Virus alert about the Win32/Conficker worm

• Account lockout policies are being tripped.
• Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
• Domain controllers respond slowly to client requests.
• The network is congested.
• Various security-related Web sites cannot be accessed.
• Various security-related tools will not run. For a list of known tools, visit the following Microsoft Web page, and then click the Analysis tab for information about Win32/Conficker.D. For more information, visit the following Microsoft Web page:
  
  http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.D

• Exploitation of the vulnerability that is patched by security update 958644 (MS08-067)
• The use of network shares
• The use of AutoPlay functionality

• Use strong administrator passwords that are unique for all computers.
• Do not log on to computers by using Domain Admin credentials or credentials that have access to all computers.
• Make sure all systems have the latest security updates applied.
• Disable the Autoplay features. For more information, see step 3 of the "Create a Group Policy object" section.
• Remove excessive rights to shares. This includes removing write permissions to the root of any share.

Stop Win32/Conficker from spreading by using Group Policy settings

• Important Make sure that you document any current settings before you make any of the changes that are suggested in this article.
• This procedure does not remove the Conficker malware from the system. This procedure only stops the spread of the malware. You should use an antivirus product to remove the Conficker malware from the system. Or, follow the steps in the "Manual steps to remove the Win32/Conficker virus" section of this Knowledge Base article to manually remove the malware from the system.
  
  
  
  
  
  
  
• You may be unable to correctly install applications, service packs, or other updates while the permission changes that are recommended in the following steps are in place. This includes, but is not limited to, applying updates by using Windows Update, Microsoft Windows Server Update Services (WSUS) server, and System Center Configuration Manager (Configuration Manager 2007), as these products rely on components of Automatic Updates. Make sure that you change the permissions back to default settings after you clean the system.
• For information about the default permissions for the SVCHOST registry key and the Tasks Folder that are mentioned in the "Create a Group Policy object" section, see the Default permissions table at the end of this article.
  

Create a Group Policy object

1. Set the policy to remove write permissions to the following registry subkey:
   
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
   
   This prevents the randomly named malware service from being created in the netsvcs registry value.
   
   To do this, follow these steps:
   
   1. Open the Group Policy Management Console (GPMC).
   2. Create a new GPO. Give it any name that you want.
   3. Open the new GPO, and then move to the following folder:
      
      Computer Configuration\Windows Settings\Security Settings\Registry
   4. Right-click Registry, and then click Add Key.
   5. In the Select Registry Key dialog box, expand Machine, and then move to the following folder:
      
      Software\Microsoft\Windows NT\CurrentVersion\Svchost
   6. Click OK.
   7. In the dialog box that opens, click to clear the Full Control check box for both Administrators and System.
   8. Click OK.
   9. In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions.
   10. Click OK.
2. Set the policy to remove write permissions to the %windir%\Tasks folder. This prevents the Conficker malware from creating the Scheduled Tasks that can reinfect the system.
   
   To do this, follow these steps:
   
   1. In the same GPO that you created earlier, move to the following folder:
      
      Computer Configuration\Windows Settings\Security Settings\File System
   2. Right-click File System, and then click Add File.
   3. In the Add a file or folder dialog box, browse to the %windir%\Tasks folder. Make sure that Tasks is highlighted and listed in the Folder dialog box.
   4. Click OK.
   5. In the dialog box that opens, click to clear the check boxes for Full Control, Modify, and Write for both Administrators and System.
   6. Click OK.
   7. In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions.
   8. Click OK.
3. Set AutoPlay (Autorun) features to disabled. This keeps the Conficker malware from spreading by using the AutoPlay features that are built into Windows.
   
   
   NoteDepending on the version of Windows that you are using, there are different updates that you must have installed to correctly disable the Autorun functionality:
   
   
   • To disable the Autorun functionality in Windows Vista or in Windows Server 2008, you must have security update 950582 installed (described in security bulletin MS08-038).
   • To disable the Autorun functionality in Windows XP, in Windows Server 2003, or in Windows 2000, you must have security update 950582, update 967715, or update 953252 installed.
   
   
   To set AutoPlay (Autorun) features to disabled, follow these steps:
   
   1. In the same GPO that you created earlier, move to one of the following folders:
      
      • For a Windows Server 2003 domain, move to the following folder:
        
        Computer Configuration\Administrative Templates\System
      • For a Windows 2008 domain, move to the following folder:
        
        Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies
   2. Open the Turn off Autoplay policy.
   3. In the Turn off Autoplay dialog box, click Enabled.
   4. In the drop-down menu, click All drives.
   5. Click OK.
4. Close the Group Policy Management Console.
5. Link the newly created GPO to the location that you want it to apply to.
6. Allow for enough time for Group Policy settings to update to all computers. Generally, Group Policy replication takes five minutes to replicate to each domain controller, and then 90 minutes to replicate to the rest of the systems. A couple hours should be enough. However, more time may be required, depending on the environment.
7. After the Group Policy settings have propagated, clean the systems of malware.
   
