
Scroll down to the bottom of the list. If the computer is infected with Conficker.b, a random service name will be listed. For example, in this procedure, we will assume the name of the malware service is "gzqmiijz". Note the name of the malware service. You will need this information later in this procedure.
Delete the line that contains the reference to the malware service. Make sure that you leave a blank line feed under the last legitimate entry that is listed, and then click OK.

Note All the entries in the following list are valid. Do not delete any of these entries. The entry that must be deleted will be a randomly generated name that is the last entry in the list.
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
EventSystem
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Messenger
Netman
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
Sacsvr
Schedule
Seclogon
SENS
Sharedaccess
Themes
TrkWks
TrkSvr
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
wuauserv
BITS
ShellHWDetection
uploadmgr
WmdmPmSN
xmlprov
AeLookupSvc
helpsvc
axyczbfsetg
Restrict permissions on the SVCHOST registry key so that it cannot be written to again. To do this, follow these steps.

Notes
You must restore the default permissions after the environment has been fully cleaned.
In Windows 2000, you must use Regedt32 to set registry permissions.
In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
Right-click the Svchost subkey, and then click Permissions.
In the Permissions Entry for SvcHost dialog box, click Advanced.
In the Advanced dialog box, click Add.
In the Select User, Computer or Group dialog box, type everyone, and then click Check Names.
Click OK.
In the Permissions Entry for SvcHost dialog box, select This key only in the Apply onto list, and then click to select the Deny check box for the Set Value permission entry.
Click OK two times.
Click Yes when you receive the Security warning prompt.
Click OK.
In a previous procedure, you noted the name of the malware service. In our example, the name of the malware entry was "gzqmiijz". Using this information, follow these steps:
In Registry Editor, locate and then click the following registry subkey, where BadServiceName is the name of the malware service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BadServiceName
For example, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gzqmiijz
Right-click the subkey in the navigation pane for the malware service name, and then click Permissions.
In the Permissions Entry for SvcHost dialog box, click Advanced.
In the Advanced Security Settings dialog box, click to select both of the following check boxes:
Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here.

Replace permission entries on all child objects with entries shown here that apply to child objects
Press F5 to update Registry Editor. In the details pane, you can now see and edit the malware DLL that loads as "ServiceDll". To do this, follow these steps:
Double-click the ServiceDll entry.
Note the path of the referenced DLL. You will need this information later in this procedure. For example, the path of the referenced DLL may resemble the following:
%SystemRoot%\System32\emzlqqd.dll
Rename the reference to resemble the following:
%SystemRoot%\System32\emzlqqd.old
Click OK.
Remove the malware service entry from the Run subkey in the registry. To do this, follow these steps:
In Registry Editor, locate and then click the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In both subkeys, locate any entry that begins with "rundll32.exe" and also references the malware DLL that loads as "ServiceDll" that you identified in step 13b. Delete the entry.
Exit Registry Editor, and then restart the computer.
Check for Autorun.inf files on any drives on the system. Use Notepad to open each file, and then verify that it is a valid Autorun.inf file. The following is an example of a typical valid Autorun.inf file.
[autorun]
shellexecute=Servers\splash.hta *DVD*
icon=Servers\autorun.ico
A valid Autorun.inf is typically 1 to 2 kilobytes (KB).
Delete any Autorun.inf files that do not seem to be valid.
Restart the computer.
Make hidden files visible. To do this, type the following command at a command prompt:
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 0x1 /f
Set Show hidden files and folders so you can see the file. To do this, follow these steps:
In step 13b, you noted the path of the referenced DLL file for the malware. For example, you noted a path that resembles the following:
%systemroot%\System32\emzlqqd.dll
In Windows Explorer, open the %systemroot%\System32 directory, or the directory that contains the malware.
Click Tools, and then click Folder Options.
Click the View tab.
Select the Show hidden files and folders check box.
Click OK.
Select the DLL file.
Edit the permissions on the file to add Full Control for Everyone. To do this, follow these steps:
Right-click the DLL file, and then click Properties.
Click the Security tab.
Click Everyone, and then click to select the Full Control check box in the Allow column.
Click OK.
Delete the referenced DLL file for the malware. For example, delete the %systemroot%\System32\emzlqqd.dll file.
Enable the BITS, Automatic Updates, Error Reporting, and Windows Defender services by using the Services Microsoft Management Console (MMC).
Turn off Autorun to help reduce the effect of any reinfection. To do this, follow these steps:
Depending on your system, install one of the following updates:
If you are running Windows 2000, Windows XP, or Windows Server 2003, install update 967715. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
967715 How to correct "disable Autorun registry key" enforcement in Windows
If you are running Windows Vista or Windows Server 2008, install security update 950582. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
950582 MS08-038: Vulnerability in Windows Explorer could allow remote code execution
Note Update 953252 and security update 950582 are not related to this malware issue. These updates must be installed to enable the registry function in step 24b.
Type the following command at a command prompt:
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
If the system is running Windows Defender, re-enable the Windows Defender autostart location. To do this, type the following command at the command prompt:
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe -hide" /f
For Windows Vista and later operating systems, the malware changes the global setting for TCP Receive Window Auto-tuning to disabled. To change this setting back, type the following command at a command prompt:
netsh interface tcp set global autotuning=normal
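The registry checks in the procedure above (the extra netsvcs name, the ServiceDll it loads, a rundll32.exe Run entry that references that DLL, and the NoDriveTypeAutoRun value) can be applied offline to a reg.exe export taken from the suspect machine and examined on a clean one. The script below is an added example, not part of the Microsoft procedure or the blog post; the export text, the Run value name and the ExportName argument are constructed sample data, and the known-good netsvcs list is the one from the note above.

```python
import ntpath
import re

# Known-good netsvcs members copied from the note in the removal procedure above. Other
# Windows versions add legitimate names, so treat "unknown" as "verify", not "delete".
KNOWN_NETSVCS = {n.lower() for n in """
    AppMgmt AudioSrv Browser CryptSvc DMServer EventSystem HidServ Ias Iprip Irmon
    LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent
    Rasauto Rasman Remoteaccess Sacsvr Schedule Seclogon SENS Sharedaccess Themes TrkWks
    TrkSvr W32Time WZCSVC Wmi WmdmPmSp winmgmt wuauserv BITS ShellHWDetection uploadmgr
    WmdmPmSN xmlprov AeLookupSvc helpsvc""".split()}

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
RUN_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")

# Constructed sample in the format reg.exe export writes: hex(7) is REG_MULTI_SZ and hex(2)
# is REG_EXPAND_SZ, both UTF-16LE. Service, DLL and Run value names are illustrative only.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=hex(7):41,00,70,00,70,00,4d,00,67,00,6d,00,74,00,00,00,53,00,63,00,68,00,\
  65,00,64,00,75,00,6c,00,65,00,00,00,77,00,75,00,61,00,75,00,73,00,65,00,72,00,\
  76,00,00,00,42,00,49,00,54,00,53,00,00,00,68,00,65,00,6c,00,70,00,73,00,76,00,\
  63,00,00,00,67,00,7a,00,71,00,6d,00,69,00,69,00,6a,00,7a,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gzqmiijz\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,\
  25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,65,00,6d,00,\
  7a,00,6c,00,71,00,71,00,64,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMixer"="C:\\Program Files\\Example\\mixer.exe"
"ydfgh"="rundll32.exe C:\\WINDOWS\\system32\\emzlqqd.dll,ExportName"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""


def _unquote(s):
    """Strip the quotes of a .reg string and undo its backslash escaping."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def _decode_value(raw):
    """Turn the right-hand side of a .reg value line into (type name, Python data)."""
    if raw.startswith('"'):
        return "REG_SZ", _unquote(raw)
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    kind = int(m.group(1) or 3)  # plain "hex:" is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind == 7:
        return "REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\0") if s]
    if kind == 2:
        return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\0")
    return "REG_BINARY", data


def parse_reg_export(text):
    """Parse the subset of .reg syntax reg.exe export produces into
    {key path (lower-cased): {value name (lower-cased): (type, data)}}."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        while line.endswith("\\"):  # hex data continues on the next line
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, raw = line.partition("=")
        current[_unquote(name).lower() if name != "@" else "@"] = _decode_value(raw)
    return keys


def triage(reg):
    """Apply the netsvcs, ServiceDll, Run-key and Autorun-policy checks to a parsed export."""
    names = reg.get(SVCHOST_KEY.lower(), {}).get("netsvcs", ("REG_MULTI_SZ", []))[1]
    unknown = [n for n in names if n.lower() not in KNOWN_NETSVCS]
    dlls = {}
    for name in unknown:  # the DLL the suspect service loads inside svchost.exe
        params = reg.get(f"{SERVICES_KEY}\\{name}\\Parameters".lower(), {})
        if "servicedll" in params:
            dlls[name] = params["servicedll"][1]
    basenames = {ntpath.basename(p).lower() for p in dlls.values()}
    run_hits = []
    for key in RUN_KEYS:  # rundll32 autostart entries that reload that DLL
        for vname, (_, data) in reg.get(key.lower(), {}).items():
            cmd = data.lower() if isinstance(data, str) else ""
            if cmd.startswith("rundll32.exe") and any(b in cmd for b in basenames):
                run_hits.append((key, vname, data))
    policy = reg.get(POLICY_KEY.lower(), {}).get("nodrivetypeautorun", (None, None))[1]
    return {"unknown_netsvcs": unknown, "service_dlls": dlls, "run_entries": run_hits,
            "autorun_disabled": policy == 0xFF}  # 0xff is what the reg.exe command above sets
```

On a real case, run `reg export` for the four keys on the suspect machine, concatenate the files, and feed the text to parse_reg_export; a name flagged as unknown still needs to be confirmed against the service's description and binary before its entry is removed.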
Log on to the system by using a local account.

Important Do not log on to the system by using a Domain account, if it is possible. Especially, do not log on by using a Domain Admin account. The malware impersonates the logged on user and accesses network resources by using the logged on user credentials. This behavior allows the malware to spread.
Stop the Server service. This removes the Admin shares from the system so that the malware cannot spread by using this method.

Note The Server service should only be disabled temporarily while you clean up the malware in your environment. This is especially true on production servers because this step will affect network resource availability. As soon as the environment is cleaned up, the Server service can be re-enabled.

To stop the Server service, use the Services Microsoft Management Console (MMC). To do this, follow these steps: Depending on your system, do the following: In Windows Vista and Windows Server 2008, click Start, type services.msc in the Start Search box, and then click services.msc in the Programs list.
In Windows 2000, Windows XP, and Windows Server 2003, click Start, click Run, type services.msc, and then click OK.
In Windows Vista and Windows Server 2008, click Start, type services.msc in the Start Search box, and then click services.msc in the Programs list.
In Windows 2000, Windows XP, and Windows Server 2003, click Start, click Run, type services.msc, and then click OK.
Double-click Server.
Click Stop.
Select Disabled in the Startup type box.
Click Apply.
Depending on your system, do the following: In Windows Vista and Windows Server 2008, click Start, type services.msc in the Start Search box, and then click services.msc in the Programs list.
In Windows 2000, Windows XP, and Windows Server 2003, click Start, click Run, type services.msc, and then click OK.
In Windows Vista and Windows Server 2008, click Start, type services.msc in the Start Search box, and then click services.msc in the Programs list.
In Windows 2000, Windows XP, and Windows Server 2003, click Start, click Run, type services.msc, and then click OK.
Double-click Server.
Click Stop.
Select Disabled in the Startup type box.
Click Apply.
Remove all AT-created scheduled tasks. To do this, type AT /Delete /Yes at a command prompt.
Stop the Task Scheduler service. To stop the Task Scheduler service in Windows 2000, Windows XP, and Windows Server 2003, use the Services Microsoft Management Console (MMC) or the SC.exe utility.
To stop the Task Scheduler service in Windows Vista or in Windows Server 2008, follow these steps.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
Click Start, type regedit in the Start Search box, and then click regedit.exe in the Programs list.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
In the details pane, right-click the Start DWORD entry, and then click Modify.
In the Value data box, type 4, and then click OK.
Exit Registry Editor, and then restart the computer.
To stop the Task Scheduler service in Windows 2000, Windows XP, and Windows Server 2003, use the Services Microsoft Management Console (MMC) or the SC.exe utility.
To stop the Task Scheduler service in Windows Vista or in Windows Server 2008, follow these steps.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
Click Start, type regedit in the Start Search box, and then click regedit.exe in the Programs list.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
In the details pane, right-click the Start DWORD entry, and then click Modify.
In the Value data box, type 4, and then click OK.
Exit Registry Editor, and then restart the computer.
Download and manually install security update 958644 (MS08-067). For more information, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Note This site may be blocked because of the malware infection. In this scenario, you must download the update from an uninfected computer, and then transfer the update file to the infected system. We recommend that you burn the update to a CD because the burned CD is not writable. Therefore, it cannot be infected. If a recordable CD drive is not available, a removable USB memory drive may be the only way to copy the update to the infected system. If you use a removable drive, be aware that the malware can infect the drive with an Autorun.inf file. After you copy the update to the removable drive, make sure that you change the drive to read-only mode, if the option is available for your device. If read-only mode is available, it is typically enabled by using a physical switch on the device. Then, after you copy the update file to the infected computer, check the removable drive to see whether an Autorun.inf file was written to the drive. If it was, rename the Autorun.inf file to something like Autorun.bad so that it cannot run when the removable drive is connected to a computer.
Reset any Local Admin and Domain Admin passwords to use a new strong password. For more information, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/cc875814.aspx
In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
In the details pane, right-click the netsvcs entry, and then click Modify.
Scroll down to the bottom of the list. If the computer is infected with Conficker.b, a random service name will be listed. For example, in this procedure, we will assume the name of the malware service is "gzqmiijz". Note the name of the malware service. You will need this information later in this procedure.
Delete the line that contains the reference to the malware service. Make sure that you leave a blank line feed under the last legitimate entry that is listed, and then click OK.

Note All the entries in the following list are valid. Do not delete any of these entries. The entry that must be deleted will be a randomly generated name that is the last entry in the list. AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
EventSystem
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Messenger
Netman
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
Sacsvr
Schedule
Seclogon
SENS
Sharedaccess
Themes
TrkWks
TrkSvr
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
wuauserv
BITS
ShellHWDetection
uploadmgr
WmdmPmSN
xmlprov
AeLookupSvc
helpsvc
axyczbfsetg











































Restrict permissions on the SVCHOST registry key so that it cannot be written to again. To do this, follow these steps.

NotesYou must restore the default permissions after the environment has been fully cleaned.
In Windows 2000, you must use Regedt32 to set registry permissions.
In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
Right-click the Svchost subkey, and then click Permissions.
In the Permissions Entry for SvcHost dialog box, click Advanced.
In the Advanced dialog box, click Add.
In the Select User, Computer or Group dialog box, type everyone, and then click Check Names.
Click OK.
In the Permissions Entry for SvcHost dialog box, select This key only in the Apply onto list, and then click to select the Deny check box for the Set Value permission entry.
Click OK two times.
Click Yes when you receive the Security warning prompt.
Click OK.
You must restore the default permissions after the environment has been fully cleaned.
In Windows 2000, you must use Regedt32 to set registry permissions.
In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
Right-click the Svchost subkey, and then click Permissions.
In the Permissions Entry for SvcHost dialog box, click Advanced.
In the Advanced dialog box, click Add.
In the Select User, Computer or Group dialog box, type everyone, and then click Check Names.
Click OK.
In the Permissions Entry for SvcHost dialog box, select This key only in the Apply onto list, and then click to select the Deny check box for the Set Value permission entry.
Click OK two times.
Click Yes when you receive the Security warning prompt.
Click OK.
In a previous procedure, you noted the name of the malware service. In our example, the name of the malware entry was "gzqmiijz". Using this information, follow these steps: In Registry Editor, locate and then click the following registry subkey, where BadServiceName is the name of the malware service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BadServiceName
For example, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gzqmiijz
Right-click the subkey in the navigation pane for the malware service name, and then click Permissions.
In the Permissions Entry for SvcHost dialog box, click Advanced.
In the Advanced Security Settings dialog box, click to select both of the following check boxes:
Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here.

Replace permission entries on all child objects with entries shown here that apply to child objects
In Registry Editor, locate and then click the following registry subkey, where BadServiceName is the name of the malware service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BadServiceName
For example, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gzqmiijz
Right-click the subkey in the navigation pane for the malware service name, and then click Permissions.
In the Permissions Entry for SvcHost dialog box, click Advanced.
In the Advanced Security Settings dialog box, click to select both of the following check boxes:
Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here.

Replace permission entries on all child objects with entries shown here that apply to child objects
Press F5 to update Registry Editor. In the details pane, you can now see and edit the malware DLL that loads as "ServiceDll" To do this, follow these steps: Double-click the ServiceDll entry.
Note the path of the referenced DLL. You will need this information later in this procedure. For example, the path of the referenced DLL may resemble the following: %SystemRoot%\System32\emzlqqd.dll
%SystemRoot%\System32\emzlqqd.dll
Rename the reference to resemble the following: %SystemRoot%\System32\emzlqqd.old

Click OK.
Double-click the ServiceDll entry.
Note the path of the referenced DLL. You will need this information later in this procedure. For example, the path of the referenced DLL may resemble the following: %SystemRoot%\System32\emzlqqd.dll
%SystemRoot%\System32\emzlqqd.dll
Rename the reference to resemble the following: %SystemRoot%\System32\emzlqqd.old

Click OK.
Remove the malware service entry from the Run subkey in the registry. In Registry Editor, locate and then click the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In both subkeys, locate any entry that begins with "rundll32.exe" and also references the malware DLL that loads as "ServiceDll" that you identified in step 13b. Delete the entry.
Exit Registry Editor, and then restart the computer.
In Registry Editor, locate and then click the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In both subkeys, locate any entry that begins with "rundll32.exe" and also references the malware DLL that loads as "ServiceDll" that you identified in step 13b. Delete the entry.
Exit Registry Editor, and then restart the computer.
Check for Autorun.inf files on any drives on the system. Use Notepad to open each file, and then verify that is a valid Autorun.inf file. The following is an example of a typical valid Autorun.inf file. [autorun]

shellexecute=Servers\splash.hta *DVD*

icon=Servers\autorun.ico
[autorun]

shellexecute=Servers\splash.hta *DVD*

icon=Servers\autorun.ico
[autorun]

shellexecute=Servers\splash.hta *DVD*

icon=Servers\autorun.ico
[autorun]

shellexecute=Servers\splash.hta *DVD*

icon=Servers\autorun.ico
A valid Autorun.inf is typically 1 to 2 kilobytes (KB).
Delete any Autorun.inf files that do not seem to be valid.
Restart the computer.
Make hidden files visible. To do this, type the following command at a command prompt:
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 0x1 /f
Set Show hidden files and folders so you can see the file. To do this, follow these steps: In step 13b, you noted the path of the referenced DLL file for the malware. For example, you noted a path that resembles the following:
%systemroot%\System32\emzlqqd.dll
In Windows Explorer, open the %systemroot%\System32 directory, or the directory that contains the malware.
Click Tools, and then click Folder Options.
Click the View tab.
Select the Show hidden files and folders check box.
Click OK.
In step 13b, you noted the path of the referenced DLL file for the malware. For example, you noted a path that resembles the following:
%systemroot%\System32\emzlqqd.dll
In Windows Explorer, open the %systemroot%\System32 directory, or the directory that contains the malware.
Click Tools, and then click Folder Options.
Click the View tab.
Select the Show hidden files and folders check box.
Click OK.
Select the DLL file.
Edit the permissions on the file to add Full Control for Everyone. To do this, follow these steps: Right-click the DLL file, and then click Properties.
Click the Security tab.
Click Everyone, and then click to select the Full Control check box in the Allow column.
Click OK.
Right-click the DLL file, and then click Properties.
Click the Security tab.
Click Everyone, and then click to select the Full Control check box in the Allow column.
Click OK.
Delete the referenced DLL file for the malware. For example, delete the %systemroot%\System32\emzlqqd.dll file.
Enable the BITS, Automatic Updates, Error Reporting, and Windows Defender services by using the Services Microsoft Management Console (MMC).
Turn off Autorun to help reduce the effect of any reinfection. To do this, follow these steps:
Depending on your system, install one of the following updates:
If you are running Windows 2000, Windows XP, or Windows Server 2003, install update 967715. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
967715 How to correct "disable Autorun registry key" enforcement in Windows
If you are running Windows Vista or Windows Server 2008, install security update 950582. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
950582 MS08-038: Vulnerability in Windows Explorer could allow remote code execution
Note Update 953252 and security update 950582 are not related to this malware issue. They must be installed so that the registry setting in the next step actually takes effect; without them Windows still honours Autorun.inf in some cases even when the key is set.
Type the following command at a command prompt:
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
If the system is running Windows Defender, re-enable the Windows Defender autostart location. To do this, type the following command at the command prompt:
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe -hide" /f
For Windows Vista and later operating systems, the malware changes the global setting for TCP Receive Window Auto-tuning to disabled. To change this setting back, type the following command at a command prompt:
netsh interface tcp set global autotuning=normal
If, after you complete this procedure, the computer seems to be reinfected, either of the following conditions may be true:
One of the autostart locations was not removed. For example, either the AT job was not removed, or an Autorun.inf file was not removed.
The security update for MS08-067 was installed incorrectly.
This malware may change other settings that are not addressed in this Knowledge Base article. Please visit the following Microsoft Malware Protection Center Web page for the latest details about Win32/Conficker.b:
http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker
Verify that the system is clean
Verify that the following services are started:
Automatic Updates (wuauserv)
Background Intelligent Transfer Service (BITS)
Windows Defender (windefend) (if applicable)
Windows Error Reporting Service (ersvc on Windows XP and Windows Server 2003; wersvc on Windows Vista and later)
To do this, type the following commands at the command prompt. Press ENTER after each command:

Sc.exe query wuauserv
Sc.exe query bits
Sc.exe query windefend
Sc.exe query ersvc (on Windows Vista and later, use Sc.exe query wersvc instead)

After each command runs, you will receive a message that resembles the following:
SERVICE_NAME: wuauserv
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
In this example, "STATE : 4 RUNNING" indicates that the service is running.

To verify the status of the SvcHost registry subkey, follow these steps:
In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
In the details pane, double-click netsvcs, and then review the service names that are listed. Scroll down to the bottom of the list. If the computer is reinfected with Conficker.b, a random service name will be listed. For example, in this procedure, the name of the malware service is "gzqmiijz".
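The re-enable, Autorun and verification steps above are all typed one at a time. The following PowerShell script is an added example, not part of the Microsoft article quoted here, that does them in one pass and adds a triage check the article only describes by hand: it walks every name in netsvcs, resolves its ServiceDll, and flags DLLs that sit in the worm's known drop directories (Internet Explorer, Movie Maker, Windows Media Player, Windows NT under Program Files, listed further down this page), since no legitimate netsvcs service DLL lives there. It assumes an elevated PowerShell 2.0 or later session; the directory heuristic and the output format are this script's own. It does not remove the worm; it only restores settings and reports.

```powershell
# Added example (not from the Microsoft KB article). Assumes an elevated shell.
$services = @('wuauserv', 'bits', 'windefend', 'ersvc', 'wersvc')

# 1. Set the services Conficker disables back to Automatic and start them.
#    ersvc exists on XP/2003, wersvc on Vista and later; whichever is absent is skipped.
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -eq $null) { continue }
    Set-Service -Name $name -StartupType Automatic
    if ($svc.Status -ne 'Running') { Start-Service -Name $name }
}

# 2. Disable AutoRun for every drive type (0xFF), the same key the article sets with reg.exe.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
Set-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

# 3. Verify: print each service's state instead of reading sc.exe output by eye.
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -ne $null) { '{0,-10} {1}' -f $name, $svc.Status }
}

# 4. Audit netsvcs: resolve each entry's Parameters\ServiceDll and flag DLLs in
#    directories that normally hold no service DLL (heuristic chosen for this example).
$suspectDirs = @('Internet Explorer', 'Movie Maker', 'Windows Media Player', 'Windows NT')
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$netsvcs     = (Get-ItemProperty -Path $svchostKey).netsvcs
foreach ($entry in $netsvcs) {
    $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$entry\Parameters"
    $dll = $null
    if (Test-Path $paramKey) {
        $dll = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).ServiceDll
    }
    $flag = ''
    if ($dll) {
        $dir = Split-Path -Parent ([Environment]::ExpandEnvironmentVariables($dll))
        foreach ($s in $suspectDirs) {
            if ($dir -like "*\$s") { $flag = "SUSPECT: service DLL in $dir" }
        }
    }
    '{0,-20} {1,-60} {2}' -f $entry, $dll, $flag
}
```

Entries with no ServiceDll are normal: netsvcs lists services that may not be installed on a given SKU. A flagged entry is a lead, not proof; confirm by checking the DLL's name and timestamp before deleting the service, and remember the worm locks down its own service key, so restore the key's ACL first.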
If these steps do not resolve the issue, contact your antivirus software vendor. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
49500 List of antivirus software vendors
If you do not have an antivirus software vendor, or your antivirus software vendor cannot help, contact Microsoft Consumer Support Services for more help.
After the environment is fully cleaned
After the environment is fully cleaned, do the following:
Re-enable the Server service.
Restore the default permissions on the SVCHOST registry key.
Update the computer by installing any missing security updates. To do this, use Windows Update, Microsoft Windows Server Update Services (WSUS) server, Systems Management Server (SMS), System Center Configuration Manager (SCCM), or your third-party update management product. If you use SMS or SCCM, you must first re-enable the Server service. Otherwise, SMS or SCCM may be unable to update the system.
APPLIES TO
Windows Server 2008 Datacenter without Hyper-V
Windows Server 2008 Enterprise without Hyper-V
Windows Server 2008 for Itanium-Based Systems
Windows Server 2008 Standard without Hyper-V
Windows Server 2008 Datacenter
Windows Server 2008 Enterprise
Windows Server 2008 Standard
Windows Web Server 2008
Windows Vista Service Pack 1, when used with:
Windows Vista Business
Windows Vista Enterprise
Windows Vista Home Basic
Windows Vista Home Premium
Windows Vista Starter
Windows Vista Ultimate
Windows Vista Enterprise 64-bit Edition
Windows Vista Home Basic 64-bit Edition
Windows Vista Home Premium 64-bit Edition
Windows Vista Ultimate 64-bit Edition
Windows Vista Business 64-bit Edition
Microsoft Windows Server 2003 Service Pack 1, when used with:
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Web Edition
Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
Microsoft Windows Server 2003, Datacenter x64 Edition
Microsoft Windows Server 2003, Enterprise x64 Edition
Microsoft Windows Server 2003, Standard x64 Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 2, when used with:
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Web Edition
Microsoft Windows Server 2003, Datacenter x64 Edition
Microsoft Windows Server 2003, Enterprise x64 Edition
Microsoft Windows Server 2003, Standard x64 Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
Microsoft Windows XP Service Pack 2, when used with:
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
Microsoft Windows XP Service Pack 3, when used with:
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
Microsoft Windows 2000 Service Pack 4, when used with:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional Edition
Microsoft Windows 2000 Server

Aliases
Worm:Win32/Conficker.A (Microsoft)
Crypt.AVL (AVG)
Mal/Conficker-A (Sophos)
Trojan.Win32.Pakes.lxf (F-Secure)
Trojan.Win32.Pakes.lxf (Kaspersky)
W32.Downadup (Symantec)
Worm:Win32/Conficker.B (Microsoft)
WORM_DOWNAD.A (Trend Micro)

Characteristics -


----Update on March 10, 2009---

The risk assessment of this threat has been updated to Low-Profiled due to media attention at

http://www.thetechherald.com/article.php/200911/3157/Conficker-Worm-fighting-back-a-new-variant-discovered-disables-security-measures

A new variant of W32/Conficker.worm has been seen spreading. It copies itself to the following paths:
%Sysdir%\[Random].dll
%Program Files%\Internet Explorer\[Random].dll
%Program Files%\Movie Maker\[Random].dll
%Program Files%\Windows Media Player\[Random].dll
%Program Files%\Windows NT\[Random].dll

It disables the following services:
WerSvc
ERSvc
BITS
wuauserv
WinDefend
wscsvc

It hooks the following functions in dnsapi.dll:
Query_Main
DnsQuery_W
DnsQuery_UTF8
DnsQuery_A

It hooks the following functions in ws2_32.dll:
sendto

The worm deletes the following registry key to disable restarting in safe mode:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

It deletes the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender

It terminates any process whose name contains one of the following strings:
wireshark
unlocker
tcpview
sysclean
scct_
regmon
procmon
procexp
ms08-06
mrtstub
mrt.
mbsa.
klwk
kido
kb958
kb890
hotfix
gmer
filemon
downad
confick
avenger
autoruns

To block users' access to security-related sites, it prevents network access to any domain whose name contains one of the following strings:
windowsupdate
wilderssecurity
virus
virscan
trojan
trendmicro
threatexpert
threat
technet
symantec
sunbelt
spyware
spamhaus
sophos
secureworks
securecomputing
safety.live
rootkit
rising
removal
quickheal
ptsecurity
prevx
pctools
panda
onecare
norton
norman
nod32
networkassociates
mtc.sri
msmvps
msftncsi
mirage
microsoft
mcafee
malware
kaspersky
k7computing
jotti
ikarus
hauri
hacksoft
hackerwatch
grisoft
gdata
freeav
free-av
fortinet
f-secure
f-prot
ewido
etrust
eset
esafe
emsisoft
dslreports
drweb
defender
cyber-ta
cpsecure
conficker
computerassociates
comodo
clamav
centralcommand
ccollomb
castlecops
bothunter
avira
avgate
avast
arcabit
antivir
anti-
ahnlab
agnitum
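Because the filter above is a plain substring match applied inside the hooked DNS functions, an infected machine shows a very distinctive pattern: names containing any of those strings fail to resolve while unrelated names still do. The following PowerShell self-test is an added example, not from the threat description, that probes for that pattern. The probe hostnames and the control name are this script's own choices (each probe contains one of the listed strings), and it needs a working Internet connection to mean anything.

```powershell
# Added example, not part of the vendor write-up. Probes chosen for this script.
$blockedStrings = @('microsoft', 'symantec', 'kaspersky', 'f-secure', 'sophos', 'virus')
$probeNames  = @('www.microsoft.com', 'www.symantec.com', 'www.kaspersky.com',
                 'www.f-secure.com', 'www.sophos.com')
$controlName = 'www.example.com'   # contains none of the filtered strings

function Test-Resolves([string]$name) {
    try {
        [void][System.Net.Dns]::GetHostAddresses($name)
        return $true
    } catch {
        return $false
    }
}

# Which filtered substring a hostname would trip (mirrors the worm's matching rule).
function Get-MatchedString([string]$name) {
    $lower = $name.ToLower()
    foreach ($s in $blockedStrings) {
        if ($lower.Contains($s)) { return $s }
    }
    return ''
}

$controlOk = Test-Resolves $controlName
$failed = @()
foreach ($n in $probeNames) {
    $ok = Test-Resolves $n
    $state = if ($ok) { 'resolved' } else { 'FAILED' }
    '{0,-22} {1,-9} matches "{2}"' -f $n, $state, (Get-MatchedString $n)
    if (-not $ok) { $failed += $n }
}

if (-not $controlOk) {
    'Control name did not resolve: DNS itself is unavailable, result inconclusive.'
} elseif ($failed.Count -eq $probeNames.Count) {
    'Every security-vendor name failed while the control resolved: matches the Conficker DNS-filter symptom.'
} elseif ($failed.Count -gt 0) {
    'Some probes failed: check those names by hand before drawing a conclusion.'
} else {
    'All probes resolved: the DNS-filter symptom is not present from this process.'
}
```

The hook is applied in memory to the processes the worm has patched, so a test run from a freshly started PowerShell can pass while the browser on the same machine still cannot reach any vendor site; treat that mismatch as suspicious rather than as a clean result.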

The latest Conficker is known to generate 50,000 domain names per day using its own generator algorithm. The following is its disassembly snapshot (screenshot not reproduced here).


One of 116 different suffixes is appended to each generated name; for example:
com.ve
com.uy
com.ua
com.tw
com.tt
com.tr
com.sv
com.py
com.pt
com.pr
com.pe
com.pa
com.ni
com.ng
com.mx
com.mt
com.lc
com.ki
com.jm
com.hn
com.gt
com.gl
com.gh
com.fj
com.do
com.co
com.bs
com.br
com.bo
com.ar
com.ai
com.ag
co.za
co.vi
co.uk
co.ug
co.nz
co.kr
co.ke
co.il
co.id
co.cr

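The point of a date-seeded generator like the one described above is that every bot computes the same list on the same day, so the operators need to register only one of the 50,000 names, and defenders who have recovered the algorithm can compute the list ahead of time and register or sinkhole it first. The PowerShell below is an added example, not Conficker's real algorithm (which this page shows only as a screenshot): a deliberately simple SHA-256-based generator over a few of the suffixes listed above, followed by the defender-side step of precomputing tomorrow's set and matching queried names against it. The seed string, label lengths, domain count and sample queries are all this script's own.

```powershell
# Added example: a toy date-seeded DGA, not the worm's actual generator.
$suffixes = @('com.ve', 'com.uy', 'com.ua', 'com.tw', 'co.uk', 'co.nz', 'co.kr', 'co.za')

function Get-DgaDomains([datetime]$date, [int]$count, [string]$seed = 'toy-seed') {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $domains = New-Object 'System.Collections.Generic.List[string]'
    for ($i = 0; $i -lt $count; $i++) {
        # Deterministic input: seed + calendar day + index. Same day => same list on
        # every bot, which is exactly what makes precomputation possible.
        $material = '{0}|{1:yyyy-MM-dd}|{2}' -f $seed, $date, $i
        $hash  = $sha.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($material))
        $len   = 5 + ($hash[0] % 6)                                   # label length 5..10
        $label = -join (1..$len | ForEach-Object { [char](97 + ($hash[$_] % 26)) })
        $suffix = $suffixes[$hash[31] % $suffixes.Count]
        $domains.Add("$label.$suffix")
    }
    return $domains
}

# Defender side: compute tomorrow's set once, then check DNS queries against it.
$tomorrow  = (Get-Date).Date.AddDays(1)
$blocklist = New-Object 'System.Collections.Generic.HashSet[string]'
Get-DgaDomains $tomorrow 50 | ForEach-Object { [void]$blocklist.Add($_) }

function Test-DgaQuery([string]$qname) { return $blocklist.Contains($qname.ToLower()) }

# Constructed sample queries: one name from the precomputed set, one ordinary name.
$samples = @(($blocklist | Select-Object -First 1), 'www.example.com')
foreach ($q in $samples) {
    $verdict = if (Test-DgaQuery $q) { 'DGA match: block or sinkhole' } else { 'ok' }
    '{0,-24} {1}' -f $q, $verdict
}
```

With the real algorithm the same loop runs over 50,000 names and 116 suffixes, which is why the registry operators listed under Response below had to be part of the effort: blocking by name only works if someone can register every candidate before the bots look it up.
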
-------------------------------------------------------------

When executed, the worm copies itself using a random name to the %Sysdir% folder.

(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)

It modifies the following registry keys to create a randomly named service on the affected system:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs

Attempts connections to one or more of the following websites to obtain the public IP address of the affected computer:
hxxp://www.getmyip.org
hxxp://getmyip.co.uk
hxxp://checkip.dyndns.org
hxxp://whatsmyipaddress.com

Attempts to download a malware file from the remote website: (Rogue Russian site is up but not serving file anymore)
hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe

Starts an HTTP server on a random port on the infected machine to host a copy of the worm.

Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer connects back to the HTTP server and downloads a copy of the worm.

Later variants of W32/Conficker.worm use scheduled tasks and an Autorun.inf file to replicate onto non-vulnerable systems or to reinfect previously infected systems after they have been cleaned.

Symptoms -


The symptoms of this detection are the files, registry changes, and network communication referenced in the Characteristics section.

Users being locked out of directory

Access to admin shares denied

Scheduled tasks being created

Access to security related web sites is blocked.


Method of Infection -


This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate.

Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning.

Upon detection of this worm the system should be rebooted to clean memory correctly. This may require more than one reboot.

Scheduled tasks have been seen to be created on the system to re-activate the worm.

Autorun.inf files have been seen to be used to re-activate the worm.

Removal -


Users infected by W32/Conficker.worm should perform an On Demand Scan to remove remnants of the worm in memory using the latest DATs.

Upon detection of W32/Conficker!mem and a reboot, the W32/Conficker.worm malware components will be removed.


The Conficker worm is back with a vengeance, infecting over one million systems in the past 24 hours. The refined version of this malware scans networks for weakly protected machines and actively attempts to spread itself via USB thumb drives. Neither feature was present in the original version, and so far, the attack is working.


It has been over a month since we heard much about Conficker, but the worm has reappeared with a vengeance over the past seven days. According to Finnish security company F-Secure, more than one million PCs have been infected with the worm (also known as Kido or Downadup) in the past 24 hours, with a total of 3.52 million machines infected worldwide. According to F-Secure, that 3.52 million is a conservative estimate.

The problem isn't so much with the older version of Conficker (now known as Conficker.A) but with a new flavor, dubbed Conficker.B. Ars spoke with Roger Halbheer, Chief Security Advisor of Microsoft's EMEA (Europe, Middle East, and Africa); he has been monitoring (and writing about) the current spread of infections. The skyrocketing infection rate is actually being caused by several factors; Roger describes Conficker.B as a "beast," and Microsoft has built a diagram (not reproduced here) to demonstrate how the worm functions.

Once run or given access to an unprotected machine, Conficker.B begins searching for other systems or shares within the local network that it can infect. Shared systems, removable drives, or unpatched systems are all eligible targets, as are machines with weak passwords. This last bit is an important new feature of Conficker.B; a complete list of the passwords it checks for can be found here. If Conficker.B manages to successfully guess a password, it moves in and continues hunting for new targets. Microsoft summarizes the new strain as follows:
Worm:Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.

Roger confirmed that the Malicious Software Removal Tool (MSRT) has checked for and removed Conficker.B since December 29, 2008, but it's not possible to access any Microsoft website once Conficker.B has infected a system; the worm blocks access to multiple domains based on string identification. If you've got a system that's infected, you'll need to download the latest MSRT from Microsoft on a clean system and run it manually.

Not all AV scanners currently detect Conficker.B, even if they've been updated to detect Conficker.A—I don't have a list of specific solutions that can't currently catch the new worm, but all of Microsoft's antimalware/antivirus products—Forefront, OneCare, and the Online Safety Scanner—will find Conficker.B if it's present (and you somehow haven't noticed). If there's a scrap of good news in all this, it's that Conficker.B is not a subtle worm.

Roger has provided some additional coverage on the worm that may be useful. First and foremost, he recommends installing MS08-067—this will not remove an existing infection, but it will guard against attack from either version of the agent, provided you aren't using weak passwords.

When Conficker.A first appeared, we raised the question of whether or not Microsoft should force updates in certain situations, and what those situations might be. In this case, even unilaterally enforced updates wouldn't solve the problem of weak passwords, but it would have undoubtedly cut the number of new infections we are seeing today. The size of that reduction would be the point on which the value of forced updates would turn, and of course, that's the one thing we can't predict; there are holes in existing AV products that would allow Conficker.B through, and the worm will attack and infect machines using weak passwords. Depending on how you view the situation; this second strain could reinforce the need for mandatory updates or blow a hole in the argument.

Part of the reason for the problem, however, must inevitably come back upon the users, IT administrators, or managers that opted not to install the patch. As Roger writes: "If you decide not to roll out a security update which is so critical that we decide to go out of band, you play Russian Roulette with your network...The same is actually true if you do not run and maintain an appropriate Anti-Malware solution...Now, if we look at Conficker.B: This is really an ugly beast: You need just one infected machine in your network in order to have it spread across your network fast and aggressively. You can get it even through a USB-stick...it just needs one unpatched/infected machine."

Indeed. Based on the characteristics of a worm such as this, even mandatory updates would only be one facet of prevention.

Conficker wikipedia Gist

28Mar

Conficker, which is also known by names such as Kido, Downadup and Downup, was first analysed and seen in October 2008, when researchers found that the worm exploits a known vulnerability in the Windows Server service and attacks only Windows operating systems: Windows 2000, XP, Vista, Windows Server 2008 and also the newly released Windows 7 beta. As of today it has infected 10 million computers, including PCs on corporate intranets. It has been confirmed that since October it was only installing itself on machines and spreading by scanning for weak or compromised servers.
But now it has also been confirmed that on April 1, 2009 it will look for further instructions: it will begin checking the domains it generates for a payload to download on that date.
HENCE THE COUNTDOWN.

The Payload
The "A" variant of Conficker creates an HTTP server on a random port between 1024 and 10000. If the remote machine is exploited successfully, the victim connects back to that HTTP server and downloads a copy of the worm. It also resets System Restore points and downloads files to the target computer. The other variants are said to carry a payload that will activate on April 1.


Symptoms of infection
Account lockout policies being reset automatically.
Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services are automatically disabled.
Domain controllers respond slowly to client requests.
The local network becomes unusually congested. This can be checked with the network traffic chart in Windows Task Manager.
Websites related to antivirus software and Windows updates cannot be accessed.
Launches a brute force dictionary attack against administrator passwords to help it spread through ADMIN$ shares, making choice of sensible passwords advisable.


Impact

Experts say it is the worst infection since the SQL Slammer.[14] Estimates of the number of computers infected range from almost 9 million PCs[15][16] to 15 million computers.

Another antivirus software vendor, Panda Security, reported that of the 2 million computers analyzed through ActiveScan, around 115,000 (6%) were infected with this malware.

The potential scale of infection is large because 30 percent of Windows computers do not have the Microsoft Windows patch released in October 2008 to block this vulnerability.

The U.K. Ministry of Defence reported that some of its major systems and desktops were infected. The worm spread across administrative offices and NavyStar/N* desktops aboard various Royal Navy warships and submarines. Hospitals across the city of Sheffield reported infection of over 800 computers.

On February 1, 2009, schools in the town of Rochdale, England were infected. The virus spread to 13 schools and is estimated to have infected 7,500 computers.

On February 6, 2009, the computers used by the Houston Municipal Courts were infected with Conficker. How the virus got into the system is unknown.

On February 13, the Bundeswehr reported that several hundred of its computers were infected.

On March 27, 2009, the British Director of Parliamentary ICT released a (leaked) memo stating that the House of Commons computer network had been infected with the virus, and called for everyone with access to the network to use caution and not to connect any unauthorized equipment to it.


Response

On February 12, 2009, Microsoft announced the formation of a technology industry collaboration to combat the effects of Conficker. Organizations involved in this collaborative effort include Microsoft, Afilias, ICANN, Neustar, Verisign, CNNIC, Public Internet Registry, Global Domains International, Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks and Support Intelligence.

As of February 13, 2009, Microsoft is offering a $250,000 USD reward for information leading to the arrest and conviction of the individuals behind the creation and/or distribution of Conficker.


Patching and removal


On 15 October 2008 Microsoft released a patch (MS08-067) to fix the vulnerability. Removal tools are available from Microsoft, BitDefender, ESET, Symantec, Sophos, and Kaspersky Lab, while McAfee and AVG can remove it with an on-demand scan. While Microsoft has released patches for Windows XP Service Packs 2 and 3, Windows 2000 SP4 and Vista, it has not released any patch for Windows XP Service Pack 1 or earlier versions (excluding Windows 2000 SP4), as the support period for these service packs has expired. Since the virus can spread via USB drives that trigger AutoRun, disabling the AutoRun feature for external media (by modifying the Windows Registry) is recommended.[39] However, the United States Computer Emergency Readiness Team describes Microsoft's guidelines on disabling Autorun as "not fully effective" and provides its own guide. Microsoft has released a removal guide for the worm via the Microsoft website.

Also, on March 16, 2009, BitDefender released an updated tool to remove the Downadup/Conficker worm, hosted on a new domain ("bdtools.net") that the malicious code does not block. It also comes as a separate installer for network administrators, so the scanner can be deployed across a network to remotely scan and disinfect workstations.