Comments on: Step by Step In Dealing With Conficker

By: jvortega

jvortega — Tue, 31 Mar 2009 19:42:24 +0000

Scan the network for Conficker. http://blog.sekiur.com/2009/03/conficker-gets-rea...
http://www.dshield.org/diary.html?storyid=6097 & http://honeynet.org/node/388

By: jvortega

jvortega — Fri, 27 Mar 2009 07:20:14 +0000

That's an excellent question. Variant C does a much better job at preventing security products from removing it, thus further testing is required.
"Like Conficker B, C incorporates logic to defend itself from security products that would otherwise attempt to detect and remove it. C spawns a security product disablement thread. This thread disables critical host security services, such as Windows defender, as well as Windows services that deliver security patches and software updates. These changes effectively prevent the victim host from receiving automated software updates. The thread disables security update notifications and deactivates safeboot mode as a future reboot option. This first thread then spawns a new security process termination thread, which continually monitors for and kills processes whose names match a blacklisted set of 23 security products, hot fixes, and security diagnosis tools……" http://mtc.sri.com/Conficker/addendumC/

By: Jessie

Jessie — Tue, 24 Mar 2009 07:59:19 +0000

This scripts can remove which variants of Conficker? Including Conficker.C?

By: josh

josh — Tue, 24 Feb 2009 18:24:27 +0000

really nice script.. too bad i found it AFTER i created my own

By: jvortega

jvortega — Fri, 13 Feb 2009 00:13:36 +0000

Thanks. I appreciate your input very much.

By: GovernmentSecurity

GovernmentSecurity — Thu, 12 Feb 2009 22:59:08 +0000

Great article and some very nice detailed instructions. Promoted to our frontpage.

By: Peter Dugar

Peter Dugar — Thu, 05 Feb 2009 05:16:46 +0000

Is there any way to scan a network for the worm.