We’re seeing an increasing trend globally in the number of infections of the Conficker.B worm. The update released today for the Malicious Software Removal Tool (MSRT) detects and removes it. If you haven’t deployed MS08-067, please make sure you clean the affected systems and deploy this patch as soon as possible!
Symptoms to help you determine if you are infected with Conficker
– Domain controllers are under unusually heavy load
– Network congestion
– Sluggish client behavior
– If an account lockout policy is in use, some domain accounts keep being locked out
– If no account lockout policy is in use, the LSASS.EXE process may consume high CPU on the domain controller (DC)
– On the infected clients, the following services may be disabled:
Windows Update Service
Background Intelligent Transfer Service
Windows Error Reporting Service
– Users may not be able to reach the Microsoft website or the websites of some other antivirus vendors from the infected clients.
– Previously saved system restore points may have been removed
How do I verify whether my computer is infected by Conficker.B?
– If there have been recent account lockout incidents in your company environment, you should pay attention to this worm.
– If the system is infected by Conficker.B, the worm adds a randomly named service as the last entry of the netsvcs value.
We can also check the following registry value:
Steps to help you recover
Patch and clean – all clients and servers – and review the following information on weak passwords:
· Weak Password and Lockout policy information
· Passgen is a tool that allows you to reset local passwords on large blocks of systems:
– Keep the antivirus software up to date and then scan the systems
– Change user passwords on infected machines. Also apply a strong password policy in the domain.
– Pay attention to USB drives and mapped network drives; perform a full antivirus scan on those drives where possible.
– On the firewall or proxy server, block any URL request containing the string “search?q=%d”
– Set the Automatic Updates service and the Background Intelligent Transfer Service to Automatic in domain group policy
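The two host-side checks above (an unexpected trailing entry in the netsvcs value, and the update services set back to Automatic) can be scripted. The following is an added triage helper, not code from the original post: it assumes the netsvcs value lives under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, uses the service short names wuauserv and BITS, and uses a constructed, deliberately incomplete baseline list that you would replace with an export from a known-clean machine of the same OS build.

```python
from typing import Dict, List, Tuple

# Constructed baseline (illustrative, not complete): export the netsvcs value
# under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost from a clean
# machine of the same OS build and paste it here.
BASELINE_NETSVCS = [
    "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "EventSystem", "helpsvc",
    "LanmanServer", "LanmanWorkstation", "Netman", "Nla", "Rasman", "Schedule",
    "Seclogon", "SENS", "SharedAccess", "Themes", "TrkWks", "W32Time",
    "winmgmt", "wscsvc", "wuauserv", "BITS", "xmlprov",
]
# Services the post says to set back to Automatic via domain group policy.
REQUIRED_AUTOMATIC = {"wuauserv": "Automatic Updates",
                      "BITS": "Background Intelligent Transfer Service"}

def find_unexpected_netsvcs(netsvcs: List[str], baseline: List[str]) -> List[Tuple[int, str, bool]]:
    """(position, name, is_last) for entries absent from the baseline. The post
    says the worm appends its random name last, so a trailing hit is the strongest signal."""
    known = {n.lower() for n in baseline}
    last = len(netsvcs) - 1
    return [(i, n, i == last) for i, n in enumerate(netsvcs) if n.lower() not in known]

def services_not_automatic(start_modes: Dict[str, str]) -> Dict[str, str]:
    """service -> observed start mode, for required services not set to Automatic."""
    out = {}
    for svc in REQUIRED_AUTOMATIC:
        mode = start_modes.get(svc, "missing")
        if not mode.lower().startswith("auto"):  # "Auto", "Automatic", "AUTO_START" all pass
            out[svc] = mode
    return out

def read_host_state() -> Tuple[List[str], Dict[str, str]]:
    """Collect both inputs on a live Windows host; the two checks above run anywhere."""
    import winreg  # Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost") as key:
        netsvcs, _ = winreg.QueryValueEx(key, "netsvcs")  # REG_MULTI_SZ -> list of str
    modes = {}
    for svc in REQUIRED_AUTOMATIC:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SYSTEM\CurrentControlSet\Services\%s" % svc) as key:
            start, _ = winreg.QueryValueEx(key, "Start")  # 2=Auto, 3=Manual, 4=Disabled
        modes[svc] = {2: "Auto", 3: "Manual", 4: "Disabled"}.get(start, str(start))
    return netsvcs, modes

# Constructed sample of an affected host: a made-up random name appended to
# netsvcs, and both update services disabled.
SAMPLE_NETSVCS = BASELINE_NETSVCS + ["bkqhsw"]
SAMPLE_MODES = {"wuauserv": "Disabled", "BITS": "Disabled"}
```

On a live host, run `netsvcs, modes = read_host_state()` and pass the results to `find_unexpected_netsvcs(netsvcs, BASELINE_NETSVCS)` and `services_not_automatic(modes)`; on the constructed sample the first reports the trailing `bkqhsw` entry and the second reports both services as Disabled.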
1. The updated MSRT is now live; however, remember that Conficker breaks Automatic Updates, so the following references will be useful if you need to download it manually.
KB890830 – The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000
KB891716 – Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment
3. Alternative antivirus products from other vendors
4. Manual Cleanup – This template supplies the manual cleanup steps and a script
See these blog posts for additional resources