Conficker Removal with MSRT


1. Symptoms to help you determine if you are infected


· Account lockout policies are being tripped


· Domain Controllers are being hammered


· Network congestion


· Sluggish Client Behavior


2. Steps to help you recover


Patch and clean – apply MS08-067 and review this info on weak passwords


· Weak Password and Lockout policy info



What you should know about strong passwords: http://www.microsoft.com/technet/security/readiness/content/documents/password_tips_for_administrators.doc

http://www.microsoft.com/technet/security/topics/hardsys/tcg/tcgch00.mspx


http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.asp


http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx


http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_tips.asp


Password Best Practices: 
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_protect.asp 


  
Accounts Passwords and Lockout Policies: 
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
 
 


Account Lockout and Management Tools:
 
http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en


· Passgen is a tool that allows you to reset local passwords on large blocks of systems:
http://blogs.technet.com/steriley/archive/2008/09/29/passgen-tool-from-my-book.aspx


clip_image004


3. Malware Removal


1. MSRT – The updated MSRT will be live Tuesday 13 January; however you must remember that conficker breaks automatic updates, so we will need to also reference these KBs for manual download information and alternate enterprise deployment steps:


KB890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000


http://support.microsoft.com/kb/890830


KB891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment


http://support.microsoft.com/kb/891716


2. FCS/ OneCare


3. Competitive AV


4. Manual Cleanup – This template supplies the manual cleanup steps and a script. (in a separate post)


See these blog posts for additional resources
http://www.microsoft.com/security/portal/Entry.aspx?name=Worm%3aWin32%2fConficker.B


http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx


http://blogs.technet.com/mmpc/archive/2008/12/31/just-in-time-for-new-years.aspx

Comments (0)