Wednesday, April 1, 2009

Uninstalling the W32.Conficker.worm

Uninstalling the Conficker worm, a.k.a. 'W32.Conficker.worm'

If you followed the previous article on removing the Conficker worm (here), there are some additional tools and utilities to help you scan for, clean and uninstall this nasty botnet worm from your computer.


In brief, Conficker does the following:
- attempts to infect other computers on the network by exploiting MS08-067, a vulnerability in the Windows Server service. This gives the worm a foothold in environments that have not finished rolling out that security update to all of their Windows computers.

- attempts to copy itself to the ADMIN$ share of the target machine, which maps to the Windows folder by default. First it tries the credentials of the currently logged-on user. If that fails, it obtains a list of user accounts on the target machine and tries to connect with each user name and a list of weak passwords (for example '1234', 'password' or 'student'). If one of those combinations works and the account has write permission, it copies itself to the ADMIN$ folder. Every failed guess counts against the account lockout policy, so an outbreak often shows up first as a wave of locked-out accounts.

- copies itself to removable media such as USB drives and other portable storage, and adds an autorun.inf file so that when the media is inserted the AutoPlay dialog shows one extra option, which runs the worm if chosen.

- makes several configuration changes so that it runs every time Windows starts: it registers itself as a service and also adds a registry value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
- stops and disables several Windows services, including Automatic Updates (wuauserv), BITS, Windows Security Center (wscsvc), Windows Defender (WinDefend) and Windows Error Reporting (ERSvc on XP, WerSvc on Vista). These have to be re-enabled after cleaning; more information is available here.

Worm:Win32/Conficker.B also attempts to terminate any process whose name suggests it is an antivirus program or other security software.
It also blocks access to the web sites of many antivirus and security vendors and to Windows Update, which is why the download links below may not work from an infected machine; fetch the tools on a clean computer and carry them over on write-protected media.
The worm takes some additional steps; Microsoft's encyclopedia entry includes more details.
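As an added example (this is not code from the original article or from any of the vendors linked below), the behaviour listed above can be turned into a read-only triage pass in PowerShell. It assumes PowerShell 2.0 or later on the host being examined, that KB958644 is the update that ships the MS08-067 fix, and the service and registry names given above; the rundll32, CompanyName and autorun.inf checks are heuristics chosen for this example, so a hit is a lead for the removal tools, not a verdict.

```powershell
# Added example, not from the original article or any vendor tool: read-only
# triage of a Windows host for the Conficker indicators described above.
# Run from an elevated PowerShell 2.0 or later. It changes nothing; hand any
# finding to the vendor removal tools.

$findings = @()

# 1. Is the MS08-067 fix installed? KB958644 is the knowledge-base article for
#    that bulletin. Get-HotFix reads the same data as Add/Remove Programs.
$ms08067 = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq 'KB958644' }
if (-not $ms08067) {
    $findings += 'MS08-067 (KB958644) is not installed: the host can still be infected over the network'
}

# 2. Services the worm stops and sets to Disabled. Short service names for
#    Automatic Updates, BITS, Security Center, Defender, Error Reporting (XP / Vista).
foreach ($name in 'wuauserv', 'BITS', 'wscsvc', 'WinDefend', 'ERSvc', 'WerSvc') {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if ($svc -and $svc.StartMode -eq 'Disabled') {
        $findings += "Service $name is disabled (state: $($svc.State))"
    }
}

# 3. Run-key persistence. The worm's Run value loads its DLL through rundll32,
#    so flag any rundll32-based entry in either hive for manual review.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "$($hive):\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # PSPath, PSParentPath, ... are not Run values
        if ("$($p.Value)" -match 'rundll32') {
            $findings += "$hive Run value '$($p.Name)' uses rundll32: $($p.Value)"
        }
    }
}

# 4. Service persistence. The worm registers a randomly named service that runs
#    inside svchost.exe in the 'netsvcs' group and points Parameters\ServiceDll
#    at its own DLL. Microsoft's netsvcs DLLs carry version information naming
#    Microsoft as the company; a DLL without it is worth a look (heuristic only,
#    a legitimate third-party service in that group would also be listed).
$svchost = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost' -ErrorAction SilentlyContinue
if ($svchost) {
    foreach ($svcName in @($svchost.netsvcs)) {
        $params = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName\Parameters" -ErrorAction SilentlyContinue
        if (-not $params -or -not $params.ServiceDll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        if (-not (Test-Path -LiteralPath $dll)) { continue }    # stale entry, nothing is loaded
        $company = (Get-Item -LiteralPath $dll -Force).VersionInfo.CompanyName
        if ($company -notmatch 'Microsoft') {
            $findings += "netsvcs service '$svcName' loads $dll (CompanyName: '$company')"
        }
    }
}

# 5. autorun.inf on removable media (WMI DriveType 2). An installer disc uses
#    open= with a setup program; an autorun.inf that launches rundll32 does not
#    belong on a plain storage device.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' -ErrorAction SilentlyContinue | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $text = (Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue) -join "`n"
        if ($text -match '(?im)^\s*(open|shellexecute)\s*=.*rundll32') {
            $findings += "$inf launches rundll32"
        } else {
            $findings += "$inf present; review it before opening the drive"
        }
    }
}

if ($findings.Count -eq 0) {
    'No Conficker indicators found (this does not prove the host is clean).'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Run it before and after cleaning: the second run should report the services in step 2 back at their normal start mode and no rundll32 Run values or unknown netsvcs DLLs. Because the worm blocks the vendor sites, run the script from media you have already copied the removal tools onto, so that a finding can be acted on straight away.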



F-Secure has a scanner utility here

Symantec has one here

Microsoft has a patch to download that fixes the vulnerability that started it all (MS08-067).
Microsoft also has some additional tools and utilities:

MS08-067
Malicious Software Removal tool
Win32/Conficker.B

Conficker worm - F-Secure free removal tools
ftp://ftp.f-secure.com/anti-virus/tools/beta/fsmrt.zip
ftp://ftp.f-secure.com/anti-virus/to...f-downadup.zip

McAfee's Stinger (very good utility)
http://vil.nai.com/vil/stinger/