Hi All,

We’re seeing an increasing trend globally in the number of infections of the Conficker.B worm. The update released today for the MSRT will remove and clean. If you haven’t deployed MS08-067, please ensure you clean and deploy this patch as soon as possible!

Symptoms to help you determine if you are infected with Conficker

- Domain Controllers are being hammered

- Network congestion

- Sluggish client behavior

- If account lockout policy is in use, we may see some domain accounts keep locking out

- If account lockout policy is not in use, we may see the LSASS.EXE process high CPU on the domain controller (DC)

- On the infected clients, we may see the following services are disabled:

Windows Update Service
Background Intelligent Transfer Service
Windows Defender
Windows Error Reporting Services

- Users may not be able to access Microsoft website or some other antivirus software vendor’s websites from the infected clients.

- Previous saved system restore points may have been removed

How to verify if my computer is infected by Conficker.B?

- If there are recent account lockout incidents in your company environment, you should pay attentions to this worm.

- If the system is infected by Conficker.B, the virus will add a random service name to the bottom line of the netsvcs value.

We can also check the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs

Steps to help you recover

Patch and clean – on all the clients and servers and review the following information on weak passwords

· Weak Password and Lockout policy information

· Passgen is a tool that allows you to reset local passwords on large blocks of systems:
http://blogs.technet.com/steriley/archive/2008/09/29/passgen-tool-from-my-book.aspx

- Keep the antivirus software up to date and then scan the systems

- Change user passwords on infected machines  Also apply strong password policy in the domain

- Pay attention to USB drives and mapped network drives, perform full antivirus scan on those drives if possible.

- On the firewall or proxy server, block any URL requests contain a string “search?q=%d”

- Set the Automatic Updates service and Background Intelligent Transfer Service service to Automatic in domain group policy

Malware Removal

1.  The updated MSRT is now live; however you must remember that conficker breaks automatic updates, so these references will be useful should you need to undertake a  manual download.

KB890830 - The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000

KB891716 -  Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment

2. Forefront Client Security / OneCare

3. Alternative Antivirus Product from other vendors

4. Manual Cleanup - This template supplies the manual cleanup steps and a script

See these blog posts for additional resources

http://www.microsoft.com/security/portal/Entry.aspx?name=Worm%3aWin32%2fConficker.B

http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx

http://blogs.technet.com/mmpc/archive/2008/12/31/just-in-time-for-new-years.aspx

Nick.