Find and Remove Conficker Virus Efficiently and Free via Network Scan

Published:
So you got the Conficker.

You could go to each machine and run the eye chart test (http://www.confickerworkinggroup.org/infection_test/cfeyechart.html), but in a bigger environment, or if you prefer to work smarter and not harder, you need some sort of test to pinpoint which machines are infected.

Answer = nmap (http://nmap.org)

I am using the windows version. With the latest version, the Conficker check is included with the rest of the scripts. Fire up nmap, command line (adjust screen buffer to see all results) or the Zenmap GUI, and in the command box or line, type:

nmap -p 445 -d --script smb-check-vulns.nse --script-args safe=1

For example, to check the 192.168.1.0 network range, type:

nmap -p 445 -d --script smb-check-vulns.nse --script-args safe=1 192.168.1.1-254

It takes a few minutes, don't worry if the GUI says not responding, it's still working. When complete, you will see some results. Here is what to look for:


Nmap scan report for machine.domain.com (192.168.1.122)
Host is up, received arp-response (0.00013s latency).
Scanned at 2010-04-21 09:29:26 Eastern Daylight Time for 1s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
MAC Address: 00:06:5B:2A:81:72 (Dell Computer)


Host script results:


| smb-check-vulns:  
|   MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|   Conficker: Likely CLEAN
|   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|_  SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)

Don't worry about the "CHECK DISABLED", those are extra checks that could crash a system, that is why we used the "--script-args safe". Look for "Conficker: Likely CLEAN". If it's good, you will see the clean message, if not, you will see the "Conficker: Likely Infected" message.

You will  get some other messages about not being able to check, those are usually network devices or other OS's that couldn't get Conficker anyway. Be sure to check though!

So now you know WHICH machines, WHAT to do about it?

Get the removal tool from here (http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99)

Run the tool, reboot, patch - each OS has different patch. The tool will tell you which one to get, do a Google search on it, download it, install it.

Install Antivirus!
0
5,300 Views

Comments (1)

Author

Commented:
The command lines are a combination of looking for answers when we had the issue. The commands have certain elements that have to be there to work, I assume others would have it, just as other sites use the command sfc /scannow. Also when doing research, different sites had different variations on the command. After trial and error, I found the one that worked. I also went into more detail than other sites on how to actually use it, instead of "run this command".

During our infection, we had the majority of our machines with antivirus which were not affected. The problem came from the rogue PC's. We new we had the Conficker, but not which machines. Previously, our IT staff had to examine each PC and check - painstakingly long and tedious. Also, 1 or 2 machines were always missed (a user had a windows picture frame connected to network, a test VM, etc).

There are "pay for" programs that will scan for you and report, however, the method I used used free software to achieve the same result, saving time and money.

I originally wrote this article on my blog http://eventhisnameistaken.blogspot.com, I discovered that you can post articles here so I did.

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.

Get access with a 7-day free trial.
You Belong in the World's Smartest IT Community