How to fight network worm Conficker

Symptoms of network infection.

1. Network traffic volume increases when there are infected PCs in the network, because the network attack is launched from those PCs.

2. An Anti-Virus product with the Intrusion Detection System enabled reports the attack as Intrusion.Win.NETAPI.buffer-overflow.exploit.

Short description of the Net-Worm.Win32.Kido family.

1. It creates the files autorun.inf and RECYCLED\{SID<....>}\RANDOM_NAME.vmx on removable drives (sometimes also on public network shares).

2. It stores itself in the system as a DLL file with a random name, for example c:\windows\system32\zorizr.dll.

3. It registers itself as a system service with a random name, for example knqdgsm.

4. It tries to attack computers on the network via TCP port 445 or 139, exploiting the MS Windows vulnerability MS08-067.

5. It tries to connect to the following sites (we recommend configuring the network firewall to monitor connection attempts to these sites):

http://www.whatsmyipaddress.com
http://www.whatismyip.org
http://checkip.dyndns.org
http://schemas.xmlsoap.org/soap/envelope/
http://schemas.xmlsoap.org/soap/encoding/
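The two network symptoms above (an infected PC fanning out SMB connections on ports 445/139, and connections to the check-IP sites listed) can be spotted from firewall logs. The following Python script is an added example, not part of the original article or of Kaspersky's tooling; the log line format and the sample lines are constructed for illustration, and the fan-out threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Hosts the worm contacts (from the article) and the SMB ports it attacks over.
# schemas.xmlsoap.org is also used by legitimate SOAP/UPnP traffic, so a hit on
# it alone is weak evidence; the check-IP sites are the stronger indicator.
KIDO_HOSTS = {
    "www.whatsmyipaddress.com",
    "www.whatismyip.org",
    "checkip.dyndns.org",
    "schemas.xmlsoap.org",
}
SMB_PORTS = {139, 445}

# Assumed (constructed) log format: "<time> <src_ip> -> <dst>:<port> <action>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)\s+(\S+)$")

def analyse(lines, fanout_threshold=20):
    """Return {src_ip: {"hosts": set, "smb_targets": set}} for suspicious sources.

    A source is flagged if it contacts any KIDO_HOSTS entry, or if it opens SMB
    connections to at least fanout_threshold distinct destinations (the scanning
    behaviour behind symptom 1). fanout_threshold is an assumed tuning value.
    """
    per_src = defaultdict(lambda: {"hosts": set(), "smb_targets": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, src, dst, port, _action = m.groups()
        if dst.lower() in KIDO_HOSTS:
            per_src[src]["hosts"].add(dst.lower())
        if int(port) in SMB_PORTS:
            per_src[src]["smb_targets"].add(dst)
    return {
        src: info for src, info in per_src.items()
        if info["hosts"] or len(info["smb_targets"]) >= fanout_threshold
    }

# Constructed sample: one host probing 25 peers on 445 and looking up its own IP,
# plus one clean host that only talks to a single file server.
SAMPLE = [f"10:0{i % 10}:00 192.168.1.50 -> 192.168.1.{100 + i}:445 deny" for i in range(25)]
SAMPLE += ["10:05:00 192.168.1.50 -> checkip.dyndns.org:80 allow",
           "10:05:01 192.168.1.7 -> fileserver:445 allow",
           "10:05:02 192.168.1.7 -> www.example.com:80 allow"]

if __name__ == "__main__":
    for src, info in analyse(SAMPLE).items():
        print(src, sorted(info["hosts"]), len(info["smb_targets"]), "SMB targets")
```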

Methods of disinfection.

A special utility, KK.exe, should be used to remove this worm.

Warning: To prevent workstations and file servers from being infected with the worm, you are recommended to do the following:

  • Install the Microsoft patches that cover the vulnerabilities MS08-067, MS08-068 and MS09-001.
  • Make sure the password of the local administrator account is not obvious and cannot be guessed easily: the password should contain 6 characters minimum and use a mixture of uppercase and lowercase letters, numbers and non-alphanumeric characters such as punctuation marks.
  • Disable autorun of executable files from removable drives.

The utility KK.exe can be run locally on the infected PC, or remotely with the help of Kaspersky Administration Kit.

To remove the virus locally:

1. Download KK.exe into a folder on the infected PC.

2. Run the file KK.exe.

Information: When the scan is over, an active command prompt window may remain on the screen; press any key to minimize it. To make the command prompt window close automatically, run KK.exe with the parameter -y.

3. Wait until the scan is complete.

Warning: If Agnitum Outpost Firewall is installed on the computer where KK.exe is launched, the PC must be restarted once the utility has finished.

4. Perform a full scan of your computer with your Kaspersky Anti-Virus.

To remove the virus via Administration Kit:

1. Download the utility KK.exe into a folder.

2. In the Administration Kit console, create an installation package for the application KK.exe. In the installation package settings, at the Application step, select the option Make installation package for specified executable file.

Information: In the field Executable file command line (optional), specify the parameter -y so that the console window closes automatically once the utility has finished.


3. Create either a global or a group task for remote installation of the package to the designated computers and run the task.

Information: The utility KK.exe can be run on all computers in your network.

4. Once the utility has finished, scan each computer in the network with your Kaspersky Anti-Virus.

Warning: If Agnitum Outpost Firewall is installed on the computer where KK.exe is launched, the PC must be restarted once the utility has finished.

To get additional information about the utility, run KK.exe with the additional parameter -help.

Switches to manage the utility KK.exe from the command prompt:

Switch   Description
-p       scan a specified folder
-f       scan hard disks
-n       scan network disks
-r       scan removable drives
-y       end the program without pressing any key
-s       silent mode (without a black console window)
-l       write information to a log file
-v       detailed log (works only if the -l switch is also specified)
-z       restore the services:
           • Background Intelligent Transfer Service (BITS),
           • Windows Automatic Update Service (wuauserv),
           • Error Reporting Service (ERSvc/WerSvc)
-?       restore the display of hidden system files
-a       disable autorun from all drives
-help    show additional information about the utility
-m       mode to monitor threads, tasks and services

For example, to scan a flash drive and write a detailed report to the file report.txt (created in the folder where the utility KK.exe is located), use the following command:

KKiller.exe -r -y -l report.txt -v