Conficker Removal with MSRT

  • Article

1. Symptoms to help you determine if you are infected

· Account lockout policies are being tripped

· Domain Controllers are being hammered

· Network congestion

· Sluggish Client Behavior

2. Steps to help you recover

Patch and clean – apply MS08-067 and review this info on weak passwords

· Weak Password and Lockout policy info

What you should know about strong passwords: https://www.microsoft.com/technet/security/readiness/content/documents/password_tips_for_administrators.doc

https://www.microsoft.com/technet/security/topics/hardsys/tcg/tcgch00.mspx

https://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.asp

https://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx

https://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_tips.asp

Password Best Practices: 
https://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_protect.asp 

  
Accounts Passwords and Lockout Policies:
https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx 
 

Account Lockout and Management Tools:

https://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en

· Passgen is a tool that allows you to reset local passwords on large blocks of systems:
https://blogs.technet.com/steriley/archive/2008/09/29/passgen-tool-from-my-book.aspx

clip_image004

3. Malware Removal

1. MSRT - The updated MSRT will be live Tuesday 13 January; however you must remember that conficker breaks automatic updates, so we will need to also reference these KBs for manual download information and alternate enterprise deployment steps:

KB890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000

https://support.microsoft.com/kb/890830

KB891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment

https://support.microsoft.com/kb/891716

2. FCS/ OneCare

3. Competitive AV

4. Manual Cleanup - This template supplies the manual cleanup steps and a script. (in a separate post)

See these blog posts for additional resources
https://www.microsoft.com/security/portal/Entry.aspx?name=Worm%3aWin32%2fConficker.B

https://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx

https://blogs.technet.com/mmpc/archive/2008/12/31/just-in-time-for-new-years.aspx