We’re seeing an increasing trend globally in the number of infections of the Conficker.B worm. The MSRT update released today will remove it and clean infected systems. If you haven’t deployed MS08-067, please clean your systems and deploy this patch as soon as possible!
Symptoms to help you determine if you are infected with Conficker
- Domain Controllers are being hammered
- Network congestion
- Sluggish client behavior
- If an account lockout policy is in use, we may see some domain accounts repeatedly locking out
- If no account lockout policy is in use, we may see high CPU usage by the LSASS.EXE process on the domain controller (DC)
- On the infected clients, we may see the following services disabled:
  - Windows Update Service
  - Background Intelligent Transfer Service
  - Windows Error Reporting Service
- Users may not be able to reach the Microsoft website or some antivirus vendors’ websites from the infected clients.
- Previously saved system restore points may have been removed
How to verify if my computer is infected by Conficker.B?
- If there have been recent account lockout incidents in your company environment, you should pay attention to this worm.
- If the system is infected by Conficker.B, the worm adds a randomly named service as the last entry of the netsvcs value.
We can also check the following registry value:
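One way to run that check from PowerShell, as an added example that is not part of the original post: it reads the netsvcs value (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost), reports any entry absent from a baseline list together with the DLL that service points at, and then reports the start type of the services the post lists as disabled on infected clients. The baseline file path is an assumption; the baseline itself must be captured from a known-clean machine of the same Windows build, because the legitimate contents of netsvcs differ between versions.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the client being checked.

# The netsvcs group that svchost.exe loads; Conficker.B appends a randomly
# named service to the end of this REG_MULTI_SZ value.
$svcHostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$netsvcs    = (Get-ItemProperty -Path $svcHostKey -Name netsvcs).netsvcs

# Baseline captured from a clean machine of the same Windows build (assumed
# path; one service name per line). Do not reuse a baseline across builds.
$baseline = Get-Content -Path 'C:\Baseline\netsvcs-clean.txt'

# Report every netsvcs entry the baseline does not contain, together with the
# DLL its service entry points at, which is the file to submit for scanning.
# The last entry in the list is where Conficker.B puts its own.
foreach ($name in $netsvcs) {
    if ($baseline -notcontains $name) {
        $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
        $dll = $null
        if (Test-Path -Path $paramKey) {
            $dll = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        }
        Write-Output ("Unknown netsvcs entry: {0}  ServiceDll: {1}" -f $name, $dll)
    }
}

# Services the post lists as disabled on infected clients: Windows Update
# (wuauserv), BITS, and Windows Error Reporting (ERSvc on XP/2003, WerSvc on
# Vista and later). A Start value of 4 in the registry means Disabled.
foreach ($svc in @('wuauserv', 'BITS', 'ERSvc', 'WerSvc')) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path -Path $svcKey)) { continue }   # not present on this build
    $start = (Get-ItemProperty -Path $svcKey -Name Start).Start
    if ($start -eq 4) {
        Write-Output ("Service {0} is set to Disabled; expected Automatic" -f $svc)
    }
}
```

An unknown entry on its own is not proof of infection (third-party software also registers netsvcs services), which is why the script prints the ServiceDll path: a DLL with a random name in a system directory, alongside the disabled services, is the pattern to act on.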
Steps to help you recover
Patch and clean – on all the clients and servers – and review the following information on weak passwords:
  - Weak Password and Lockout policy information
  - Passgen, a tool that allows you to reset local passwords on large blocks of systems
- Keep the antivirus software up to date and then scan the systems
- Change user passwords on infected machines, and apply a strong password policy in the domain
- Pay attention to USB drives and mapped network drives; perform a full antivirus scan on those drives if possible.
- On the firewall or proxy server, block any URL request that contains the string “search?q=%d” (where %d stands for a number)
- Set the Automatic Updates service and the Background Intelligent Transfer Service to Automatic in domain group policy
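The proxy-side rule above, turned into a log query, as an added example that is not part of the original post. The %d in the rule is a numeric placeholder, so the thing to match is search?q= followed by digits only, not the literal characters %d; a rule that looks for the literal string will never fire. The log lines below are constructed, in an assumed "client-ip method url status" layout; adapt the field split to your proxy's actual format.

```powershell
# Added example, not from the original post. Constructed sample proxy log
# lines in an assumed "client-ip method url status" layout.
$sampleLog = @(
    '10.1.2.3 GET http://www.example.com/index.html 200',
    '10.1.2.7 GET http://203.0.113.5/search?q=13 200',
    '10.1.2.9 GET http://www.example.com/search?q=conficker+removal 200',
    '10.1.2.7 GET http://198.51.100.8/search?q=1 200',
    '10.1.2.11 GET http://203.0.113.5/search?q=42 403'
)

# "%d" in the post's rule is a numeric placeholder: match "search?q=" followed
# only by digits up to the end of the query string. The third line, an
# ordinary search with a word in q=, is deliberately not matched.
$pattern = 'search\?q=\d+(&|$)'

function Find-ConfickerRequests {
    param([string[]]$Lines)
    $Lines |
        Where-Object { $_ -match $pattern } |
        ForEach-Object {
            $fields = $_ -split '\s+'
            New-Object -TypeName PSObject -Property @{
                Client = $fields[0]
                Url    = $fields[2]
                Status = $fields[3]
            }
        }
}

# Group by client: a host issuing these requests repeatedly is the one to take
# off the network and clean. A 403 status shows the proxy block rule working,
# but the client behind it still needs cleaning.
Find-ConfickerRequests -Lines $sampleLog |
    Group-Object -Property Client |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        $urls = ($_.Group | ForEach-Object { $_.Url }) -join ', '
        "{0}`t{1} request(s)`t{2}" -f $_.Name, $_.Count, $urls
    }
```

On the sample input this lists 10.1.2.7 with two matching requests and 10.1.2.11 with one, and leaves 10.1.2.3 and 10.1.2.9 out. Blocking at the proxy stops the traffic, but the grouped client list is what tells you which machines to clean.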
1. The updated MSRT is now live; however, you must remember that Conficker breaks automatic updates, so these references will be useful should you need to undertake a manual download.
KB890830 - The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000
KB891716 - Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment
3. Alternative Antivirus Product from other vendors
4. Manual Cleanup - This template supplies the manual cleanup steps and a script
See these blog posts for additional resources