[KB2209] Conficker – How do I protect myself?

Issue

Your risk of exposure to the Win32/Conficker threat is due to a Microsoft operating system vulnerability (Microsoft released a patch for this vulnerability in October 2008). To help avoid infection caused by Microsoft operating system vulnerabilities, make sure your computer (and every computer on your network) is always up to date with the latest Microsoft Windows updates. You can find the latest updates at http://update.microsoft.com/.

To protect yourself from Conficker, follow the step-by-step instructions in this article. Or, click the appropriate link below to skip to a specific section: 

Solution

Preventing Infection

A - Download Microsoft security patches

If you do not wish to download all Windows updates but want to ensure that you are at least protected against the Win32/Conficker threats, download and install the patches (KB958644, KB957097 and KB958687) in the following Microsoft Security Bulletins:

B - Disable Autorun and Autoplay (Windows XP and Windows Vista)

You may want to disable the Autorun and Autoplay features in your Windows system to prevent malicious software makers from abusing these security flaws. USB drives and other removable media, which Autorun/Autoplay process by default each time you connect them to your computer, are currently the most frequently used virus carriers.

Microsoft Windows Autorun and Autoplay are features that were originally intended to simplify running CD content by automatically:

(i) executing the Autorun.inf file (and whatever possibly malicious instructions it contains) - Autorun vulnerability

(ii) opening a pop-up window with available actions (some of which may be hostile triggers taken over from a malicious Autorun.inf) - Autoplay vulnerability

Some terms might differ

Some terms used in the steps below may slightly differ, depending on your browser.

  1. If you want to disable Autorun and Autoplay right-click this link to download the DisableAutorun.reg file and select Save link as...
     
  2. In the Save As window ensure that:

    (i) the Save As Type drop-down menu is set to All files or Registration Entries (*.reg) (or similar, depending on your browser)

    (ii) the File Name field contains the exact name of the registry file (i.e. DisableAutorun.reg)
     
  3. Click Save. Confirm any prompts to save the registry file.
     
  4. Double-click the saved file and confirm adding the registry entry by clicking Yes. Click OK to finish.

Warning

After importing the downloaded file into your Windows Registry, any Autorun.inf file will be ignored by your system. While this disables the Autorun functionality completely, the Autoplay window will continue to pop up; however, it will exclude the potentially dangerous Autorun.inf options. Keep in mind that these preventive security measures do not eradicate existing malware infections. We recommend strict caution when opening/executing/clicking any unknown files!

Important

The downloaded file must be saved with a .reg extension to work properly. If double-clicking the file does not bring up the Registry Editor dialog window, right-click the file icon, select Properties and edit the filename on the General tab to ensure the last four characters of the filename are .reg. Confirm any prompts to save your changes.

NOTE

We recommend reading the following article for more information about this solution.

B2 - How to re-enable Autorun and Autoplay (Windows XP and Windows Vista)

 

If you need to undo the changes you made by following the instructions in section B (above), right-click this link to download the ReenableAutorun.reg file and repeat the instructions from section B, this time using the ReenableAutorun.reg file.

Important

You will need to restart your computer for the changes to take effect.
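The behaviour sections B and B2 describe (Autorun.inf ignored while Autoplay still appears without the Autorun.inf-derived actions) is what Microsoft's documented IniFileMapping registry setting produces. The PowerShell below is an added example, not ESET's DisableAutorun.reg or ReenableAutorun.reg; it assumes those files rely on this mechanism, and the function names are chosen here. It covers the disable step (section B), the undo step (section B2) and a check useful for verifying many machines after rollout.

```powershell
# Added example (not ESET's .reg files): disable or re-enable Autorun.inf processing by
# mapping Autorun.inf to a registry location that never exists (IniFileMapping).
# Run from an elevated PowerShell prompt; restart afterwards, as section B2 notes.

$AutorunInfKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Disable-AutorunInf {
    # Create the mapping key and point its default value at a nonexistent key, so every
    # lookup into any Autorun.inf returns nothing (equivalent of DisableAutorun.reg).
    if (-not (Test-Path $AutorunInfKey)) {
        New-Item -Path $AutorunInfKey -Force | Out-Null
    }
    Set-ItemProperty -Path $AutorunInfKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Enable-AutorunInf {
    # Undo step (equivalent of ReenableAutorun.reg): removing the mapping restores
    # the default Autorun.inf handling.
    if (Test-Path $AutorunInfKey) {
        Remove-Item -Path $AutorunInfKey -Recurse -Force
    }
}

function Test-AutorunInfDisabled {
    # Returns $true when the mapping is in place; handy for auditing a fleet.
    if (-not (Test-Path $AutorunInfKey)) { return $false }
    $value = (Get-ItemProperty -Path $AutorunInfKey).'(default)'
    return $value -eq '@SYS:DoesNotExist'
}

# Example usage:
# Disable-AutorunInf
# Test-AutorunInfDisabled    # True once the key has been written
```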

NOTE

In addition to downloading and installing the latest security patches, you can take other precautionary measures to reduce the risk of infection. Click here for more strategies to minimize the risk of a malware attack. If you are a network administrator, click here for steps you can take to minimize the risk of an infection on your network.

Cleaning Steps (Single Machine)

If you encounter or have encountered the Win32/Conficker malware, a fully updated version of an ESET product (version 3.0 or later) will clean the infection.

Important

To avoid re-infecting the operating system, it must be properly patched using all links from section A above.

  1. Disconnect the infected computer from the network and the internet.

  2. Use an uninfected PC to download the respective Windows patches from section A above. Install all patches.

3. Reset the passwords of your system's administrator accounts, choosing stronger ones. Note that the infiltration can spread through shared folders.

    (i.) Press CTRL+ALT+DELETE, and then click Change password...

    (ii.) Type your old password, type your new password, type your new password again to confirm it, and then press ENTER.

  4. Download a one-off ESET application (again, using a non-infected PC) that will remove the worm. If you do not have an ESET product (version 3.0 or later) installed, download (using a non-infected PC) and run our free stand-alone cleaner:


  5. Download and install the latest version of your ESET software.

  6. Update your virus signature database.

To verify that the standalone cleaner removed the Conficker threat, rerun the standalone cleaner and then run a scan with your ESET product.

After successfully running the ESET standalone cleaner, we recommend that you read the following Microsoft article for information about important security patches and recommended group changes:

NOTE

If the ESET standalone cleaner does not fully remove the Conficker threat, the Microsoft article above also contains manual Conficker removal instructions.

For maximum protection against future threats, make sure your operating system is patched according to Microsoft's recommendations and that your ESET product is up to date.

Important

To find further information on protecting yourself against the Conficker worm please refer to our ESET blog entries.

Cleaning Steps (Network)

Use NMap to locate infected machines

If you suspect that a Conficker infection is in place on computers in your network, you can use the free utility NMap to detect infected clients using the following commands:

  • To scan your network: nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [target networks]

  • For a quicker scan: nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args checkconficker=1,safe=1 -T4 [target networks]

  • For an in-depth scan: nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p- --script-args checkall=1,safe=1 -T4 [target networks]

  1. If you do not want to download all Windows updates, but want to ensure that you are at least protected against Win32/Conficker threats, download and install the patches (KB958644, KB957097 and KB958687) in the following Microsoft Security Bulletins on all the machines on your network:

    Patches are not needed for Windows 7 and Server 2008 R2

    The patches below are not necessary for Windows 7 or Server 2008 R2, as the vulnerability exploited by Conficker does not exist on these operating systems. However, Microsoft Windows Server 2008 does require the patches below.

  2. Install and update an ESET security solution on all machines:
  3. Change all passwords on the network as Conficker will be using any passwords it has already logged or attained by brute force.
  4. Run the ESET Conficker Removal Tool on each machine:

  5. Remove any scheduled tasks that were created by Win32/Conficker by using the following command on the clients:

    at /delete /yes

If the above steps do not resolve the issue, reset all passwords and then perform the following steps to identify which machines are still attempting to spread the infection: 

  1. Turn on auditing of failed Logon Events:

    (i) On your Domain Controllers, click Start > Administrative Tools > Domain Controller Security Policy.

    (ii) Navigate to Security Settings > Local Policies > Audit Policy > Audit Logon Events.

    (iii) Ensure that Audit Logon Events is set to record all Success and Failure events.

  2. Monitor the Security Event log on your Domain Controller(s) for Event ID 529 (if no 529 events are occurring, then Win32/Conficker is using correct administrative passwords; your passwords will therefore need to be changed).
     
  3. When viewing the properties of the event, you will see a "Workstation Name". This is the culprit, or one of the culprits, that is trying to infect other computers.
     
  4. Go to the client(s) identified and repeat steps 1-5 above.
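To make steps 2 and 3 repeatable across several domain controllers, the following PowerShell is an added example (not part of the original article) that groups Event ID 529 entries by their Workstation Name field, so the machine(s) generating the failed logons stand out. The function name, the failure threshold and the one-hour window are assumptions; it reads the classic Security log via Get-EventLog.

```powershell
# Added example (not from the original article): rank workstations by the number of
# failed logon events (ID 529) they caused on this domain controller. A host that
# produces hundreds of failures against many accounts in a short window is the
# "culprit" step 3 refers to. Run on each domain controller from an elevated prompt.

function Get-FailedLogonSources {
    param(
        [int]$EventId = 529,                          # 4625 is the equivalent on Vista/2008 and later
        [int]$MinimumFailures = 20,                   # assumed threshold; tune for your environment
        [datetime]$Since = (Get-Date).AddHours(-1)    # assumed window
    )

    Get-EventLog -LogName Security -InstanceId $EventId -After $Since |
        ForEach-Object {
            # Extract the source host from the event message; entries with an empty
            # Workstation Name line are skipped rather than mis-attributed.
            if ($_.Message -match 'Workstation Name:[ \t]*(\S+)') { $Matches[1] }
        } |
        Group-Object |
        Where-Object { $_.Count -ge $MinimumFailures } |
        Sort-Object Count -Descending |
        Select-Object @{ Name = 'Workstation'; Expression = { $_.Name } }, Count
}

# Example usage:
# Get-FailedLogonSources -MinimumFailures 50 | Format-Table -AutoSize
```

Hosts at the top of the list are the ones to isolate and clean per steps 1-5 above; an empty result while infections persist points to the password problem described in step 2.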

After completing the above steps for Cleaning Steps (Network), all Administrative passwords should be changed again to ensure that Conficker does not have any of these passwords. If Conficker is still showing threats after all machines are patched, then there is either an unpatched machine still remaining or ESET is not installed and updated on a machine.

Need Assistance in North America?

If you are a North American ESET customer and need assistance, view product documentation or visit helpus.eset.com to chat with a live technician.