Find and Remove Conficker Virus Efficiently and Free via Network Scan

So you got the Conficker.

You could go to each machine and run the eye chart test (http://www.confickerworkinggroup.org/infection_test/cfeyechart.html), but in a bigger environment, or if you prefer to work smarter and not harder, you need some sort of test to pinpoint which machines are infected.

Answer = nmap (http://nmap.org)

I am using the Windows version. With the latest version, the Conficker check is included with the rest of the NSE scripts. Fire up nmap, either the command line (adjust the screen buffer so you can see all the results) or the Zenmap GUI, and in the command box or on the command line, type:

nmap -p 445 -d --script smb-check-vulns.nse --script-args safe=1

For example, to check the 192.168.1.0 network range, type:

nmap -p 445 -d --script smb-check-vulns.nse --script-args safe=1 192.168.1.1-254

It takes a few minutes; don't worry if the GUI says "not responding", it's still working. When it completes, you will see the results. Here is what to look for:

Nmap scan report for machine.domain.com (192.168.1.122)
Host is up, received arp-response (0.00013s latency).
Scanned at 2010-04-21 09:29:26 Eastern Daylight Time for 1s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
MAC Address: 00:06:5B:2A:81:72 (Dell Computer)

Host script results:
| smb-check-vulns:  
|   MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|   Conficker: Likely CLEAN
|   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|_  SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)

Don't worry about the "CHECK DISABLED" entries; those are extra checks that could crash a system, which is why we used "--script-args safe=1". Look for "Conficker: Likely CLEAN". If the machine is good, you will see the clean message; if not, you will see "Conficker: Likely Infected".

You will also get some other messages about not being able to check; those are usually network devices or other OSes that couldn't get Conficker anyway. Be sure to check them though!
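Once the scan output is saved (for example with nmap's -oN option), the per-host Conficker lines still have to be pulled out of it and the "could not check" hosts kept on the list rather than silently dropped. The following is an added example, not code from the original article, that parses constructed sample output in the same format as shown above; the host names, addresses and the UNKNOWN wording are made up for the sample.

```python
import re
# Constructed nmap "normal" output for three hosts (sample data, not a real scan).
SAMPLE_OUTPUT = """\
Nmap scan report for desk01.example.local (192.168.1.122)
Host is up, received arp-response (0.00013s latency).
Host script results:
| smb-check-vulns:
|   MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|_  Conficker: Likely CLEAN

Nmap scan report for desk02.example.local (192.168.1.130)
Host is up, received arp-response (0.00020s latency).
Host script results:
| smb-check-vulns:
|   MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|_  Conficker: Likely INFECTED

Nmap scan report for 192.168.1.1
Host script results:
| smb-check-vulns:
|_  Conficker: UNKNOWN (could not check)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
CONFICKER_RE = re.compile(r"^\|_?\s+Conficker:\s+(.+?)\s*$")

def triage(output):
    """Map each scanned host (IP if shown, else name) to its Conficker verdict."""
    verdicts, host = {}, None
    for line in output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(2) or m.group(1)
            verdicts[host] = "NOT CHECKED"   # overwritten if a Conficker line follows
            continue
        m = CONFICKER_RE.match(line)
        if m and host:
            verdicts[host] = m.group(1)
    return verdicts

def needs_attention(output):
    """Return (hosts to clean, hosts not confirmed clean that need a manual look)."""
    infected, unverified = [], []
    for host, verdict in sorted(triage(output).items()):
        if verdict.upper().startswith("LIKELY INFECTED"):
            infected.append(host)
        elif not verdict.upper().startswith("LIKELY CLEAN"):
            unverified.append(host)
    return infected, unverified
```

Feed it the saved output of the scan command above; anything in the second list is a device the script could not verify and should be checked by hand.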

So now you know WHICH machines are infected. WHAT do you do about it?

Get the removal tool from here (http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99)

Run the tool, reboot, then patch; each OS has a different patch. The tool will tell you which one to get: do a Google search on it, download it, and install it.

Install Antivirus!
Author: ZTrek7

Author Comment by: ZTrek7
The command lines are a combination of looking for answers when we had the issue. The commands have certain elements that have to be there to work, I assume others would have it, just as other sites use the command sfc /scannow. Also when doing research, different sites had different variations on the command. After trial and error, I found the one that worked. I also went into more detail than other sites on how to actually use it, instead of "run this command".

During our infection, we had the majority of our machines with antivirus which were not affected. The problem came from the rogue PCs. We knew we had the Conficker, but not which machines. Previously, our IT staff had to examine each PC and check - painstakingly long and tedious. Also, 1 or 2 machines were always missed (a user had a Windows picture frame connected to the network, a test VM, etc.).

There are "pay for" programs that will scan for you and report, however, the method I used used free software to achieve the same result, saving time and money.

I originally wrote this article on my blog, http://eventhisnameistaken.blogspot.com; I discovered that you can post articles here, so I did.