Malicious Software Removal Tool removes Win32/Conficker.B

  • Article

Hi All,

We’re seeing an increasing trend globally in the number of infections of the Conficker.B worm. The update released today for the MSRT will remove and clean. If you haven’t deployed MS08-067, please ensure you clean and deploy this patch as soon as possible!

Symptoms to help you determine if you are infected with Conficker

- Domain Controllers are being hammered

- Network congestion

- Sluggish client behavior

- If account lockout policy is in use, we may see some domain accounts keep locking out

- If account lockout policy is not in use, we may see the LSASS.EXE process high CPU on the domain controller (DC)

- On the infected clients, we may see the following services are disabled:

Windows Update Service
Background Intelligent Transfer Service
Windows Defender
Windows Error Reporting Services

- Users may not be able to access Microsoft website or some other antivirus software vendor’s websites from the infected clients.

- Previous saved system restore points may have been removed

How to verify if my computer is infected by Conficker.B?

- If there are recent account lockout incidents in your company environment, you should pay attentions to this worm.

- If the system is infected by Conficker.B, the virus will add a random service name to the bottom line of the netsvcs value.

We can also check the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs

Steps to help you recover

Patch and clean – on all the clients and servers and review the following information on weak passwords

· Weak Password and Lockout policy information

· Passgen is a tool that allows you to reset local passwords on large blocks of systems:
https://blogs.technet.com/steriley/archive/2008/09/29/passgen-tool-from-my-book.aspx

- Keep the antivirus software up to date and then scan the systems

- Change user passwords on infected machines  Also apply strong password policy in the domain

- Pay attention to USB drives and mapped network drives, perform full antivirus scan on those drives if possible.

- On the firewall or proxy server, block any URL requests contain a string “search?q=%d”

- Set the Automatic Updates service and Background Intelligent Transfer Service service to Automatic in domain group policy

Malware Removal

1.  The updated MSRT is now live; however you must remember that conficker breaks automatic updates, so these references will be useful should you need to undertake a  manual download.

KB890830 - The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000

KB891716 -  Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment

2. Forefront Client Security / OneCare

3. Alternative Antivirus Product from other vendors

4. Manual Cleanup - This template supplies the manual cleanup steps and a script

See these blog posts for additional resources

https://www.microsoft.com/security/portal/Entry.aspx?name=Worm%3aWin32%2fConficker.B

https://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx

https://blogs.technet.com/mmpc/archive/2008/12/31/just-in-time-for-new-years.aspx

Nick.