View RSS Feed

100 Grades Per Minute

How to remove Conficker (AKA Downadup and Kido)

Rate this Entry
, 2nd December 2009 at 07:34 PM (4387 Views)
Following on from my post earlier, I am publishing a quick guide to removing this nasty virus. Hopefully it will let you clear it from your network a bit quicker then we have.

First of all, you need to shut your network down. This is important because Conficker spreads from computer to computer regardless of them being patched against it. We found lots of systems that were patched but still infected after the virus propagated over the network, only a few systems that didnít belong to the domain and were set-up strangely were completely unaffected.

Next you need to run a virus scan on all computers and memory sticks, even unaffected ones. If possible, ensure the Task Scheduler service is stopped. While you go computer to computer, it is worth checking they are all patched against the virus. If Conficker is detected, restart the machine and run another scan.

Check the following locations

  • Scheduled Tasks for a task (or many tasks) called AT and a number after the name pointing to a randomly named file in C:\Windows\SYSTEM32. Also remember to check the file it is pointing to is gone. If a task cannot be deleted, right click it to choose properties and in the Security tab, grant full Control to Administrators.
  • Open the Registry Editor (Windows Key+R -> type Regedit in the Run window) and find HK_LOCAL_MACHINE\Software\Microsoft\Windows\Curren tVersion\Run and look for a registry entry pointing to the randomly named file detected earlier. Delete it if it exists.
    Scan the machine again if any of these are found.

When every computer in the school is scanned and you are confident they are patched, protected by antivirus and free of the virus, bring the network up slowly. Keep machines disconnected and gradually bring them online. It helps if you have some central monitoring software, like the Enterprise Console in Sophos, to keep an eye the entire network on as computers come back up.

If a machine doesnít have antivirus, you can obtain a tool to remove Conficker here but get Antivirus installed as soon as possible when the machine is cleared of infection. The patch for Windows XP to close the vulnerability used by the virus can be found here.

Be warned that the virus is highly infectious and you must monitor the network closely over the coming weeks to ensure no re-infection occurs. All it will take is one infected system lacking the right updates and antivirus software.
Work , Technical



Total Trackbacks 0
Trackback URL: