Conficker Infection Detection And Removal-1 If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following symptoms: Win32/Conficker.B has multiple propagation methods. These include the following: Therefore, you must be careful when you clean a network so that the threat is not reintroduced to systems that have previously been cleaned. Notes Create a new policy that applies to all computers in a specific organizational unit (OU), site, or domain, as required in your environment. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost This prevents the random named malware service from being created in the netsvcs registry value. a. Open the Group Policy Management Console (GPMC). b. Create a new Group Policy object (GPO). Give it any name that you want. c. Open the new GPO, and then move to the following folder: Computer Configuration\Windows Settings\Security Settings\Registry d. Right-click Registry, and then click Add Key. e. In the Select Registry Key dialog box, expand Machine, and then move to the following folder: Software\Microsoft\Windows NT\CurrentVersion\Svchost f. Click OK. g. In the dialog box that opens, click to clear the Full Control check box for both Administrators and System. h. Click OK. i. In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions. j. Click OK. 2. Set the policy to remove write permissions to the %windir%\tasks folder. This prevents the Conficker malware from creating the Scheduled Tasks that can re-infect the system. . In the same GPO that you created earlier, move to the following folder: Computer Configuration\Windows Settings\Security Settings\File System a. Right-click File System, and then click Add File. b. In the Add a file or folder dialog box, browse to the %windir%\Tasks folder. Make sure that Tasks is highlighted and listed in the Folder: dialog box. c. Click OK. d. In the dialog box that opens, click to clear the check boxes for Full Control, Modify and Write for bothAdministrators and System. e. Click OK. f. In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions. g. Click OK. 3. Set AutoPlay (Autorun) features to disabled. This keeps the Conficker malware from spreading by using the AutoPlay features that are built into Windows. . In the same GPO that you created earlier, move to one of the following folders: § For a Windows Server 2003 domain, move to the following folder: Computer Configuration\Administrative Templates\System § For a Windows 2008 domain, move to the following folder: Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies a. Open the Turn off Autoplay policy. b. In the Turn off Autoplay dialog box, click Enabled. c. In the drop-down menu, click All drives. d. Click OK. 4. Disable the local administrator account. This blocks the Conficker malware from using the brute force password attack against the administrator account on the system. . In the same GPO that you created earlier, move to the following folder: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options a. Open Accounts: Administrator account status. b. In the Accounts: Administrator account status dialog box, click to select the Define this policy check box. c. Click Disabled. d. Click OK. 5. Close the Group Policy Management Console. 6. Link the newly created GPO to the location that you want it to apply to. 7. Allow for enough time for Group Policy to update to all computers. Generally, Group Policy replication takes five minutes to replicate to each domain controller, and then 90 minutes to replicate to the rest of the systems. A couple hours should be enough. However, more time may be required, depending on the environment. 8. After the Group Policy has propagated, clean the systems of malware. . Run full antivirus scans on all computers. a. If your antivirus software does not detect Conficker, you can use the Malicious Software Removal Tool (MSRT) to clean the malware. For more information, visit the following Microsoft Web page: http://www.microsoft.com/security/malwareremove/default.mspx Note You may still have to take some manual steps to clean all the effects of the malware. To clean all the effects that are left behind by the malware, follow the steps that are listed in the "Manual steps to remove the Conficker.b variant" section of this Knowledge Base article. The Microsoft Malware Protection Center has updated the Malicious Software Removal tool (MSRT). This is a stand-alone binary that is useful in the removal of prevalent malicious software, and it can help remove the Win32/Conficker malware family. http://www.update.microsoft.com 891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment Note The Stand-Alone System Sweeper tool will also remove this infection. This tool is available as a component of the Microsoft Desktop Optimization Pack 6.0 or through Customer Service and Support. To obtain the Microsoft Desktop Optimization Pack, visit the following Microsoft Web site: http://www.microsoft.com/windows/enterprise/technologies/mdop.aspx If Windows Live OneCare or Microsoft Forefront Client Security is running on the system, these programs also block the threat before it is installed. source:http://www.microsoft.comStop Conficker from spreading by using Group Policy
To do this, follow these steps:
To do this, follow these steps:
To do this, follow these steps:
To do this, follow these steps:
Note Do not follow this step if you link the GPO to the domain controller's OU because you could disable the domain administrator account. If you have to do this on the domain controllers, create a separate GPO that does not link the GPO to the domain controller's OU, and then link the new separate GPO to the domain controller's OU.
To do this, follow these steps:
To do this, follow these steps:Run the Malicious Software Removal tool
You can download the MSRT from either of the following Microsoft Web sites:
http://support.microsoft.com/kb/890830
For more information about specific deployment details for the MSRT, click the following article number to view the article in the Microsoft Knowledge Base:
1 comments:
April 8, 2009 at 4:07 PM
Hi,
Good article. Sophos' Conficker removal tool can detect and remove all variants of the worm/virus.
As long as people run these tools it should stop any serious outbreak of the worm.
James
Post a Comment