How to Stop and Remove Conficker

What is Conficker?

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in October 2008. The worm propagated through the Internet by exploiting a vulnerability in the network stack of Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta, and Windows Server 2008 R2 Beta.

The worm has been unusually difficult for network operators and law enforcement to counter because of its combined use of advanced malware techniques.

How to Check if you are Infected by Conficker?

Conficker.B and Conficker.C infections can be detected simply by surfing a web-page.

Conficker.A infections cannot be detected this way. Click here to check your system (for Conficker.B or Conficker.C) infection.

How to Remove Conficker?

Below are removal instruction and tools on how to remove conficker.

Removal Instructions

Microsoft: http://support.microsoft.com/kb/962007
Kaspersky: http://support.kaspersky.com/faq/?qid=208279973
BitDefender: http://www.bitdefender.com/VIRUS-1000462-en–Win32.Worm
TrendMicro: http://www.trendmicro.com/vinfo/virusencyclo/

Removal Tools

Microsoft MSRT – http://www.microsoft.com/security/malwareremove/default.mspx
F-Secure – ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
Symantec – http://www.symantec.com/business/security_response/
McAfee – http://vil.nai.com/vil/stinger/
ESET – http://download.eset.com/special/EConfickerRemover.exe
BitDefender – http://www.bdtools.net/
Kaspersky – http://data2.kaspersky-labs.com:8080/special/KidoKiller_v3.3.3.zip
TrendMicro – http://www.trendmicro.com/download/dcs.asp
Sunbelt – http://www.sunbeltsecurity.com/DownLoads.aspx

Conficker Remote Scanners

nmap - (nmap 4.85BETA5 now includes Conficker detection) http://insecure.org/
nessus – http://www.nessus.org/plugins/index.php?view=single&id=36036
eEye – http://www.eeye.com/html/downloads/other/ConfickerScanner.html

Conficker Memory Disinfector

It is hard to identify files containing Conficker, because the executables are packed and encrypted. When Conficker runs in memory, it is fully unpacked. Our memory disinfector scans the memory of every running process in the system and terminates Conficker threads without touching the process it runs in. This helps to keep the system services running.

The tool itself and the source code can be downloaded here:

conficker_mem_killer.exe – 594 K
memscan.zip – 8.4 K

Detecting Conficker Files and Registry

Despite other reports, the file names and registry keys Conficker.B and Conficker.C use are not random. They are calculated on the basis of the hostname. We have developed a tool that you can run on your system to check for Conficker’s Dlls. Unfortunately, Conficker.A really uses random names and can therefore not be found this way.

It is at a very early development stage, but usable. We would be grateful to benefit from your changes if you develop it further.

Tool and source code are here:

regnfile.exe – 599 K
conficker_names.zip

Nonficker Vaccination Tool

Conficker uses different global and local mutexes to ensure that only the most up-to-date version is run on the system. This fact can be exploited to scan for and to prevent infections.

We have developed our Nonficker Vaccination dll that can be installed as a system service and pretends to be a running Conficker by registering all mutexes from version .A, .B, and .C (and possibly .D depending which naming scheme you refer to). A setup tool to install the dll as system service is provided as well.

Removal instructions:

Open your favorite registry editor (e.g. Start->Run…->regedit.exe->ok)
Go to registry key: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSvcHost
Remove the “aaaaanonficker” from the “netsvcs” key
Remove registry key and all sibling keys: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesaaaaanonficker

Besides vaccination, the mutexes can be used to scan for local infections. We have developed a small mutex scanner that tells you if you are infected.

Both tools and source code can be downloaded here:

nonficker.zip – 547 K
nonflicker_code.zip – 64 K

More information on using Network Scanner and Intrusion Detection Signatures. (via Universitat Bonn)

Enjoyed this Posts?

Stay informed. Subscribe to our RSS Feed, Follow us on Twitter, or help us spread it to the world share it to your friends and peers.

godfrey dionela

meg nice2x bakod kagid ya more power!!!!!! thanks sa link lempyo na server ko... hehehe contact taka meg dason may mapahimo d website....

share flag

spam
offensive
disagree
off topic

Kent

@godfrey,:) glad it helps...thanks for the compliment and more power man saimo ah :D

sanjay

Hi,, its really good link. my server is full by conficker.i m trying all link by one by one. hopefully i know these are working>>>Thanks for this.

zplits

Hi, thanks for the visit. Yeah, you can try the steps here. Hope it helps. cheers!

KENN

Hi Nice guide for the conficker virus on how to remove it, thanks and I will tell my colleagues about this site. :-)

Hi KENN,Glad to hear that you're helping me promote my site to your colleagues. Thank you very much for that. Hope you find interesting stuffs here. :)

Chanaka

Your post is better than mine. This post contain every thing you should know about conficker. I'm going to put a link from my blog to this post.

James

Hi,Good article. I found Sophos' Conficker removal tool to be the best although i ran a few of them just to make sure.As long as people run these tools it should stop any serious outbreak.James

Hi, thanks for the compliment. Glad to know that it has helped you in anyway.

hyperjadulz

nice tips,thanks for sharing

Sure. My pleasure