Removal - Conficker

http://www.dshield.org/diary.html?storyid=5860

Removal Instructions

Microsoft: http://support.microsoft.com/kb/962007
Kaspersky: http://support.kaspersky.com/faq/
BitDefender: http://www.bitdefender.com/VIRUS-1000462-en--Win32.Worm.Downadup.Gen.html
TrendMicro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp

To be able to reach anti-virus vendors, SANS, Microsoft and other sites from a machine infected with Conficker.C, TrendMicro suggests running "net stop dnscache" from the command line.

Sophos: http://www.sophos.com/support/knowledgebase/article/51416.html

Removal Tools

Microsoft MSRT: http://www.microsoft.com/security/malwareremove/default.mspx
F-Secure: ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
AhnLab: http://global.ahnlab.com/global/file_removeal_down.jsp?filename=12371830475821&down_filename=v3conficker.zip
Symantec: http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99
McAfee: http://vil.nai.com/vil/stinger/
ESET: http://download.eset.com/special/EConfickerRemover.exe
BitDefender: http://www.bdtools.net/
Kaspersky: http://data2.kaspersky-labs.com:8080/special/KidoKiller_v3.3.3.zip
TrendMicro: https://securecloud.com/support/sysclean
Sophos: https://secure.sophos.com/products/free-tools/conficker-removal-tool-network/download (registration required)

Conficker Remote Scanners

nmap: Nmap 4.85BETA5 now includes Conficker detection http://insecure.org/
Nessus http://www.nessus.org/plugins/index.php?view=single&id=36036
McAfee http://www.mcafee.com/us/enterprise/confickertest.html

Conficker Cabal Information

ShadowServer http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090212 (very good explanation of the importance of this group)
Arbor networks http://asert.arbornetworks.com/2009/02/the-conficker-cabal-announced/
ICANN http://www.icann.org/en/announcements/announcement-2-12feb09-en.htm
Symantec https://forums.symantec.com/t5/Malicious-Code/Coalition-Formed-in-Response-to-W32-Downadup/ba-p/388129

General Information

Microsoft End user/Consumer page
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
IT Security/Professional Page
http://technet.microsoft.com/en-us/security/dd452420.aspx
Centralized information about Conficker
http://blogs.technet.com/mmpc/archive/2009/01/22/centralized-information-about-the-conficker-worm.aspx
SecureWorks http://www.secureworks.com/research/threats/downadup-removal/

Research (technical)

SRI http://mtc.sri.com/Conficker
MNIN Security Blog http://mnin.blogspot.com/2009/01/downatool-for-downadupbconflickerb.html
This is an awesome tool that generates the domains and IPs to scan, using the reversed domain-generation algorithms from Conficker.
ThreatExpert Blog http://blog.threatexpert.com/2009/01/confickerdownadup-memory-injection.html
CERT.at http://www.cert.at/static/conficker/TR_Conficker_Detection.pdf
Great paper that covers setting up your local DNS server to mitigate/alert on infections.
Sample zonefiles can be downloaded here: http://www.cert.at/english/downloads/downloads.html
CA Writeup dated 3/11/09
Screenshots of April 1st Trigger
Honeynet Project: A useful analysis and supporting tools from the Honeynet Project can be found at:
https://www.honeynet.org/files/KYE-Conficker.pdf and
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

Remove Downadup from infected computers

Downadup (or Conficker) is a network worm that takes advantage of vulnerabilities in Windows to spread. Its removal is complicated by the fact that it blocks many known antivirus products and their associated websites.

BitDefender Labs has detected a new and more aggressive Downadup version. It spreads using a Windows RPC Server Service vulnerability and is called Win32.Worm.Downadup.Gen.

The new version is more resilient to disinfection. Once the system is compromised, the worm disables Windows Update and blocks access to most anti-virus websites in order to hinder the user from disinfecting the machine.

BitDefender is the first to offer a free tool which disinfects all versions of Downadup. This domain is the first to serve a removal tool without being blocked by the e-threat.

The worm itself is not new: it made its first appearance in late November 2008, also known under the names Conficker or Kido, and exploits the vulnerability described in Microsoft security bulletin MS08-067. After successful exploitation it used to install rogue security software on the infected machine.

Download and run the tools provided below to rid your computer or network of this e-threat.

Downadup Removal Tool (Single PC Removal Tool): removes Downadup from a single PC. Download (.zip - 2.2MB)

Downadup Removal Tool for System Administrators (Network Removal Tool): removes Downadup from PCs in a Microsoft Network. Download (.exe - 13MB)