Find and Remove Conficker Virus Efficiently and Free via Network Scan

So you got the Conficker.

You could go to each machine and run the eye chart test (http://www.confickerworkinggroup.org/infection_test/cfeyechart.html), but in a bigger environment, or if you prefer to work smarter and not harder, you need some sort of test to pinpoint which machines are infected.

Answer = nmap (http://nmap.org)

I am using the Windows version. With the latest version, the Conficker check is included with the rest of the scripts. Fire up nmap, either from the command line (adjust the screen buffer to see all results) or in the Zenmap GUI, and in the command box or line, type:

nmap -p 445 -d --script smb-check-vulns.nse --script-args safe=1 <target>

For example, to check the network range, type:

nmap -p 445 -d --script smb-check-vulns.nse --script-args safe=1 <network range>

It takes a few minutes. Don't worry if the GUI says "not responding"; it's still working. When complete, you will see some results. Here is what to look for:

Nmap scan report for machine.domain.com (
Host is up, received arp-response (0.00013s latency).
Scanned at 2010-04-21 09:29:26 Eastern Daylight Time for 1s
445/tcp open  microsoft-ds syn-ack
MAC Address: 00:06:5B:2A:81:72 (Dell Computer)

Host script results:

| smb-check-vulns:  
|   MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|   Conficker: Likely CLEAN
|   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|_  SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)

Don't worry about the "CHECK DISABLED" lines. Those are extra checks that could crash a system, which is why we used "--script-args safe=1". Look for the "Conficker:" line: if the machine is good, you will see "Conficker: Likely CLEAN"; if not, you will see the "Conficker: Likely Infected" message.

You will get some other messages about not being able to check. Those are usually network devices or other OSes that couldn't get Conficker anyway. Be sure to check though!
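
On a large scan, reading every host block by eye is slow, so the saved output can be sorted into infected, clean and "could not check" lists. This is an added example, not part of the original article; it assumes nmap's normal text output in the format shown above, and the sample hosts and addresses are constructed.

```python
import re

# Constructed sample in the output format shown above; hosts and addresses are made up.
SAMPLE = """\
Nmap scan report for pc01.example.test (192.0.2.11)
445/tcp open  microsoft-ds syn-ack
Host script results:
| smb-check-vulns:
|   MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|   Conficker: Likely CLEAN
|_  SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)

Nmap scan report for pc02.example.test (192.0.2.12)
445/tcp open  microsoft-ds syn-ack
Host script results:
| smb-check-vulns:
|   Conficker: Likely INFECTED
|_  regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)

Nmap scan report for 192.0.2.20
445/tcp filtered microsoft-ds no-response
"""

HOST_RE = re.compile(r"^Nmap scan report for (.+?)\s*$")
CONFICKER_RE = re.compile(r"^\|_?\s*Conficker:\s*(.+?)\s*$")

def triage(text):
    """Group scanned hosts into infected / clean / unchecked by their Conficker line."""
    verdicts, host = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            verdicts[host] = ""          # no verdict seen yet for this host
        elif host and (m := CONFICKER_RE.match(line)):
            verdicts[host] = m.group(1).lower()
    groups = {"infected": [], "clean": [], "unchecked": []}
    for host, verdict in verdicts.items():
        if "infected" in verdict:
            groups["infected"].append(host)
        elif "clean" in verdict:
            groups["clean"].append(host)
        else:                            # errors, filtered ports, non-Windows devices
            groups["unchecked"].append(host)
    return groups

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

To use it on a real scan, save the results with nmap's -oN option and pass the file's contents to triage(); anything in the "unchecked" list still needs a manual look.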

So now you know WHICH machines. WHAT to do about it?

Get the removal tool from here (http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99)

Run the tool, reboot, and patch. Each OS has a different patch; the tool will tell you which one to get. Do a Google search for it, download it, and install it.

Install Antivirus!