   To do this, follow these steps:
   
   1. Run full antivirus scans on all computers.
   2. If your antivirus software does not detect Conficker, you can use the Microsoft Safety Scanner to clean the malware. For more information, visit the following Microsoft Web page: http://www.microsoft.com/security/scanner/Note You may have to follow some manual steps to clean up all the effects of the malware. We recommend that you review the steps that are listed in the "Manual steps to remove the Win32/Conficker virus" section of this article to clean up all the effects of the malware.

Run the Microsoft Safety Scanner.

Manual steps to remove the Win32/Conficker virus

• These manual steps are not required any longer and should only be used if you have no antivirus software to remove the Conficker virus.
• Depending on the Win32/Conficker variant that the computer is infected with, some of these values referred to in this section may not have been changed by the virus.

1. Log on to the system by using a local account.
   
   
   Important Do not log on to the system by using a Domain account, if it is possible. Especially, do not log on by using a Domain Admin account. The malware impersonates the logged on user and accesses network resources by using the logged on user credentials. This behavior allows for the malware to spread.
2. Stop the Server service. This removes the Admin shares from the system so that the malware cannot spread by using this method.
   
   
   Note The Server service should only be disabled temporarily while you clean up the malware in your environment. This is especially true on production servers because this step will affect network resource availability. As soon as the environment is cleaned up, the Server service can be re-enabled.
   
   
   To stop the Server service, use the Services Microsoft Management Console (MMC). To do this, follow these steps:
   
   1. Depending on your system, do the following:
      
      • In Windows Vista and Windows Server 2008, click Start, type services.msc in the Start Search box, and then click services.msc in the Programs list.
      • In Windows 2000, Windows XP, and Windows Server 2003, click Start, click Run, type services.msc, and then click OK.
   2. Double-click Server.
   3. Click Stop.
   4. Select Disabled in the Startup type box.
   5. Click Apply.
3. Remove all AT-created scheduled tasks. To do this, type AT /Delete /Yes at a command prompt.
4. Stop the Task Scheduler service.
   
   • To stop the Task Scheduler service in Windows 2000, Windows XP, and Windows Server 2003, use the Services Microsoft Management Console (MMC) or the SC.exe utility.
   • To stop the Task Scheduler service in Windows Vista or in Windows Server 2008, follow these steps.
     
     ImportantThis section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
     
     322756 How to back up and restore the registry in Windows
     1. Click Start, type regedit in the Start Search box, and then click regedit.exe in the Programs list.
     2. Locate and then click the following registry subkey:
        
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
        
     3. In the details pane, right-click the Start DWORD entry, and then click Modify.
     4. In the Value data box, type 4, and then click OK.
     5. Exit Registry Editor, and then restart the computer.
        
        
        
        Note The Task Scheduler service should only be disabled temporarily while you clean up the malware in your environment. This is especially true on Windows Vista and Windows Server 2008 because this step will affect various built-in Scheduled Tasks. As soon as the environment is cleaned up, re-enable the Server service.
        
5. Download and manually install security update 958644 (MS08-067). For more information, visit the following Microsoft Web site:
   
   http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
   Note This site may be blocked because of the malware infection. In this scenario, you must download the update from an uninfected computer, and then transfer the update file to the infected system. We recommend that you burn the update to a CD because the burned CD is not writable. Therefore, it cannot be infected. If a recordable CD drive is not available, a removable USB memory drive may be the only way to copy the update to the infected system. If you use a removable drive, be aware that the malware can infect the drive with an Autorun.inf file. After you copy the update to the removable drive, make sure that you change the drive to read-only mode, if the option is available for your device. If read-only mode is available, it is typically enabled by using a physical switch on the device. Then, after you copy the update file to the infected computer, check the removable drive to see whether an Autorun.inf file was written to the drive. If it was, rename the Autorun.inf file to something like Autorun.bad so that it cannot run when the removable drive is connected to a computer.
6. Reset any Local Admin and Domain Admin passwords to use a new strong password. For more information, visit the following Microsoft Web site:
   
   http://technet.microsoft.com/en-us/library/cc875814.aspx
7. In Registry Editor, locate and then click the following registry subkey:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
   
8. In the details pane, right-click the netsvcs entry, and then click Modify.
9. If the computer is infected with the Win32/Conficker virus, a random service name will be listed.
   
