Conficker / Kido / Downadup


The T&C network remains secure and free of infection, but not everyone is so lucky.

Here are two quick tools that will help you find out if the worm has infiltrated your systems, and help eliminate it if an infection is detected.

DETECTING THE WORM

Found via the diligent folks at the Honeynet Project.  Conficker is easy to detect from the network: on every machine it infects it patches, in memory, the hole in the Windows Server service that it came in through, and that patched service answers a specially crafted RPC request in a recognizable way.  Felix Leder and Tillmann Werner turned this into a small Python scanner (the Simple Conficker Scanner, scs) that walks a range of IP addresses and reports which hosts are infected, without installing anything on them.  The Windows build, packaged as an executable, is available here.

Note that you will need to have the Microsoft .NET framework installed in order for the python script to execute correctly.

Download it, unzip it to a temp folder, and run the executable from a command prompt with these parameters:

scs <start-ip> <end-ip> > <ip-list-file>

NOTE: As reader 2Sheds points out in the comments, the trailing part ( > <ip-list-file> ) redirects the output into a text file.  Leave it off if you just want the results on screen.

To check a single machine you need to know its LAN IP address and give it as both the start and the end IP; to sweep a whole subnet give a real range (for example 192.168.1.1 to 192.168.1.254).  Keep in mind that the scanner can only judge hosts that answer it over SMB: a machine that is switched off or firewalled simply produces no verdict, and no verdict is not the same as clean.  Assuming the machine's IP address is 192.168.1.100, the syntax looks like this:

scs 192.168.1.100 192.168.1.100

If all is well and you don't have Conficker, the output looks like this:

----------------------------------
Simple Conficker Scanner
----------------------------------
scans selected network ranges for
conficker infections
----------------------------------
Felix Leder, Tillmann Werner 2009
{leder, werner}@cs.uni-bonn.de
----------------------------------

192.168.1.100 seems to be clean.
Done

If the machine is infected, the scanner reports that instead:

192.168.1.100 seems to be infected by Conficker

Not too hard to figure out.
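To make the single-host check above useful for a whole subnet, here is an added example (my code, not part of the original post and not part of the Honeynet scanner) that expands the start/end range the way scs takes it, either runs scs (assumed to be on PATH under that name) or reads saved output, and sorts every address in the range into infected, clean or no verdict.  The sample output embedded in it is constructed from the verdict lines quoted above.  The one thing it adds to reading the output by eye is the third bucket: a host that is missing from the output did not answer, and must not be counted as clean.

```python
"""Drive the Honeynet Project's Simple Conficker Scanner (scs) over a range
and turn its per-host verdict lines into a triage list.

Added example; not the original post's code and not part of scs itself.
Assumptions: scs (scs.exe on Windows) is on PATH, takes <start-ip> <end-ip>,
and prints one "<ip> seems to be clean." / "<ip> seems to be infected by
Conficker" line per host that answered, as shown in the post.
"""
import ipaddress
import re
import subprocess
import sys
from typing import Dict, Iterable, List

# Verdict line as printed by scs: "clean" is followed by a period,
# "infected" by " by Conficker".  Banner lines never match this.
VERDICT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) seems to be (clean|infected)\b")


def ip_range(start: str, end: str) -> List[str]:
    """Expand the inclusive start..end IPv4 range that scs is given into single addresses."""
    first = int(ipaddress.IPv4Address(start))
    last = int(ipaddress.IPv4Address(end))
    if last < first:
        raise ValueError("end address precedes start address")
    return [str(ipaddress.IPv4Address(n)) for n in range(first, last + 1)]


def parse_scs_output(lines: Iterable[str]) -> Dict[str, str]:
    """Map each host that produced a verdict line to 'clean' or 'infected'.

    The banner, blank lines and the trailing 'Done' do not match the verdict
    pattern and are skipped; any other unrecognized line is skipped too rather
    than guessed at.
    """
    verdicts: Dict[str, str] = {}
    for line in lines:
        match = VERDICT_RE.match(line.strip())
        if match:
            verdicts[match.group(1)] = match.group(2)
    return verdicts


def triage(start: str, end: str, lines: Iterable[str]) -> Dict[str, List[str]]:
    """Sort every address in the scanned range into infected / clean / no_verdict.

    A host with no verdict (off, firewalled, not answering on the SMB port)
    is deliberately kept apart from the clean list.
    """
    verdicts = parse_scs_output(lines)
    result: Dict[str, List[str]] = {"infected": [], "clean": [], "no_verdict": []}
    for ip in ip_range(start, end):
        result[verdicts.get(ip, "no_verdict")].append(ip)
    return result


def run_scs(start: str, end: str) -> List[str]:
    """Run the real scanner (assumed to be on PATH as 'scs') and return its output lines."""
    proc = subprocess.run(["scs", start, end], capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


# Constructed sample of scs output for offline use: three hosts answered,
# 192.168.1.102 did not.  Modelled on the verdict lines quoted in the post.
SAMPLE_OUTPUT = """\
----------------------------------
Simple Conficker Scanner
----------------------------------
Felix Leder, Tillmann Werner 2009
----------------------------------

192.168.1.100 seems to be clean.
192.168.1.101 seems to be infected by Conficker
192.168.1.103 seems to be clean.
Done
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        start_ip, end_ip = sys.argv[1], sys.argv[2]
        output = run_scs(start_ip, end_ip)
    else:
        start_ip, end_ip = "192.168.1.100", "192.168.1.103"
        output = SAMPLE_OUTPUT.splitlines()
    for bucket, hosts in triage(start_ip, end_ip, output).items():
        print(f"{bucket:10s} {len(hosts):3d}  {' '.join(hosts)}")
```

Saved as, say, scs_triage.py (a hypothetical name), it can be run with no arguments to see the buckets for the constructed sample, or with a start and end address to run scs for real; the infected and no_verdict lists together are the hosts that still need a visit.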

REMOVING THE WORM

Use the Microsoft Windows Malicious Software Removal Tool (MSRT), which, amazingly, actually appears to work in this instance.  (See Microsoft KB 890830 for details on running it.)

Normally you would get the tool through Windows Update, but Conficker blocks name lookups from the infected machine for Windows Update and for a long list of anti-virus and security vendor domains.  Download the Malicious Software Removal Tool directly from the Microsoft Download Center here, from a clean machine if the infected one cannot reach it, and save it to a temp folder.  If you carry it over on a USB stick, remember that Conficker also spreads to removable drives via autorun.inf, so do not plug that stick into anything else until it has been checked.

Run the executable and follow the instructions.  Note that the tool is not anti-virus software and will not remove all manner of infections, just a short, specific list of the most prevalent families.  It also does not close the hole the worm came in through: once the machine is clean, install the MS08-067 update for the Server service and replace any weak administrator passwords, or it will simply be reinfected from the network.

Happy surfing.  And hey—let’s be careful out there.

Category: Web/Tech
5 Responses
  1. 2Sheds says:

    Thanks for the pointer to that detection tool, Chris.
    One small observation…in rushing out the executable in time for the big day, it looks like they’ve left an error in the stated syntax. Instead of:
    scs start-ip end-ip | ip-list-file
    as they’ve included in their “Usage” note, it should probably be:
    scs start-ip end-ip > ip-list-file
    The first command line incorrectly tries to pipe the output of scs into another command. The second command line will redirect the output into a file, which is likely what most people want.
    Or leave off everything after “end-ip”, and the results will appear on screen.

  2. Chris Taylor says:

    Thanks, I have amended the post with that information.

  3. james says:

    Hi,
    Good article. Sophos’ Conficker removal tool can detect and remove all variants of the worm/virus.
    As long as people run these tools it should stop any serious outbreak.
    James

  4. Chris Taylor says:

    That’s a much more compact and easy tool, thanks!

  5. It’s good at least that there was advance warning for the Conficker worm; I’m sure a lot of people were spared a lot of hardship because of this.