Source: ThreatPost/ZDNet
How to fight network worm Conficker
Symptoms of network infection.
1. Network traffic volume increases when there are infected PCs in the network, because the infected PCs launch the network attack against other hosts.
2. An anti-virus product with the Intrusion Detection System enabled reports the attack Intrusion.Win.NETAPI.buffer-overflow.exploit.
Short description of the Net-Worm.Win32.Kido family.
1. It creates the files autorun.inf and RECYCLED\{SID<….>}\RANDOM_NAME.vmx on removable drives (sometimes on public network shares).
2. It stores itself in the system as a DLL file with a random name, for example c:\windows\system32\zorizr.dll.
3. It registers itself as a system service with a random name, for example knqdgsm.
4. It tries to attack network computers via TCP port 445 or 139, using the MS Windows vulnerability MS08-067.
5. It tries to connect to the following sites (we recommend configuring the network firewall to monitor connection attempts to these sites):
http://www.getmyip.org
http://getmyip.co.uk
http://www.whatsmyipaddress.com
http://www.whatismyip.org
http://checkip.dyndns.org
http://schemas.xmlsoap.org/soap/envelope/
http://schemas.xmlsoap.org/soap/encoding/
http://trafficconverter.biz/4vir/antispyware/loadadv.exe
http://trafficconverter.biz
http://www.maxmind.com/download/geoip/database/GeoIP.dat.gz
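The advisory recommends watching the firewall for connection attempts to the sites above. The following script is an added example (not part of the advisory or of any Kaspersky tool): it parses proxy/firewall log lines in a constructed "timestamp source action URL" format, matches the requested host against a watchlist built from the list above, and reports which internal sources touched which sites. Note that the schemas.xmlsoap.org entries are SOAP namespace URIs that legitimate software rarely fetches, so the "what is my IP" services and trafficconverter.biz carry more weight; a source that hits two or more distinct watchlist hosts is reported as a suspect.

```python
"""Flag internal hosts whose web requests hit the Kido check-in sites.

Added example, not from the advisory. The log line layout
"<timestamp> <src_ip> <action> <url>" is an assumption; adapt LINE_RE to
the real proxy or firewall format.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Host names taken from the URL list in the advisory.
WATCHLIST = {
    "www.getmyip.org",
    "getmyip.co.uk",
    "www.whatsmyipaddress.com",
    "www.whatismyip.org",
    "checkip.dyndns.org",
    "schemas.xmlsoap.org",
    "trafficconverter.biz",
    "www.maxmind.com",
}

# Constructed log format (assumption): timestamp, source IPv4, action, URL.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<action>\S+)\s+(?P<url>\S+)$"
)

# Constructed sample log; 10.0.0.15 behaves like an infected host.
SAMPLE_LOG = """\
2009-01-20T10:01:02 10.0.0.15 ALLOW http://www.example.com/index.html
2009-01-20T10:01:05 10.0.0.15 ALLOW http://checkip.dyndns.org/
2009-01-20T10:01:06 10.0.0.15 ALLOW http://www.getmyip.org/
2009-01-20T10:02:11 10.0.0.15 DENY http://trafficconverter.biz/4vir/antispyware/loadadv.exe
2009-01-20T10:03:00 10.0.0.22 ALLOW http://schemas.xmlsoap.org/soap/envelope/
2009-01-20T10:04:00 10.0.0.31 ALLOW http://www.example.org/
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return (src_ip, host) for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = urlsplit(m.group("url")).hostname
    if host is None:
        return None
    return m.group("src"), host.lower()


def watched_host(host):
    """Return the watchlist entry that host equals or is a subdomain of, else None."""
    for w in WATCHLIST:
        if host == w or host.endswith("." + w):
            return w
    return None


def contacts_by_source(log_text):
    """Map each source IP to the set of watchlist hosts it contacted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, host = parsed
        w = watched_host(host)
        if w:
            hits[src].add(w)
    return dict(hits)


def suspect_sources(log_text, min_distinct=2):
    """Sources that touched at least min_distinct different watchlist hosts."""
    hits = contacts_by_source(log_text)
    return sorted(src for src, hosts in hits.items() if len(hosts) >= min_distinct)


if __name__ == "__main__":
    for src, hosts in sorted(contacts_by_source(SAMPLE_LOG).items()):
        print(src, sorted(hosts))
    print("suspect sources:", suspect_sources(SAMPLE_LOG))
```

Run it against an exported proxy or firewall log after adjusting LINE_RE; the per-source host sets are what an analyst would pivot on before running the removal utility on the flagged machines.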
Methods of disinfection.
The special utility KKiller.exe should be used to remove this worm.
To prevent all workstations and file servers from being infected with the worm, you are recommended to do the following:
- Make sure the password of the local administrator account is not obvious and cannot be guessed easily: the password should contain at least 6 characters and use a mixture of uppercase and lowercase letters, numbers and non-alphanumeric characters such as punctuation marks.
- Disable autorun of executable files from removable drives.
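The worm's removable-drive artefacts (autorun.inf at the drive root and RECYCLED\{SID<….>}\RANDOM_NAME.vmx) described above are easy to sweep for before a stick is plugged into a clean machine. The script below is an added example, not part of the advisory or of KKiller.exe: it inspects a drive root for those two indicators, and builds its own sample drive layout in a temporary directory so it runs offline. The SID folder name and the .vmx file name in the sample are constructed placeholders, since the advisory gives neither.

```python
"""Sweep a removable drive root for the Kido artefacts named in the advisory.

Added example, not from the advisory. Checks for autorun.inf at the root and
for a .vmx file inside RECYCLED\{...}\ (a SID-like folder). Sample data is
constructed in a temporary directory.
"""
import tempfile
from pathlib import Path


def scan_drive_root(root):
    """Return a list of (indicator, path) pairs found directly under root."""
    root = Path(root)
    findings = []
    for entry in root.iterdir():
        # Windows file names are case-insensitive, so compare lower-cased.
        if entry.is_file() and entry.name.lower() == "autorun.inf":
            findings.append(("autorun.inf", str(entry)))
        if entry.is_dir() and entry.name.lower() == "recycled":
            # The advisory gives RECYCLED\{SID<...>}\RANDOM_NAME.vmx; the SID
            # is elided there, so any "{...}" folder is treated as a match.
            for sub in entry.iterdir():
                if sub.is_dir() and sub.name.startswith("{") and sub.name.endswith("}"):
                    for f in sub.iterdir():
                        if f.is_file() and f.suffix.lower() == ".vmx":
                            findings.append(("RECYCLED vmx", str(f)))
    return findings


def build_sample_drive(infected=True):
    """Constructed sample: a temp directory laid out like a USB stick."""
    d = Path(tempfile.mkdtemp(prefix="usb_"))
    (d / "Documents").mkdir()
    (d / "Documents" / "notes.txt").write_text("harmless")
    if infected:
        # Placeholder contents and names; the real ones are not in the advisory.
        (d / "autorun.inf").write_text("[autorun]\n")
        sid_dir = d / "RECYCLED" / "{S-1-5-21-PLACEHOLDER}"
        sid_dir.mkdir(parents=True)
        (sid_dir / "random_name.vmx").write_bytes(b"\x00")
    return d


if __name__ == "__main__":
    for label, drive in (("clean", build_sample_drive(False)),
                         ("infected", build_sample_drive(True))):
        print(label, scan_drive_root(drive))
```

To check a real stick, call scan_drive_root with the drive root (for example "E:\\") instead of the constructed sample; a non-empty result is reason to run KKiller.exe with the -r switch on the machine the stick came from.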
The utility KKiller.exe can be run locally on the infected PC, or remotely with the help of Kaspersky Administration Kit.
To remove the virus locally:
1. Download the archive KKiller_v3.4.3.zip and extract its contents into a folder on the infected PC.
2. Run the file KKiller.exe.
When the scan is over, an active command prompt window may remain on the monitor; press any key to minimize it. To have the command prompt window close automatically, run KKiller.exe with the parameter -y.
3. Wait until the scan is complete.
If Agnitum Outpost Firewall is installed on the computer where KKiller.exe is run, you must restart the PC once the utility has finished.
4. Perform a full scan of your computer with your Kaspersky Anti-Virus.
To remove the virus via Administration Kit:
1. Download the archive with the utility, KKiller_v3.4.3.zip, and extract its contents into a folder.
2. In the Administration Kit console, create an installation package for the application KKiller.exe. In the installation package settings, on the Application step, select the variant Make installation package for specified executable file.
In the field Executable file command line (optional), specify the parameter -y so that the console window closes automatically once the utility has finished.

3. Create either a global or a group task for remote installation of the package to the designated computers, and run the task. The utility KKiller.exe can be run on all computers in your network.
4. Once the utility has finished, scan each computer in the network with your Kaspersky Anti-Virus.
If Agnitum Outpost Firewall is installed on a computer where KKiller.exe is run, you must restart that PC once the utility has finished.
To get additional information about the utility, run KKiller.exe with the additional parameter -help.
Switches to manage the utility KKiller.exe from the command prompt:

| Switch | Description |
| --- | --- |
| -p <Scan path> | scan a defined folder |
| -f | scan hard disks |
| -n | scan network disks |
| -r | scan removable drives |
| -y | end program without pressing any key |
| -s | silent mode (without a black window) |
| -l <file name> | write info into a log |
| -v | extended log maintenance (the switch -v works only if the -l switch is entered in the command prompt) |
| -z | restore the services |
| -? | restore display of hidden system files |
| -a | disable auto start from all drives |
| -help | show additional information about the utility |
| -m | mode to monitor threads, tasks, services |
For example, to scan a flash drive and write a detailed report into the file report.txt (which will be created in the folder where KKiller.exe is located), use the following command:
KKiller.exe -r -y -l report.txt -v