   
   Note With Win32/Conficker.B, the service name was random letters and was at the bottom of the list. With later variants, the service name may be anywhere in the list and may seem to be more legitimate. If the random service name is not at the bottom, compare your system with the "Services table" in this procedure to determine which service name may have been added by Win32/Conficker. To verify, compare the list in the "Services table" with a similar system that is known not to be infected.
   
   
   Note the name of the malware service. You will need this information later in this procedure.
10. Delete the line that contains the reference to the malware service. Make sure that you leave a blank line feed under the last legitimate entry that is listed, and then click OK.
    
    
    
    Notes about the Services table
    • All the entries in the Services table are valid entries, except for the items that are highlighted in bold.
    • The items that are highlighted in bold are examples of what the Win32/Conficker virus may add to the netsvcs value in the SVCHOST registry key.
    • This may not be a complete list of services, depending on what is installed on the system.
    • The Services table is from a default installation of Windows.
    • The entry that the Win32/Conficker virus adds to the list is an obfuscation technique. The highlighted, malicious entry that is supposed to resemble the first letter is a lowercase "L." However, it is actually an uppercase "I." Because of the font that is used by the operating system, the uppercase "I" seems to be a lowercase "L."

    Services table

    Windows Server 2008	Windows Vista	Windows Server 2003	Windows XP	Windows 2000
    AeLookupSvc	AeLookupSvc	AppMgmt	6to4	EventSystem
    wercplsupport	wercplsupport	AudioSrv	AppMgmt	Ias
    Themes	Themes	Browser	AudioSrv	Iprip
    CertPropSvc	CertPropSvc	CryptSvc	Browser	Irmon
    SCPolicySvc	SCPolicySvc	DMServer	CryptSvc	Netman
    lanmanserver	lanmanserver	EventSystem	DMServer	Nwsapagent
    gpsvc	gpsvc	HidServ	DHCP	Rasauto
    IKEEXT	IKEEXT	Ias	ERSvc	Iaslogon
    AudioSrv	AudioSrv	Iprip	EventSystem	Rasman
    FastUserSwitchingCompatibility	FastUserSwitchingCompatibility	Irmon	FastUserSwitchingCompatibility	Remoteaccess
    Ias	Ias	LanmanServer	HidServ	SENS
    Irmon	Irmon	LanmanWorkstation	Ias	Sharedaccess
    Nla	Nla	Messenger	Iprip	Ntmssvc
    Ntmssvc	Ntmssvc	Netman	Irmon	wzcsvc
    NWCWorkstation	NWCWorkstation	Nla	LanmanServer
    Nwsapagent	Nwsapagent	Ntmssvc	LanmanWorkstation
    Rasauto	Rasauto	NWCWorkstation	Messenger
    Rasman	Rasman	Nwsapagent	Netman
    Iaslogon	Iaslogon	Iaslogon	Iaslogon
    Remoteaccess	Remoteaccess	Rasauto	Nla
    SENS	SENS	Rasman	Ntmssvc
    Sharedaccess	Sharedaccess	Remoteaccess	NWCWorkstation
    SRService	SRService	Sacsvr	Nwsapagent
    Tapisrv	Tapisrv	Schedule	Rasauto
    Wmi	Wmi	Seclogon	Rasman
    WmdmPmSp	WmdmPmSp	SENS	Remoteaccess
    TermService	TermService	Sharedaccess	Schedule
    wuauserv	wuauserv	Themes	Seclogon
    BITS	BITS	TrkWks	SENS
    ShellHWDetection	ShellHWDetection	TrkSvr	Sharedaccess
    LogonHours	LogonHours	W32Time	SRService
    PCAudit	PCAudit	WZCSVC	Tapisrv
    helpsvc	helpsvc	Wmi	Themes
    uploadmgr	uploadmgr	WmdmPmSp	TrkWks
    iphlpsvc	iphlpsvc	winmgmt	W32Time
    seclogon	seclogon	wuauserv	WZCSVC
    AppInfo	AppInfo	BITS	Wmi
    msiscsi	msiscsi	ShellHWDetection	WmdmPmSp
    MMCSS	MMCSS	uploadmgr	winmgmt
    browser	ProfSvc	WmdmPmSN	TermService
    winmgmt	EapHost	xmlprov	wuauserv
    SessionEnv	winmgmt	AeLookupSvc	BITS
    ProfSvc	schedule	helpsvc	ShellHWDetection
    EapHost	SessionEnv		helpsvc
    hkmsvc	browser		xmlprov
    schedule	hkmsvc		wscsvc
    AppMgmt	AppMgmt		WmdmPmSN
    sacsvr			hkmsvc

11. In a previous procedure, you noted the name of the malware service. In our example, the name of the malware entry was "Iaslogon." Using this information, follow these steps:
    
    1. In Registry Editor, locate and then click the following registry subkey, where BadServiceName is the name of the malware service:
       
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BadServiceName
       For example, locate and then click the following registry subkey:
       
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iaslogon
    2. Right-click the subkey in the navigation pane for the malware service name, and then click Permissions.
    3. In the Permissions Entry for SvcHost dialog box, click Advanced.
    4. In the Advanced Security Settings dialog box, click to select both of the following check boxes:
       
       Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here.
       
