Remove Conficker from network


Conficker has affected millions of machines around the world. See Three million hit by Windows worm. It has since infected over 9 million machines, and the number is still growing.

To remove Conficker from your network, first download the Microsoft patch here (KB958644). Conficker attacks machines which do not have this patch installed. You can use a script to push out the update – click here. Or you could push it out via WSUS. If you don’t have a WSUS server it’s worth installing one. Carry out tests on a few machines before rolling out to all machines on the network.

Stop the virus from spreading by clicking here. The link will help you disable autorun and reduce permissions on scheduled tasks. Conficker also creates scheduled tasks and uses them to spread. You may find that lots exist on your machines, such as AT1, AT2, AT3; if you check the properties of each one you will find that they point to files such as hjskja.dll, xldddd.dll and other weirdly named files. You could use a script to remove such tasks from your machines. See Delete scheduled task via script.
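As an added example (not a script from the original post), the following PowerShell lists the AT-style scheduled tasks described above, reporting any task named AT<n> whose command runs rundll32 on a DLL, and deletes them only when run with -Delete. It assumes schtasks.exe is available; the task names and DLL names it looks for are illustrative patterns, not indicators from a specific infection.

```powershell
# Added example (not from the original post): find Conficker-style AT<n>
# scheduled tasks that run rundll32 with an oddly named DLL, then optionally
# delete them. Assumes schtasks.exe; patterns below are illustrative.
param(
    [switch]$Delete   # without -Delete the script only reports
)

# "schtasks /query /fo csv /v" prints a header row followed by one row per
# task. On systems with several task folders the header row is repeated;
# drop those repeats so they are not treated as tasks.
$rows = schtasks /query /fo csv /v | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' }

$suspicious = foreach ($t in $rows) {
    $name = $t.TaskName -replace '^\\', ''   # Vista+ prefixes names with "\"
    $cmd  = $t.'Task To Run'
    # Conficker's tasks are named AT1, AT2, ... and invoke rundll32.exe on a
    # DLL with a random name (e.g. hjskja.dll). -match is case-insensitive.
    if ($name -match '^AT\d+$' -and $cmd -match 'rundll32(\.exe)?\s+.*\.dll') {
        New-Object PSObject -Property @{ TaskName = $name; Command = $cmd }
    }
}

if (-not $suspicious) {
    Write-Output 'No AT<n> tasks running rundll32 with a DLL were found.'
    return
}

# Report first so the administrator can review what would be removed.
$suspicious | Format-Table TaskName, Command -AutoSize

foreach ($s in $suspicious) {
    if ($Delete) {
        schtasks /delete /tn $s.TaskName /f | Out-Null
        Write-Output "Deleted task $($s.TaskName)"
    } else {
        Write-Output "Would delete task $($s.TaskName) (re-run with -Delete)"
    }
}
```

Run it without -Delete on a known-clean machine first to confirm that no legitimate AT jobs match the pattern, since any task created with the AT command also gets an AT<n> name.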

Make sure you don’t have any easy to guess usernames and passwords on your network.

Ensure all your machines have AV installed. If you use Sophos AntiVirus and wish to automate its deployment, see Deploy Sophos AntiVirus via script. (Check that machines with AV installed are updating and reporting no errors.)

Run scans on your servers and ensure that they are patched with the latest Windows security and critical updates.

Bear in mind that Conficker removes System Restore points on the machines it infects, so you cannot rely on System Restore to recover them. To disable System Restore via Group Policy, see Disable System Restore via Group Policy.

F-Secure have created a list of blacklisted domains that the virus uses, which you may want to block – click here.

Once you have locked down your network, download the Sophos Removal Tool and deploy it via Group Policy – see Sophos Removal Tool. (This tool can also be used on machines without Sophos AV.)

The standalone version of the Sophos Removal Tool for Conficker can be found at Stand alone Conficker Removal Tool. (This tool can also be used on machines without Sophos AV.)

Finally, deploy http://support.microsoft.com/kb/891716

Note: test before applying to a live environment.

It’s not an easy process, and it will take time before Conficker is totally removed.

Some useful links below:

McAfee
MSDN