Conficker / Kido / Downadup


The T&C network remains secure and free of infection, but not everyone is so lucky.

Here are two quick tools that will help you find out if the worm has infiltrated your systems, and help eliminate it if an infection is detected.


Found via the diligent folks at the Honeynet Project.  Conficker is very easily detected by the way it handles packets, and a simple Windows Python script can scan a range of IP addresses and determine whether or not the machines are infected.  The Windows Python script is available here.

Note that you will need to have the Microsoft .NET framework installed in order for the Python script to execute correctly.

Download it, unzip it to a temp folder, and run the executable with these parameters via the command prompt:

scs <start-ip> <end-ip> > <ip-list-file>

NOTE: As reader 2Sheds points out in the comments, only include the last bit ( > <ip-list-file> ) if you want the output redirected to a text file.  Otherwise, leave it out.

Obviously you will need to know your computer’s LAN IP address and use it as the start and end IPs.  Assuming that your computer’s IP address is, the syntax looks like this:


If all is well and you don’t have Conficker, the return will look like this:

Simple Conficker Scanner
scans selected network ranges for
conficker infections
Felix Leder, Tillmann Werner 2009
{leder, werner}
———————————- seems to be clean.

If you are infected, the return will indicate this instead:

 seems to be infected by Conficker

Not too hard to figure out.
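When a whole range is scanned and the output is redirected to a file, the results can be sorted automatically. The following Python script is an added example, not part of the original post or of the Honeynet Project tool; it assumes each verdict line starts with the scanned IPv4 address followed by the status text shown above, and the function name `triage` and the sample addresses are constructed for illustration.

```python
import ipaddress
import re

# Assumption: each verdict line is "<ipv4> seems to be clean." or
# "<ipv4> seems to be infected by Conficker"; the status wording is from the post.
VERDICT = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+seems to be (clean|infected)\b", re.I)

# Constructed sample of a redirected report (192.0.2.0/24 is a documentation range).
SAMPLE = """Simple Conficker Scanner
scans selected network ranges for
conficker infections
Felix Leder, Tillmann Werner 2009
----------------------------------
192.0.2.10 seems to be clean.
192.0.2.11 seems to be infected by Conficker
192.0.2.13 seems to be clean.
"""

def triage(report_text, start_ip, end_ip):
    """Split a report into infected, clean and no-verdict hosts for start..end."""
    start, end = ipaddress.IPv4Address(start_ip), ipaddress.IPv4Address(end_ip)
    if end < start:
        raise ValueError("end-ip is lower than start-ip")
    verdicts = {}
    for line in report_text.splitlines():
        match = VERDICT.match(line)
        if not match:
            continue  # banner, separator or blank line
        try:
            ip = ipaddress.IPv4Address(match.group(1))
        except ipaddress.AddressValueError:
            continue  # digits that do not form a valid address
        # Keep the worst verdict if a host appears more than once.
        if verdicts.get(ip) != "infected":
            verdicts[ip] = match.group(2).lower()
    in_range = (ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1))
    return {
        "infected": [str(ip) for ip in sorted(verdicts) if verdicts[ip] == "infected"],
        "clean": [str(ip) for ip in sorted(verdicts) if verdicts[ip] == "clean"],
        # Hosts in the requested range with neither verdict line in the file.
        "no_verdict": [str(ip) for ip in in_range if ip not in verdicts],
    }

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE, "192.0.2.10", "192.0.2.13").items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts listed under `no_verdict` produced neither status line in the file, so they should be rechecked rather than treated as clean.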


Use the Microsoft Windows Malicious Software Removal Tool, which, amazingly, actually appears to work in this instance.  (See Microsoft KB 890830 for additional information regarding use.)

Normally you would get the tool via Windows Updates, but the clever Conficker worm denies access to this site and many other anti-virus and security-oriented sites.  Download the Malicious Software Removal Tool directly from the Microsoft Download Center here.  Save the tool to a temp folder.

Run the executable and follow the instructions.  Note that the tool is not anti-virus software and will not remove all manner of infections—just a short, specific list of some of the most prevalent.

Happy surfing.  And hey—let’s be careful out there.

5 Responses
  1. 2Sheds says:

    Thanks for the pointer to that detection tool, Chris.
    One small observation…in rushing out the executable in time for the big day, it looks like they’ve left an error in the stated syntax. Instead of:
    scs start-ip end-ip | ip-list-file
    as they’ve included in their “Usage” note, it should probably be:
    scs start-ip end-ip > ip-list-file
    The first command line incorrectly tries to pipe the output of scs into another command. The second command line will redirect the output into a file, which is likely what most people want.
    Or leave off everything after “end-ip”, and the results will appear on screen.

  2. Chris Taylor says:

    Thanks, I have amended the post with that information.

  3. james says:

    Good article. Sophos’ Conficker removal tool can detect and remove all variants of the worm/virus.
    As long as people run these tools it should stop any serious outbreak.

  4. Chris Taylor says:

    That’s a much more compact and easy tool, thanks!

  5. It’s good at least that there was advance warning for the Conficker worm; I’m sure a lot of people were spared a lot of hardship because of this.