Conficker has affected millions of machines around the world (see Three million hit by Windows worm). It has since infected over 9 million machines, and the number is still growing.
To remove Conficker from your network, first download the Microsoft patch for MS08-067 (KB958644) here. Conficker attacks machines that do not have this patch installed. You can push the update out with a script (click here) or via WSUS. If you don’t have a WSUS server, it is worth installing one. Test on a few machines before rolling the update out to every machine on the network.
Stop the virus from spreading by clicking here. The link will help you disable AutoRun and reduce the permissions on scheduled tasks. Conficker also creates scheduled tasks and uses them to spread, so you may find many of them on your machines, named AT1, AT2, AT3 and so on. If you check the properties of each one you will find that they point to randomly named files such as hjskja.dll or xldddd.dll. You can use a script to remove such tasks from your machines; see Delete scheduled task via script.
Make sure you don’t have any easy to guess usernames and passwords on your network.
Ensure all your machines have AV installed. If you use Sophos AntiVirus and wish to automate its deployment, see Deploy Sophos AntiVirus via script. Check that the machines with AV installed are updating and reporting no errors.
Run scans on your servers and ensure they are patched with the latest Windows security and critical updates.
Do not rely on System Restore to recover: Conficker removes the restore points on the machines it infects. To disable System Restore via Group Policy, see Disable System Restore via Group Policy.
F-Secure have compiled a list of the domains the virus uses, which you may want to block – click here.
Once you have locked down your network, download the Sophos Removal Tool and deploy it via Group Policy – see Sophos Removal Tool (this tool can also be used on machines that do not run Sophos AV).
The standalone version of the Sophos Removal Tool for Conficker can be found at Standalone Conficker Removal Tool (again usable on non-Sophos machines).
Finally, deploy the Microsoft Malicious Software Removal Tool across the network; see http://support.microsoft.com/kb/891716 for enterprise deployment.
Note: test before applying to a live environment.
It’s not an easy process, and it will take time before the worm is totally removed.
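The checks above, as an added example that is not part of the original post or of the scripts it links to: a PowerShell script that triages one host for the indicators described (KB958644 missing, AutoRun enabled, AT tasks running rundll32 on a randomly named DLL, AV service not running) and, when run with -Remove, disables AutoRun and deletes those tasks. The Sophos service name SAVService, the script file name and the assumption of English-language schtasks output are mine, not the post's.

```powershell
# Added triage script (not from the original post). Checks one Windows host for
# the Conficker indicators above and, with -Remove, applies the fixes.
# Assumptions: PowerShell 2.0 or later, run as a local administrator, English
# schtasks column names, and Sophos Anti-Virus registering as 'SAVService'.
param([switch]$Remove)

$findings = @()

# 1. MS08-067 (KB958644): Conficker attacks machines that are missing this patch.
$kb = Get-WmiObject -Class Win32_QuickFixEngineering |
      Where-Object { $_.HotFixID -eq 'KB958644' }
if (-not $kb) { $findings += 'KB958644 (MS08-067) is not installed' }

# 2. AutoRun: the worm spreads via autorun.inf on removable media.
#    NoDriveTypeAutoRun = 0xFF (255) disables AutoRun on every drive type.
$autorunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $autorunKey -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autorun -ne 255) {
    $findings += "NoDriveTypeAutoRun is '$autorun' (expected 255)"
    if ($Remove) {
        if (-not (Test-Path $autorunKey)) { New-Item -Path $autorunKey -Force | Out-Null }
        Set-ItemProperty -Path $autorunKey -Name NoDriveTypeAutoRun -Value 255 -Type DWord
    }
}

# 3. Scheduled tasks: Conficker creates AT1, AT2, ... that run rundll32 against a
#    randomly named DLL. Parse the verbose CSV output of schtasks; on Vista and
#    later the task name carries a leading backslash, so allow for it.
#    Only tasks named ATn that run rundll32 on a .dll are flagged, so a legitimate
#    AT job running something else is left alone. Review the report before -Remove.
$tasks = schtasks /query /fo csv /v | ConvertFrom-Csv
$suspect = $tasks | Where-Object {
    $_.TaskName -match '^\\?AT\d+$' -and $_.'Task To Run' -match 'rundll32.*\.dll'
}
foreach ($t in $suspect) {
    $findings += "Suspicious task $($t.TaskName) runs: $($t.'Task To Run')"
    if ($Remove) { schtasks /delete /tn $t.TaskName /f | Out-Null }
}

# 4. AV present and running? The service name is an assumption for Sophos;
#    change it to match whatever AV product you deploy.
$av = Get-Service -Name 'SAVService' -ErrorAction SilentlyContinue
if (-not $av -or $av.Status -ne 'Running') { $findings += 'Sophos AV service (SAVService) is not running' }

# Report. A non-zero exit code lets a management tool or logon script flag the host.
if ($findings.Count -eq 0) {
    Write-Host "$env:COMPUTERNAME: no Conficker indicators found"
    exit 0
}
$findings | ForEach-Object { Write-Host "$env:COMPUTERNAME: $_" }
if (-not $Remove) { Write-Host 'Re-run with -Remove to disable AutoRun and delete the flagged tasks' }
exit 1
```

Save it under a name of your choosing (Check-Conficker.ps1 is used here as an example) and run it first without -Remove, e.g. `powershell -ExecutionPolicy Bypass -File Check-Conficker.ps1`, so you can read the report before anything is changed; the patch itself is not installed by this script, it only tells you which hosts still need KB958644 pushed out via your script or WSUS.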
Some useful links below:
Thanks for sharing
The script works great with group policy
Great tool and thanks for posting
Keep up the good work
The script is a treat. Thanks to you for sharing and thanks to Sophos for creating a great script. I love it.
Thanks for taking the time to post such useful information.
We use a tool from BitDefender; actually, we use a Kaseya script that uses this BitDefender executable as the mechanism to remove Conficker, and it works well. Also, before removing it you want to make sure you understand how it was spreading, which will be from one of the following:
1.) Bad security policies: make sure you don’t have any easy-to-guess usernames and passwords on your workstations (look at both domain and local users).
2.) As suggested make sure your workstations are patched to a certain level.
3.) Make sure you don’t have any bad USB sticks or other such removable media floating around that could infect machines.
If you don’t have steps 1 or 2 covered the virus will go through your network, large or small, very quickly.
This is a brilliant and comprehensive guide. Greatly Appreciated.