How to Remove Conficker Malware
The Win32/Conficker C worm hit the Net in force on April 1st 2009, although it was first reported to Microsoft in February of that year. Variants D and E, also released into the wild by the end of April 2009, made less of a splash. More variants are forthcoming! Conficker is also known as 'Downadup' and 'Kido.' Microsoft issued critical security updates (patches) in October 2008 to protect machines running Windows 2000, XP, Vista, Server 2003 and Server 2008. Nevertheless, millions of un-patched machines remain vulnerable to these variants, which is what allows Conficker to survive. Conficker B and C also copy files to USB thumb drives as a means of infecting other computers. Conficker exploits a buffer overflow vulnerability in the Windows component responsible for sharing resources, including printers and disks, with other machines on a network. This means it has P2P capability, unlike previous variants. The worm requires no assistance from the user to gain access. Use the following steps to enhance your network security.
Things You'll Need:
* Un-patched computers running Windows 2000, XP, Vista, Windows Server 2003 & 2008.

1. Try rebooting in Safe Mode if you are wondering whether the Win32/Conficker worm has infected your computer. Conficker won't let you do that! If your computer or network has yet to become infected, you can protect your machine(s) against this vulnerability by visiting Microsoft Update and installing all high-priority security patches the scan deems necessary. Un-patched machines with out-dated antivirus software, open shares, removable media or weak network/Administrator passwords make easy targets! If infected, the worm will prevent you from visiting Microsoft Update or any of the major antivirus/antispyware websites. Microsoft recommends trying to access their Microsoft Security Essentials instead.
2. Protect your PC with decent spyware blockers like Avast! and Malwarebytes. Avast! also includes antivirus protection. Malwarebytes includes proactive protection against malicious processes. Both have an assortment of additional features. Best of all, they have free versions! Purchasing a license will unlock additional features in both.
3. Use removal software. The University of Bonn website includes a free set of six containment tools, specially prepared by Felix Leder and Tillmann Werner, members of the Honeynet Project. The page includes the software downloads along with their source code. Future versions of this team's malware removal software will adapt as new variants emerge. One of the tools they developed, called 'Downatool2,' generates the domains used by the Downadup/Conficker A, B and C variants. A Domain Collision tool for Conficker C, pre-computed with all the domain names in advance of the April 2009 release, is used to find collisions between Conficker-generated domains and real domains.
4. Disinfect your computer's memory using 'the Memory Disinfector,' or conciller.exe (formerly named "conficker_mem_killer.exe"), found on the University of Bonn's website.
This program scans the memory of every running process and terminates the infected threads without harming the process itself, which keeps necessary system services from shutting down. It runs in a DOS window.
5. The Conficker A variant used random file names and registry keys to wreak havoc. The B and C variants were not random at all; they based their names on the host name. Regfile_01.exe is used to check for Conficker (B and C) infected DLLs. Variant D, installed by previous versions, differed from them in that it did not spread through removable drives or shared folders. It did, however, relay command instructions via built-in P2P capabilities to other infected computers in a network. Variant E, a timed updater for all previous versions, deleted its own program files on May 3 2009. The English alphabet consisting of 26 letters means at least 21 more possibilities for future threats from the creator of this worm.
6. Run the Python script scs2.py to check for infected machines. Also found on the University of Bonn website, this network scanner distinguishes between infected and clean machines by eliciting a response from the Conficker worm that causes it to give its location away. Lastly, the U. of Bonn's 'Nonficker Vaxination Tool', to put it simply, causes the Conficker worm to believe the machine(s) have already been infected with the latest variant: the worm will ignore machines with this specially coded DLL installed as a system service.
7. Consider an option from another highly recommended company by the name of Sophos. They have a single removal tool, 'Sophos confic-a Cleanup Tool', free for downloading. It requires registering an account, which also provides the optional benefit of future threat notifications as they develop via their 'Naked Security' newsletter. This tool runs in a DOS window.
8. Use the Task Manager to shut down any and all non-essential programs and services before using any of the aforementioned tools. This is not an issue if Conficker did not prevent rebooting into Safe Mode. Conficker hides its activities under the legitimate name 'svchost.exe', making them look like system or local services. Windows requires some of these so-named services to operate, so by shutting down the wrong ones you will cause the computer to shut down as well. This makes removal difficult since, as long as Conficker is active, it can trick detection software into overlooking it.
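Because step 8 depends on telling a genuine service host from an impostor using the same name, the following added example (it is not from this article nor from the Bonn or Sophos tools) maps every svchost.exe process to the services registered to its process ID and flags the instances that either run from outside %SystemRoot%\System32 or host no registered service at all. It assumes Windows PowerShell 3.0 or later (for Get-CimInstance) run from an elevated prompt, which is needed to read the image path of system processes.

```powershell
# Added example, not part of the original article or the tools it names.
# Build a table: PID -> names of the Windows services registered to that PID.
# Assumes PowerShell 3.0+ and an elevated prompt.
$svcByPid = @{}
Get-CimInstance Win32_Service | ForEach-Object {
    if ($_.ProcessId -ne 0) {                       # 0 means the service is not running
        if (-not $svcByPid.ContainsKey($_.ProcessId)) { $svcByPid[$_.ProcessId] = @() }
        $svcByPid[$_.ProcessId] += $_.Name
    }
}

$system32 = Join-Path $env:SystemRoot 'System32'

# Inspect every process that calls itself svchost.exe.
$report = foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
    $hosted = $svcByPid[[uint32]$p.ProcessId]
    $flags  = @()

    # A legitimate service host runs from %SystemRoot%\System32 ...
    if ($p.ExecutablePath -and (Split-Path $p.ExecutablePath -Parent) -ne $system32) {
        $flags += 'not in System32'
    }
    # ... and has at least one service registered to its PID.
    if (-not $hosted) { $flags += 'hosts no registered service' }

    [pscustomobject]@{
        PID      = $p.ProcessId
        Path     = $p.ExecutablePath
        Services = ($hosted -join ', ')
        Flags    = ($flags -join '; ')
    }
}

# Flagged rows are the ones to examine before touching anything in Task Manager;
# unflagged rows list the services Windows would lose if that instance were killed.
$report | Sort-Object PID | Format-Table -AutoSize
```

A flag here is a reason to look closer, not proof of infection; an instance whose Path column is blank simply could not be read without elevation. The Services column is the practical payoff of the script: it tells you exactly which services depend on each instance, which is what the warning in step 8 is about.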
9. Use Notepad to create a simple registry edit which will disable the USB AutoRun feature. This inhibits Conficker's ability to install itself automatically via USB thumb drive, while allowing the user time to run a disinfection program.
Create a New Text Document in your My Documents folder and enter the following exactly as you see it. You may copy/paste these three lines:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Save the text file as StopUSBAuto.txt and close it. Right-click and rename it as StopUSBAuto.reg. This will likely open a pop-up window, titled 'Rename,' which states "If you change a file name extension, the file may become unstable. Are you sure you want to change it?" Select Yes. The icon will change. Right-click on the file and select Merge, then click Yes to complete the edit. If, for some unknown reason, Merge does not appear in your right-click menu, choose Open With and select Registry Editor. Don't worry: this Autorun setting can easily be changed back using Microsoft PowerToys for Windows (Tweak UI).

Tips
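The same change can be applied and verified from PowerShell instead of merging a hand-made .reg file. The script below is an added example, not part of the original article; it writes the identical key and value that StopUSBAuto.reg does, then reads the value back to confirm it took. It assumes Windows PowerShell 3.0 or later run from an elevated prompt (HKLM is not writable otherwise); the function names are the author's own.

```powershell
# Added example, not from the original article. Applies the IniFileMapping
# redirect for Autorun.inf and verifies it. Run elevated; PowerShell 3.0+.

# Same key and value as StopUSBAuto.reg, in PowerShell's HKLM: drive notation.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$value = '@SYS:DoesNotExist'

# Read the key's default value (the "@" entry in a .reg file); $null if absent.
function Get-AutorunInfMapping {
    if (-not (Test-Path $key)) { return $null }
    return (Get-ItemProperty -Path $key).'(default)'
}

# Create the key if needed and set its default value to the redirect.
function Set-AutorunInfMapping {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '(default)' -Value $value
}

$before = Get-AutorunInfMapping
if ($before -eq $value) {
    Write-Output "Autorun.inf is already redirected to a non-existent registry section."
} else {
    Write-Output "Current Autorun.inf mapping: '$before'. Applying the redirect."
    Set-AutorunInfMapping
    $after = Get-AutorunInfMapping
    if ($after -ne $value) { throw "Verification failed: value read back is '$after'." }
    Write-Output "Applied and verified. autorun.inf files will now be treated as empty."
}
```

Why the trick works: an IniFileMapping entry tells Windows to read a file's INI settings from the registry instead of from the file, and "@SYS:DoesNotExist" points every section of autorun.inf at a registry key that does not exist, so each autorun.inf appears empty. Running Get-AutorunInfMapping on its own is a quick audit of whether a machine already has the protection in place.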
* Be sure to include your USB drives in antivirus/antimalware scans.
* If you download any of the tools mentioned above, keep them in a special folder on your computer or burn them to a CD since, as I understand it, once your computer is infected, Conficker will prevent you from accessing USB drives.
* Before you run these removal tools, disable System Restore to keep the worm from reinstalling on reboot. Run the tools again before re-enabling System Restore, just as a precaution.
* Keep your Windows OS software up to date by ensuring Automatic Update is enabled (found in the Control Panel).
* Keep a firewall program running at all times. Windows Firewall does an acceptable job.
* Keep your spyware removal program updated to protect your machine(s).

Warnings
* If you have avast! antispyware/antimalware installed and try to install Microsoft Security Essentials, it will tell you to uninstall avast! to avoid software conflicts and false positives. This does not mean that you cannot run the complete online scan [without installing it]. Just temporarily disable your antivirus scanner to avoid problems.

Copyright 04/01/2009 All Rights Reserved.