Find and Remove Conficker Virus Efficiently and Free via Network Scan
So you've got Conficker.
You could go to each machine and run the eye chart test (http://www.confickerworkinggroup.org/infection_test/cfeyechart.html), but in a bigger environment, or if you prefer to work smarter and not harder, you need some sort of remote test to pinpoint which machines are infected.
Answer = nmap (http://nmap.org). The Conficker check works over the network because an infected machine patches the MS08-067 hole it came in through, and the SMB response of that patched-in-memory code looks different from both an unpatched and a properly patched Windows box; nmap's script simply probes port 445 and compares.
I am using the Windows version. With the latest version, the Conficker check is included with the rest of the NSE scripts (in newer nmap releases smb-check-vulns.nse has been split into separate smb-vuln-* scripts, and the same check is run with --script smb-vuln-conficker). Fire up nmap from the command line (adjust the console's screen buffer so you can see all the results, or add -oN results.txt to save them to a file) or the Zenmap GUI, and in the command box or line, type:
nmap -p 445 -d --script smb-check-vulns.nse --script-args safe=1
For example, to check the 192.168.1.0 network range, type:
nmap -p 445 -d --script smb-check-vulns.nse --script-args safe=1 192.168.1.1-254
It takes a few minutes; don't worry if the GUI says "Not Responding", it is still working. (The -d switch turns on debug output, which adds a lot of extra lines; drop it if you only want the results.) When the scan completes you will see a report per host. Here is what to look for:
Nmap scan report for machine.domain.com (192.168.1.122)
Host is up, received arp-response (0.00013s latency).
Scanned at 2010-04-21 09:29:26 Eastern Daylight Time for 1s
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack
MAC Address: 00:06:5B:2A:81:72 (Dell Computer)
Host script results:
| MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|_ SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
Don't worry about the "CHECK DISABLED" lines: those are extra checks (MS08-067, regsvc DoS, SMBv2 DoS) that can crash the target, which is why we passed "--script-args safe=1". Look for the Conficker line. A clean machine shows "Conficker: Likely CLEAN"; an infected one shows "Conficker: Likely INFECTED".
You will also get some hosts where the script reports that it could not complete the check (UNKNOWN). Those are usually network devices or other operating systems that couldn't get Conficker anyway, but be sure to verify each one, because a Windows box that blocks the probe (host firewall, file sharing turned off) lands in the same bucket and must not be assumed clean.
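To turn a scan of a whole range into a to-do list, save the nmap output to a file (add -oN conficker.txt to the command above) and let a script sort the hosts. The Python below is an added example, not part of the original article or of nmap; it parses nmap's normal output format as shown in the report above, working from a constructed sample scan (the hostnames, addresses and the UNKNOWN message text are invented for the illustration), and puts anything that is not an explicit "Likely CLEAN" or "Likely INFECTED" into a manual-check bucket rather than quietly counting it as clean.

```python
import re
import sys
from collections import OrderedDict

# Constructed sample of nmap "normal" (-oN) output for four hosts, modelled on
# the report shown above. Hostnames, addresses and the UNKNOWN wording are
# invented for this illustration, not captured from a real scan.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for machine.domain.com (192.168.1.122)
Host is up, received arp-response (0.00013s latency).
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
Host script results:
| MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|_ SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)

Nmap scan report for 192.168.1.130
Host is up, received arp-response (0.00021s latency).
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
Host script results:
| MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
| Conficker: Likely INFECTED
|_ SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)

Nmap scan report for printer.domain.com (192.168.1.140)
Host is up, received arp-response (0.00030s latency).
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
Host script results:
| MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|_ Conficker: UNKNOWN; could not complete the check

Nmap scan report for 192.168.1.150
Host is up, received arp-response (0.00015s latency).
PORT    STATE  SERVICE      REASON
445/tcp closed microsoft-ds reset
"""

HOST_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[0-9.]+)\))?\s*$")
CONFICKER_RE = re.compile(r"^\|_?\s*Conficker:\s*(?P<verdict>.+?)\s*$")


def parse_conficker_verdicts(text):
    """Map each scanned host (IP if nmap printed one, else the name it used)
    to the text after "Conficker:" in its host script results. Hosts that
    produced no Conficker line at all (port 445 closed or filtered, so the
    script never ran) are recorded as "NOT CHECKED" instead of being dropped."""
    verdicts = OrderedDict()
    current = None
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group("ip") or host.group("name")
            verdicts[current] = "NOT CHECKED"
            continue
        hit = CONFICKER_RE.match(line)
        if hit and current is not None:
            verdicts[current] = hit.group("verdict")
    return verdicts


def classify(verdict):
    """Bucket a verdict string. Only the two explicit script messages count
    as a result; UNKNOWN, errors and missing output all go to "manual" so a
    person looks at them rather than the host being assumed clean."""
    v = verdict.upper()
    if "INFECTED" in v:
        return "infected"
    if v.startswith("LIKELY CLEAN"):
        return "clean"
    return "manual"


def triage(text):
    """Return {"infected": [...], "clean": [...], "manual": [...]} in scan order."""
    buckets = {"infected": [], "clean": [], "manual": []}
    for host, verdict in parse_conficker_verdicts(text).items():
        buckets[classify(verdict)].append(host)
    return buckets


if __name__ == "__main__":
    # Usage: python conficker_triage.py [conficker.txt]
    # With no argument the constructed sample above is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_OUTPUT
    report = triage(data)
    for bucket in ("infected", "manual", "clean"):
        print("%s (%d):" % (bucket.upper(), len(report[bucket])))
        for host in report[bucket]:
            print("  " + host)
```

Run it against the file you saved with -oN. The parser keys only on the "Nmap scan report for" and "Conficker:" lines, so the extra chatter from -d does not confuse it, and the match on the verdict is case-insensitive in case a different nmap build capitalises the message differently.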
So now you know WHICH machines are infected. WHAT do you do about it?
Get the removal tool from Symantec (http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99).
Run the tool, reboot, then patch. The hole Conficker exploits is MS08-067, and each OS version has a different patch package; the tool will tell you which one to get, so do a Google search on it, download it, and install it. Conficker also spreads through admin shares with weak passwords and via AutoRun on removable media, so change any weak administrator passwords and disable AutoRun while you are at it. Finally, run the nmap scan again to confirm that every machine now reports "Likely CLEAN".