[KB2209] Conficker - How do I protect myself?

Problem

There is a vulnerability in the Microsoft operating system that gives rise to the threat posed by the Win32/Conficker worm (Microsoft released a patch for this vulnerability in October 2009). To keep this threat from infecting your Microsoft operating system, you should always keep your computer (and every computer on your network) up to date with the latest updates for your Microsoft Windows operating system. You can always find the latest updates at http://update.microsoft.com/.

To protect yourself against the Conficker worm, follow the instructions in this article, or click the appropriate link to jump directly to the relevant section:

Solution

Preventing infection

A - Download the Microsoft security patches

If you do not want to download all Windows updates but want to make sure that you are at least protected against the Win32/Conficker worm, download and install the patches (KB958644, KB957097 and KB958687) from the following Microsoft Security Bulletins:

 

B - Disable the Autorun and Autoplay features (Windows XP, Windows Vista and Windows 7)

You may want to disable the Autorun and Autoplay features in your Windows system to prevent malware authors from abusing them. USB drives and other removable media, which are processed by the Autorun/Autoplay functionality each time (by default) you connect them to your computer, are currently the most frequently used virus carriers. Microsoft Windows Autorun and Autoplay are features that were originally intended to simplify running CD content by automatically:

(i) executing the Autorun.inf file (and whatever possible malicious instructions it contains) - Autorun vulnerability

(ii) opening a pop-up window with available actions (some of which may be hostile triggers taken over from a malicious Autorun.inf) - Autoplay vulnerability

NOTE:

Some terms used in the steps below may slightly differ, depending on your browser.

  1. If you want to disable Autorun and Autoplay, right-click this link to download the DisableAutorun.reg file and select Save link as...
     
  2. In the Save As window ensure that:

    (i) the Save As Type drop-down menu is set to All files or Registration Entries (*.reg) (or similar, depending on your browser)

    (ii) the File Name field contains the exact name of the registry file (i.e. DisableAutorun.reg)
     
  3. Click Save. Confirm any prompts to save the registry file.
     
  4. Double-click the saved file and confirm adding the registry entry by clicking Yes. Click OK to finish.

Warning:

After importing the downloaded file into your Windows Registry, any Autorun.inf file will be ignored by your system. This disables the Autorun functionality completely; the Autoplay window will still pop up, but it will no longer offer the potentially dangerous options taken from Autorun.inf. Keep in mind that these preventive security measures do not eradicate existing malware infections. We recommend strict caution when opening/executing/clicking any unknown files!

Important!

The downloaded file must be saved with a .reg extension to work properly. If double-clicking the file does not bring up the Registry Editor dialog window, right-click the file icon, select Properties and edit the filename on the General tab to ensure the last four characters of the filename are .reg. Confirm any prompts to save your changes.

NOTE:

We recommend reading the following article for more information about this solution.


B2 - How to re-enable Autorun and Autoplay (Windows XP and Windows Vista)

If you need to undo the changes you made by following the instructions in section B (above), right-click this link to download the ReenableAutorun.reg file and repeat the instructions from section B, this time using the ReenableAutorun.reg file.

Important!

You will need to restart your computer for the changes to take effect.
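The following is an added example and not ESET's DisableAutorun.reg or ReenableAutorun.reg, whose contents this article does not reproduce. It shows, in PowerShell, one registry-based way to get the behaviour sections B and B2 describe: the IniFileMapping method documented by Microsoft redirects every Autorun.inf lookup to a registry key that does not exist, so Autorun.inf files are ignored while Autoplay itself keeps working, and removing the mapping key undoes the change. The key path and value are the documented ones; the function names are chosen here. Run it from an elevated PowerShell session and restart afterwards, as the article says.

```powershell
# Added example, not ESET's .reg files: disable and re-enable Autorun.inf processing
# via the IniFileMapping method. Requires administrative rights; a restart is needed
# for the change to take effect.
$AutorunMappingKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$AutorunMappingValue = '@SYS:DoesNotExist'   # points Windows at a key that never exists

function Disable-AutorunInf {
    # Section B: create the mapping so every Autorun.inf is ignored.
    if (-not (Test-Path $AutorunMappingKey)) {
        New-Item -Path $AutorunMappingKey -Force | Out-Null
    }
    Set-ItemProperty -Path $AutorunMappingKey -Name '(default)' -Value $AutorunMappingValue
}

function Enable-AutorunInf {
    # Section B2: remove the mapping key again to restore default behaviour.
    if (Test-Path $AutorunMappingKey) {
        Remove-Item -Path $AutorunMappingKey -Recurse -Force
    }
}

function Test-AutorunInfDisabled {
    # Returns $true when the mapping is in place, so you can verify the import
    # (or the .reg file from this article) actually took effect.
    if (-not (Test-Path $AutorunMappingKey)) { return $false }
    $current = (Get-ItemProperty -Path $AutorunMappingKey).'(default)'
    return ($current -eq $AutorunMappingValue)
}

# Usage: apply the hardening and confirm it is active.
Disable-AutorunInf
if (Test-AutorunInfDisabled) {
    Write-Host 'Autorun.inf processing is disabled; restart the computer to apply.'
} else {
    Write-Warning 'Mapping key not set; check that the session is elevated.'
}
```

Test-AutorunInfDisabled is also a convenient check to run on each machine after deploying the article's .reg file: it confirms the mapping exists instead of relying on the Registry Editor confirmation prompt alone.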

NOTE:

In addition to downloading and installing the latest security patches, you can take other precautionary measures to reduce the risk of infection. Click here for more strategies to minimize the risk of a malware attack. If you are a network administrator, click here for steps you can take to minimize the risk of an infection on your network.

 

Cleaning steps (single computer)


If you encounter or have encountered the Win32/Conficker malware, a fully updated version of an ESET security product (version 3.0 or later) will clean the infection.

Important!

To avoid re-infecting the operating system, it must be properly patched using all links from section A above.

  1. Disconnect the infected computer from the network and the Internet.
     
  2. Use an uninfected PC to download the respective Windows patches from section A above. Install all patches.

  3. Reset the passwords of your administrator accounts to stronger ones. Note that the infiltration can spread through shared folders.

    (i.) Press CTRL+ALT+DELETE, and then click Change password...

    (ii.) Type your old password, type your new password, type your new password again to confirm it, and then press ENTER.
     
  4. Download the one-off ESET removal tool (again, using an uninfected PC), which removes the worm. If you do not have an ESET security product (3.0 or later) installed, download (using an uninfected PC) and run our free standalone cleaner:
    http://download.eset.com/special/EConfickerRemover.exe
     
  5. Download and install the newest version of your ESET software.
     
 
To verify that the standalone cleaner removed the Conficker threat, rerun the standalone cleaner and then run a scan with your ESET security product.
 
After successfully running the ESET standalone cleaner, we recommend that you read the following Microsoft article for information about important security patches and recommended group changes:

NOTE:

If the ESET standalone cleaner does not fully remove the Conficker threat, the Microsoft article above also contains manual Conficker removal instructions.


 
For maximum protection against future threats, make sure your operating system is patched according to Microsoft's recommendations and that your ESET security product is up to date.

Important!

To find further information on protecting yourself against the Conficker worm please refer to our following Conficker (Update) Blog: http://blog.eset.com/2009/03/28/conficker-removal

Cleaning steps (network)

  1. If you do not wish to download all Windows updates, but want to ensure that you are at least protected against Win32/Conficker threats, download and install the patches (KB958644, KB957097 and KB958687) in the following Microsoft Security Bulletins on all the machines on your network:

    NOTE:

    The patches below are not necessary for Windows 7 or Server 2008 R2, as the vulnerability exploited by Conficker does not exist on these operating systems. However, Microsoft Windows Server 2008 does require the patches below.


  2. Install and update an ESET security solution on all machines:

  3. Change all passwords on the network, as Conficker will use any passwords it has already logged or obtained by brute force.
     
  4. Run the ESET Conficker Removal Tool on each machine:

     
  5. Remove any scheduled tasks that were created by Win32/Conficker by using the following command on the clients:

    at /delete /yes
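Steps 1 to 5 above repeat the patching requirement from section A for every machine on the network, with the caveat that Windows 7 and Server 2008 R2 do not need the three patches while Server 2008 does. The following added example (not ESET's code, and not part of the original article) is a PowerShell check an administrator can run from one management host to report which machines are still missing KB958644, KB957097 or KB958687. It uses Get-HotFix and WMI, which require administrative rights and RPC access to each host; the list of computer names is an assumed input. Windows 7 and Server 2008 R2 both report kernel version 6.1, which is how the script recognises them; Server 2008 reports 6.0 and is checked normally.

```powershell
# Added example, not ESET's code: report which machines on the network still lack
# the Conficker-related hotfixes named in this article. Requires admin rights and
# remote WMI/RPC access to each host listed.
$RequiredHotfixes = @('KB958644', 'KB957097', 'KB958687')

function Test-ConfickerPatches {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [string[]]$Hotfix = $RequiredHotfixes
    )
    foreach ($pc in $ComputerName) {
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $pc -ErrorAction Stop
        } catch {
            Write-Warning "$pc : unreachable ($($_.Exception.Message))"
            continue
        }

        # Windows 7 and Server 2008 R2 report version 6.1 and, per the article, do not
        # need these patches. Server 2008 reports 6.0 and is checked like XP/2003/Vista.
        if ($os.Version -like '6.1.*') {
            New-Object PSObject -Property @{
                Computer = $pc; OS = $os.Caption; Missing = ''; Status = 'NotRequired'
            }
            continue
        }

        $installed = Get-HotFix -ComputerName $pc -ErrorAction SilentlyContinue |
                     Select-Object -ExpandProperty HotFixID
        $missing = @($Hotfix | Where-Object { $installed -notcontains $_ })
        $status  = 'Patched'
        if ($missing.Count -gt 0) { $status = 'Unpatched' }

        New-Object PSObject -Property @{
            Computer = $pc
            OS       = $os.Caption
            Missing  = ($missing -join ', ')
            Status   = $status
        }
    }
}

# Usage: hostnames are assumed placeholders; replace with your own inventory.
Test-ConfickerPatches -ComputerName 'PC01', 'PC02', 'FILESRV01' |
    Select-Object Computer, OS, Status, Missing |
    Format-Table -AutoSize
```

Any host reported as Unpatched is a candidate for the re-infection the article warns about in the final paragraph, so it should be patched before the removal tool is run on it.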
     

If the above steps do not resolve the issue, reset all passwords and then perform the following steps to identify which machines are still attempting to spread the infection: 

  1. Turn on auditing of failed Logon Events:

    1. On your Domain Controller(s), click Start > Administrative Tools > Domain Controller Security Policy.

    2. Navigate to Security Settings > Local Policies > Audit Policy > Audit Logon Events.

    3. Ensure that Audit Logon Events is set to record all Success and Failure events.
     
  2. Monitor the Security event log on your Domain Controller(s) for Event ID 529 (if no 529 events are occurring, Win32/Conficker is using correct administrative passwords, so your passwords will need to be changed).
     
  3. When viewing the properties of the event, you will see a "Workstation Name". This is the culprit, or one of the culprits, that is trying to infect other computers.
     
  4. Go to the client(s) identified and repeat steps 1-5 above.
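Steps 1 to 4 above read the Workstation Name out of each event 529 by hand. The following added example (not ESET's code, and not part of the original article) automates that step in PowerShell: it pulls the failed-logon events from a domain controller's Security log for the last N hours, extracts the "Workstation Name:" line from each message, and ranks the workstations by how many failures they caused, so the machine hammering the domain controller with bad passwords stands out. The domain controller name and time window are assumed inputs; a small set of constructed (not real) event messages is included so the parsing can be exercised without access to a domain controller.

```powershell
# Added example, not ESET's code: rank workstations by the number of failed-logon
# events (ID 529 on Windows 2000/2003 domain controllers) they generated. Requires
# read access to the domain controller's Security log.
function Get-WorkstationName {
    param([string]$Message)
    # Event 529 messages contain a line such as "Workstation Name:<tab>PC-017".
    if ($Message -match 'Workstation Name:\s*(\S+)') { return $Matches[1] }
    return '<unknown>'
}

function Get-FailedLogonSources {
    param(
        [string]$DomainController = $env:COMPUTERNAME,   # assumed input
        [int]$Hours = 24,                                # assumed window
        [int]$EventId = 529
    )
    $since = (Get-Date).AddHours(-$Hours)
    # Filter on EventID rather than InstanceId so the qualifier bits of classic
    # Security events cannot hide a match.
    Get-EventLog -LogName Security -ComputerName $DomainController -After $since |
        Where-Object { $_.EventID -eq $EventId } |
        ForEach-Object { Get-WorkstationName -Message $_.Message } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ Name = 'Workstation'; Expression = { $_.Name } }, Count
}

# Constructed sample messages (not real log data) to exercise the parser offline.
$SampleMessages = @(
    "Logon Failure:`r`n`tReason:`t`tUnknown user name or bad password`r`n`tUser Name:`tAdministrator`r`n`tWorkstation Name:`tPC-017",
    "Logon Failure:`r`n`tReason:`t`tUnknown user name or bad password`r`n`tUser Name:`tadmin`r`n`tWorkstation Name:`tPC-017",
    "Logon Failure:`r`n`tReason:`t`tUnknown user name or bad password`r`n`tUser Name:`tbackup`r`n`tWorkstation Name:`tLAPTOP-3"
)
$SampleMessages |
    ForEach-Object { Get-WorkstationName -Message $_ } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object @{ Name = 'Workstation'; Expression = { $_.Name } }, Count |
    Format-Table -AutoSize

# Usage against a real domain controller (name is an assumed placeholder):
# Get-FailedLogonSources -DomainController 'DC01' -Hours 12 | Format-Table -AutoSize
```

An empty result from Get-FailedLogonSources is itself a finding: as step 2 says, no 529 events means the worm is already authenticating with valid administrative passwords, and the password change in step 3 of the network cleaning steps becomes the priority.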


After completing the above steps for Cleaning Steps (Network), all Administrative passwords should be changed again to ensure that Conficker does not have any of these passwords. If Conficker is still showing threats after all machines are patched, then there is either an unpatched machine still remaining or ESET is not installed and updated on a machine.