Conficker.X is a nasty little worm.  I will not go into the details of what it does.  You can read more about it here.

Here are some steps you can take to clean this worm from your network once it is infected.

  1. The first thing to do is protect your servers and workstations with antivirus software, if they are not protected already.
  2. Set up Wireshark on a switch with port mirroring on the network(s) you know to be infected.  Use the following capture filter, which will only capture SMB traffic:

         tcp port 445

     Next, apply the following display filter:

         smb.cmd == 0xa2 and smb.file contains "\\System32\\"

     This filter basically only displays failed attempts to map a share.  Successful hits will look like this:



  3. Scan the infected network with a Conficker network scanner.  I used this one: scs2.exe, the Simple Conficker Scanner.  McAfee also makes a tool to scan a network and detect the worm.
  4. DO NOT log in to an infected PC with Domain Admin rights.  Log in locally if at all possible.
  5. The following Microsoft patch should also be applied to infected PCs or servers: KB958644.
  6. Running the latest Microsoft Windows Malicious Software Removal Tool will clean the system.  Keep in mind this will only clean the system but NOT protect it from getting infected again.  You will need to install antivirus software.

If you find your network infected by this worm, I hope this information helps you out.
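
The filters from step 2 can also be run from the command line and summarised per source host, which shows which machines to check first in steps 3 to 6. This is an added example, not part of the original post; it assumes tshark (Wireshark's command-line tool) is installed, and the function names, script options and sample addresses are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: rank hosts by hits on the display filter from step 2.
# Assumes tshark (Wireshark's command-line tool) is installed.

CAPTURE_FILTER='tcp port 445'
DISPLAY_FILTER='smb.cmd == 0xa2 and smb.file contains "\\System32\\"'

# Print source IP, destination IP and file name (tab-separated) per match.
# $1 = interface on the mirror port, $2 = seconds to capture before stopping.
capture_hits() {
    tshark -l -i "$1" -a "duration:$2" -f "$CAPTURE_FILTER" \
        -Y "$DISPLAY_FILTER" -T fields -e ip.src -e ip.dst -e smb.file
}

# Same fields from a capture already saved by Wireshark. $1 = capture file.
read_hits() {
    tshark -r "$1" -Y "$DISPLAY_FILTER" -T fields -e ip.src -e ip.dst -e smb.file
}

# stdin: hit lines. stdout: source, hit count, distinct targets; widest first.
rank_sources() {
    awk -F '\t' '
        NF >= 2 && $1 != "" {
            hits[$1]++
            if (!(($1, $2) in seen)) { seen[$1, $2] = 1; targets[$1]++ }
        }
        END { for (s in hits) printf "%s\t%d\t%d\n", s, hits[s], targets[s] }
    ' | sort -t "$(printf '\t')" -k3,3nr -k2,2nr -k1,1
}

# Constructed sample lines (not real traffic) in the format printed above.
sample_hits() {
    printf '%s\t%s\t%s\n' \
        10.0.0.23 10.0.0.5 '\System32\constructed-a.tmp' \
        10.0.0.23 10.0.0.6 '\System32\constructed-b.tmp' \
        10.0.0.41 10.0.0.5 '\System32\constructed-c.tmp' \
        10.0.0.23 10.0.0.7 '\System32\constructed-d.tmp' \
        10.0.0.23 10.0.0.5 '\System32\constructed-e.tmp'
}

case "${1:-}" in
    --live) capture_hits "$2" "${3:-300}" | rank_sources ;;
    --read) read_hits "$2" | rank_sources ;;
    --demo) sample_hits | rank_sources ;;
esac
```

Run it with `--read` and a saved capture file, `--live` and an interface name (plus an optional duration in seconds), or `--demo` to see the output format on the constructed sample.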