Wednesday, July 29, 2009

Conficker: Easy cleaning steps

Hi guys,

Was at a client recently and found they've got a huge collection of the conficker worm residing around their network and causing mayhem.

I am actually quite surprise that some big brand AV products didn't quite do the job :(

It is important to know, if your network suddenly face these symptoms:
  1. Disable access to certain sites including Microsoft, known Antivirus sites
  2. Creates a lot of traffic on your network
  3. Makes domain controllers slow to respond
  4. Force account lockouts on domain computers
  5. Many other stuff (depending on the variant)
These symptoms could be due to Conficker. It could be already residing dormant and your antivirus could suddenly prompt a virus detected every once in a while.

Okay, this is meant to quickly get you started on the removal process. It's not meant to replace the extensive guide posted on Microsoft's website, but it's a summary of things you should immediately do/work on.

These are steps i took to fix problems quickly on a notebook and i've asked the client to do them on all workstations (which is something you need to do too..:) )...

  1. Perform Windows Update. http://windowsupdate.microsoft.com . Get service packs if needed. Run windows update at least twice.

    a. If you do not want to run Windows update, just get this patch: http://support.microsoft.com/kb/958644 the patch from the MS08-067.

    b. Download and install this KB patch http://support.microsoft.com/kb/967715/ .Look under the “Prerequisites to disable Autorun capabilities” section and download according to your system. Without this patch, some computers may not be able to disable network autorun function which the virus can propagate. Now, go ahead and disable autorun via GPO/manually like described in that article.

  2. Download and install (the free version). http://www.malwarebytes.org/mbam-download.php
    a. Close all running applications include browsers etc.
    b. Install the software
    c. Update the database (as instructed during setup)
    d. Run the scan (as instructed during setup)
Performing the above does not permanantly fix the problem, you still need to get your antivirus installed/updated to the latest if you've not already done so.

Also, to prevent further reinfection/propagation, do these for the time being;
  1. Stop the Task Schedular service in all your Windows machines. (this service allows you to automate processes based on time, such as windows backup. It is safe to remove them on workstations under the assumption that automated running programs are not needed on desktop levels)
  2. Stop the Server service on desktops (not server). The server service allows it to share files accross the network. To access shared files, is the Workstation service. Just stop the server service for the time being until you've got the network sorted out.
  3. Start scanning like the steps above.
The above should already sort you out quite a bit. After you've got the situation under control. Now, get those updates in place for both OS and AV.

No comments: