The Australian National University
ANU IT Security Site

Conficker worm

Description

The Conficker worm infects Windows computers and spreads in one of three ways: by exploiting a known vulnerability that allows remote code execution, through file shares, and by copying itself to removable storage devices. We've seen a number of infected machines on the ANU network.

Protection

There are several things that can be done to lower the risk of infection:

Removal

Sophos have released a Conficker cleanup tool for Windows 2000 and higher. [Update: a new version has been released (16/4/2009)]

Instructions for use on standalone computers

On an UNINFECTED computer with network access and the ability to burn a CD or DVD:

  1. Download the Cleanup tool and double-click to extract the contents.
  2. Open the folder to which you saved the files, right-click the SSCT.vbs file and click Edit to change the configuration as follows:
    • CopyFiles=0
    • Reboot=1
    • PromptBeforeReboot=1
    • AdminCheck=1
  3. Write the folder to CD or DVD.
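
A pre-burn check for step 2, added here as an example and not part of the Sophos tool or of the original instructions: it confirms the four settings in the edited SSCT.vbs before the folder is written to disc. It assumes each setting appears as a VBScript assignment at the start of a line (for example `CopyFiles = 0`); the function names and the sample text are constructed for illustration.

```python
import re
import sys

# Values the standalone instructions require in SSCT.vbs.
REQUIRED = {"CopyFiles": "0", "Reboot": "1",
            "PromptBeforeReboot": "1", "AdminCheck": "1"}

# Assumption: each setting is a VBScript assignment at the start of a line,
# e.g. `CopyFiles = 0`, optionally followed by a ' comment.
ASSIGN = re.compile(r"^\s*(?:Const\s+)?(\w+)\s*=\s*([^'\s]+)", re.IGNORECASE)

def decode_script(raw):
    """Editors may save the file as UTF-16 or UTF-8 with a BOM; handle both."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def check_config(text):
    """Return a list of problems; an empty list means the settings match."""
    names = {n.lower(): n for n in REQUIRED}    # VBScript is case-insensitive
    found = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("'"):
            continue                            # whole-line comment, not a setting
        m = ASSIGN.match(line)
        if m and m.group(1).lower() in names:
            found.setdefault(names[m.group(1).lower()], []).append((lineno, m.group(2)))
    problems = []
    for name, want in REQUIRED.items():
        if name not in found:
            problems.append(f"{name}: no assignment found (want {want})")
        for lineno, value in found.get(name, []):
            if value != want:
                problems.append(f"{name}: line {lineno} sets {value} (want {want})")
    return problems

# Constructed sample, not the real SSCT.vbs: Reboot is wrong and AdminCheck
# is commented out, so it never takes effect.
SAMPLE = ("' settings\r\nCopyFiles = 0\r\nreboot=0 ' no restart\r\n"
          "PromptBeforeReboot = 1\r\n'AdminCheck = 1\r\n")

if __name__ == "__main__":
    from_file = len(sys.argv) > 1
    if from_file:
        with open(sys.argv[1], "rb") as fh:
            text = decode_script(fh.read())
    else:
        text = SAMPLE
    issues = check_config(text)
    print("\n".join(issues) or "SSCT.vbs settings match the standalone instructions")
    sys.exit(1 if issues and from_file else 0)
```

Run it with the path to the edited SSCT.vbs as the only argument; a non-zero exit status means a setting needs correcting before the disc is written.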

On the INFECTED computer, removed from the network:

  1. Insert the CD/DVD, open the CD folder and double-click the SSCT.vbs file to start the scan.
  2. When the scan completes, it will prompt the user to save work before rebooting. When the computer restarts, the tool will delete the infected files.
  3. Once the reboot is complete remove the CD/DVD. The disk can then be used on other computers.
  4. Ensure the computer is now patched and protected with antivirus, as described above.

Removal via Group Policy

Instructions are available for using the script as part of AD Group Policy. Please contact IT.Security@anu.edu.au for details. If computers have been removed from the network please follow directions for standalone computers, as above.