Conficker Removal with MSRT

RockyH — Wed, 14 Jan 2009 03:07:00 GMT

1. Symptoms to help you determine if you are infected

· Account lockout policies are being tripped

· Domain Controllers are being hammered

· Network congestion

· Sluggish Client Behavior

2. Steps to help you recover

Patch and clean – apply MS08-067 and review this info on weak passwords

· Weak Password and Lockout policy info

What you should know about strong passwords: http://www.microsoft.com/technet/security/readiness/content/documents/password_tips_for_administrators.doc
http://www.microsoft.com/technet/security/topics/hardsys/tcg/tcgch00.mspx

http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.asp

http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx

http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_tips.asp

Password Best Practices:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_protect.asp

Accounts Passwords and Lockout Policies:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

Account Lockout and Management Tools:

http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en

· Passgen is a tool that allows you to reset local passwords on large blocks of systems:
http://blogs.technet.com/steriley/archive/2008/09/29/passgen-tool-from-my-book.aspx

3. Malware Removal

1. MSRT - The updated MSRT will be live Tuesday 13 January; however you must remember that conficker breaks automatic updates, so we will need to also reference these KBs for manual download information and alternate enterprise deployment steps:

KB890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000

http://support.microsoft.com/kb/890830

KB891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment

http://support.microsoft.com/kb/891716

2. FCS/ OneCare

3. Competitive AV

4. Manual Cleanup - This template supplies the manual cleanup steps and a script. (in a separate post)

See these blog posts for additional resources
http://www.microsoft.com/security/portal/Entry.aspx?name=Worm%3aWin32%2fConficker.B

http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx

http://blogs.technet.com/mmpc/archive/2008/12/31/just-in-time-for-new-years.aspx

From Source to Secure : Conficker Removal

Conficker Removal with MSRT