Find and Remove Conficker Virus Efficiently and Free via Network Scan

So you got the Conficker.

You could go to each machine and run the eye chart test (http://www.confickerworkinggroup.org/infection_test/cfeyechart.html), but in a bigger environment, or if you prefer to work smarter and not harder, you need some sort of test to pinpoint which machines are infected.

Answer = nmap (http://nmap.org)

I am using the Windows version. With the latest version, the Conficker check is included with the rest of the scripts. Fire up nmap, either from the command line (adjust the screen buffer to see all results) or the Zenmap GUI, and in the command box or line, type:

nmap -p 445 -d --script smb-check-vulns.nse --script-args safe=1

For example, to check the 192.168.1.0 network range, type:

nmap -p 445 -d --script smb-check-vulns.nse --script-args safe=1 192.168.1.1-254

It takes a few minutes. Don't worry if the GUI says it is not responding; it's still working. When complete, you will see some results. Here is what to look for:


Nmap scan report for machine.domain.com (192.168.1.122)
Host is up, received arp-response (0.00013s latency).
Scanned at 2010-04-21 09:29:26 Eastern Daylight Time for 1s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
MAC Address: 00:06:5B:2A:81:72 (Dell Computer)


Host script results:
| smb-check-vulns:
|   MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|   Conficker: Likely CLEAN
|   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|_  SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)

Don't worry about "CHECK DISABLED"; those are extra checks that could crash a system, which is why we used "--script-args safe=1". Look for the "Conficker:" line. If the machine is good, you will see "Conficker: Likely CLEAN"; if not, you will see the "Conficker: Likely Infected" message.

You will get some other messages about not being able to check; those are usually network devices or other operating systems that couldn't get Conficker anyway. Be sure to check though!
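
One way to pull the verdicts out of a large scan, as an added example that is not part of the original article: a Python script that reads saved nmap output in the format shown above and marks each host as INFECTED, CLEAN or UNCHECKED (no Conficker verdict, so it still needs a manual look). The function name, the status labels and the sample hosts are assumptions made for this example.

```python
import re

# Constructed sample in the output format shown above; hosts and addresses are made up.
SAMPLE = """\
Nmap scan report for pc1.example.local (192.168.1.122)
445/tcp open  microsoft-ds syn-ack
Host script results:
| smb-check-vulns:
|   MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|   Conficker: Likely CLEAN
|_  SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)

Nmap scan report for 192.168.1.130
445/tcp open  microsoft-ds syn-ack
Host script results:
| smb-check-vulns:
|   Conficker: Likely Infected
|_  regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)

Nmap scan report for printer.example.local (192.168.1.200)
445/tcp closed microsoft-ds reset
"""

# A report header is either "name (address)" or a bare address.
HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \((\S+)\)|(\S+))\s*$")
# The Conficker line inside the smb-check-vulns block ("|" or "|_" prefix).
VERDICT_RE = re.compile(r"^\|[_ ]\s*Conficker:\s*(.+?)\s*$")


def triage(report):
    """Map each scanned address to (hostname, status)."""
    hosts, current = {}, None
    for line in report.splitlines():
        host = HOST_RE.match(line)
        if host:
            name, current = (host.group(1), host.group(2)) if host.group(2) else ("", host.group(3))
            hosts[current] = (name, "UNCHECKED")  # stays so unless a verdict follows
            continue
        verdict = VERDICT_RE.match(line)
        if verdict and current:
            text = verdict.group(1).lower()  # compare case-insensitively
            status = "INFECTED" if "infected" in text else "CLEAN" if "clean" in text else "UNCHECKED"
            hosts[current] = (hosts[current][0], status)
    return hosts


if __name__ == "__main__":
    for addr, (name, status) in sorted(triage(SAMPLE).items()):
        print(f"{status:<10}{addr:<16}{name}")
```

To use it on a real scan, save the results to a file with nmap's -oN option and pass the file's contents to triage(); the extra debug lines produced by -d are ignored.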

So now you know WHICH machines. WHAT do you do about it?

Get the removal tool from here (http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99)

Run the tool, reboot, and patch. Each OS has a different patch; the tool will tell you which one to get. Do a Google search on it, download it, and install it.

Install Antivirus!

Comments (1)

Author

Commented:
The command lines are a combination of looking for answers when we had the issue. The commands have certain elements that have to be there to work, I assume others would have it, just as other sites use the command sfc /scannow. Also when doing research, different sites had different variations on the command. After trial and error, I found the one that worked. I also went into more detail than other sites on how to actually use it, instead of "run this command".

During our infection, we had the majority of our machines with antivirus which were not affected. The problem came from the rogue PCs. We knew we had the Conficker, but not which machines. Previously, our IT staff had to examine each PC and check - painstakingly long and tedious. Also, 1 or 2 machines were always missed (a user had a Windows picture frame connected to network, a test VM, etc).

There are "pay for" programs that will scan for you and report, however, the method I used used free software to achieve the same result, saving time and money.

I originally wrote this article on my blog http://eventhisnameistaken.blogspot.com. I discovered that you can post articles here, so I did.
