Issue
Your risk of exposure to the Win32/Conficker threat is due to a Microsoft operating system vulnerability (Microsoft released a patch for this vulnerability in October 2008). To help avoid infection caused by Microsoft operating system vulnerabilities make sure your computer (and all computers on your network) is always up to date with the latest Microsoft Windows update. You can find the latest updates at http://update.microsoft.com/.
To protect yourself from Conficker, follow the step-by-step instructions in this article. Or, click the appropriate link below to skip to a specific section:
Solution
Preventing Infection
A–Download Microsoft security patches
B - Disable Autorun and Autoplay (Windows XP and Windows Vista)
You may want to disable the Autorun and Autoplay features in your Windows system to prevent malicious software makers from abusing these security flaws. USB drives and other removable media, which are accessed by the Autorun/Autoplay functionalities each time (by default) you connect them to your computer, are the most frequently used virus carriers these days.
Microsoft Windows Autorun and Autoplay are features that were at first intended to simplify running CD content by automatically:(i) executing the Autorun.inf file (and whatever possible malicious instructions it contains) - Autorun vulnerability(ii) opening a pop-up window with available actions (some of which may be hostile triggers taken over from a malicious Autorun.inf) - Autoplay vulnerability
- If you want to disable Autorun and Autoplay right-click this link to download the DisableAutorun.reg file and select Save link as...
- In the Save As window ensure that:
(i) the Save As Type drop-down menu is set to All files or Registration Entries (*.reg) (or similar, depending on your browser)
(ii) the File Name field contains the exact name of the registry file (i.e. DisableAutorun.reg)
- Click Save. Confirm any prompts to save the registry file.
- Double-click the saved file and confirm adding the registry entry by clicking Yes. Click OK to finish.
B2 - How to re-enable Autorun and Autoplay (Windows XP and Windows Vista)
If you need to undo the changes you have made following the instructions in section B (above) right-click this link to download the ReenableAutorun.reg file and repeat the instructions from section B (above) only this time use the ReenableAutorun.reg file.
Cleaning Steps (Single Machine)
-
Disconnect the infected computer from the network and the internet.
-
Use an uninfected PC to download the respective Windows patches from section A above. Install all patches.
-
Reset your system passwords to admin accounts using more sophisticated ones. Note that the infiltration can spread through shared folders.
(i.) Press CTRL+ALT+DELETE, and then click Change password...
(ii.) Type your old password, type your new password, type your new password again to confirm it, and then press ENTER.
-
Download an one-off ESET application (again, using a non-infected PC) which will remove the worm. If you do not have an ESET product (3.0 or later) installed, you can download (using a non-infected PC) and run our free stand-alone cleaner:
-
Download and Install the latest version of your ESET software.
To verify that the standalone cleaner removed the Conficker threat, rerun the standalone cleaner and then run a scan with your ESET product.
After successfully running the ESET standalone cleaner, we recommend that you read the following Microsoft article for information about important security patches and recommended group changes:
For maximum protection against future threats, make sure your operating system is patched according to Microsoft's recommendations and that your ESET product is up to date.
Cleaning Steps (Network)
- If you do not want to download all Windows updates, but want to ensure that you are at least protected against Win32/Conficker threats, download and install the patches (KB958644, KB957097 and KB958687) in the following Microsoft Security Bulletins on all the machines on your network:
- Install and update an ESET security solution on all machines:
- Change all passwords on the network as Conficker will be using any passwords it has already logged or attained by brute force.
-
Run the ESET Conficker Removal Tool on each machine:
- Remove any scheduled tasks that were created by Win32/Conficker by using the following command on the clients:
at /delete /yes
If the above steps do not resolve the issue, reset all passwords and then perform the following steps to identify which machines are still attempting to spread the infection:
-
Turn on auditing of failed Logon Events:
-
On your Domain Controllers, click Start → Administrative Tools → Domain Control Security Policy.
-
Navigate to Security Settings → Local Policies → Audit Policy → Audit Logon Events.
-
-
Ensure that Audit Logon Events is set to record all Success and Failure events.
-
-
- Monitor the Security Event log on your Domain Controller(s) for Event IDs of 529 (if no 529 events are occurring, then Win32/Conficker is using correct administrative passwords - your passwords will therefore need to be changed).
- When viewing the properties of the event, you will see a "Workstation Name". This is the culprit, or one of the culprits, that is trying to infect other computers.
- Go to the client(s) identified and repeat steps 1-5 above.
After completing the above steps for Cleaning Steps (Network), all Administrative passwords should be changed again to ensure that Conficker does not have any of these passwords. If Conficker is still showing threats after all machines are patched, then there is either an unpatched machine still remaining or ESET is not installed and updated on a machine.
