Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Community Blog

Conficker Revisited

Created: 05 May 2009 • 6 comments
carubin's picture
+2 2 Votes
Login to vote

Today one of our sites overseas was hit by the confickr Trojan. This was unforturante considering that we had been preparing for this for months and felt that we had things under control. The site admins had not followed our advice and were thus treated to a very unpleasant Monday.

Fortunately, we had already put together a doomsday kit which I ftp'ed them as soon as I got to work and got the alert as to their problem.

The kit consisted of 4 parts:

1. The latest Symantec virus definitions in a self extracting, self installing format
2. The executable for MS08-067
3. The Microsoft Malicious Software Removal Tool from February 2009
4. A reg hack to disable the autorun.inf function (a documented Confickr attack vector)

At our shop we burned a bunch of CDs for this just in case we couldn't deliver this with NS or DS. Thank goodness we haven't had to use it.

Comments 6 CommentsJump to latest comment

Tejas Shah's picture

Can you get the the script to disable Autorum (autorun.inf )

Login to vote
wilson etorma's picture

i tried it to one of our clients a few weeks back, its very useful. I suggest this steps above and i know it will work on their environment as well... Thank you

Login to vote
Nel Ramos's picture

Good preparation.
at least you have a backup if the admins would not follow your suggestions.
I like the way you treat the issue.

like what tejas said.
may we request for the script to disable autorun.inf.
many thanks.

Nel Ramos

Login to vote
shaun_b's picture

Nice script. We've been doing similiar methodologies with some of our clients. We also combine some GPO scripts (where applicable) do disable autorun and also to delete the remnants of the autorun jobs that conficker creates. I've also found through numerous trial and error scenarios, that the MSRT package seems to do the best job of completely removing most of the remnants and traces of conficker.

Login to vote's picture

can you please elaborate more on MSRT package,

Thanks in advance . . .

Login to vote
shaun_b's picture

from microsoft:

Login to vote