       Replace permission entries on all child objects with entries shown here that apply to child objects.
12. Press F5 to update Registry Editor. In the details pane, you can now see and edit the malware DLL that loads as "ServiceDll." To do this, follow these steps:
    
    1. Double-click the ServiceDll entry.
    2. Note the path of the referenced DLL. You will need this information later in this procedure. For example, the path of the referenced DLL may resemble the following:
       

        %SystemRoot%\System32\doieuln.dll 

       Rename the reference to resemble the following:
       

        %SystemRoot%\System32\doieuln.old 

    3. Click OK.
13. Remove the malware service entry from the Run subkey in the registry.
    
    1. In Registry Editor, locate and then click the following registry subkeys:
       
       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    2. In both subkeys, locate any entry that begins with "rundll32.exe" and also references the malware DLL that loads as "ServiceDll" that you identified in step 12b. Delete the entry.
    3. Exit Registry Editor, and then restart the computer.
14. Check for Autorun.inf files on any drives on the system. Use Notepad to open each file, and then verify that it is a valid Autorun.inf file. The following is an example of a typical valid Autorun.inf file.
    

    [autorun]
    shellexecute=Servers\splash.hta *DVD*
    icon=Servers\autorun.ico
    

    A valid Autorun.inf is typically 1 to 2 kilobytes (KB).
15. Delete any Autorun.inf files that do not seem to be valid.
16. Restart the computer.
17. Make hidden files visible. To do this, type the following command at a command prompt:
    
    reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 0x1 /f
18. Set Show hidden files and folders so that you can see the file. To do this, follow these steps:
    
    1. In step 12b, you noted the path of the referenced .dll file for the malware. For example, you noted a path that resembles the following:
       
       %systemroot%\System32\doieuln.dll
       In Windows Explorer, open the %systemroot%\System32 directory or the directory that contains the malware.
    2. Click Tools, and then click Folder Options.
    3. Click the View tab.
    4. Select the Show hidden files and folders check box.
    5. Click OK.
19. Select the .dll file.
20. Edit the permissions on the file to add Full Control for Everyone. To do this, follow these steps:
    
    1. Right-click the .dll file, and then click Properties.
    2. Click the Security tab.
    3. Click Everyone, and then click to select the Full Control check box in the Allow column.
    4. Click OK.
21. Delete the referenced .dll file for the malware. For example, delete the %systemroot%\System32\doieuln.dll file.
22. Enable the BITS, Automatic Updates, Error Reporting, and Windows Defender services by using the Services Microsoft Management Console (MMC).
23. Turn off Autorun to help reduce the effect of any reinfection. To do this, follow these steps:
    
    1. Depending on your system, install one of the following updates:
       
       • If you are running Windows 2000, Windows XP, or Windows Server 2003, install update 967715.
         For more information, click the following article number to view the article in the Microsoft Knowledge Base:
         
         
         967715 How to disable the Autorun functionality in Windows
         
         
       • If you are running Windows Vista or Windows Server 2008, install security update 950582.
         For more information, click the following article number to view the article in the Microsoft Knowledge Base:
         
         950582 MS08-038: Vulnerability in Windows Explorer could allow remote code execution
         
       Note Update 967715 and security update 950582 are not related to this malware issue. These updates must be installed to enable the registry function in step 23b.
    2. Type the following command at a command prompt:
       
       reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
       
24. If the system is running Windows Defender, re-enable the Windows Defender autostart location. To do this, type the following command at the command prompt:
    
    reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe –hide" /f
25. For Windows Vista and later operating systems, the malware changes the global setting for TCP Receive Window Autotuning to disabled. To change this setting back, type the following command at a command prompt:
    
    netsh interface tcp set global autotuning=normal

• One of the autostart locations was not removed. For example, either the AT job was not removed or an Autorun.inf file was not removed.
• The security update for MS08-067 was installed incorrectly.

Verify that the system is clean

• Automatic Updates (wuauserv)
• Background Intelligent Transfer Service (BITS)
• Windows Defender (windefend) (if applicable)
• Windows Error Reporting Service

1. In Registry Editor, locate and then click the following registry subkey:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
   
2. In the details pane, double-click netsvcs, and then review the service names that are listed. Scroll down to the bottom of the list. If the computer is reinfected with Conficker, a random service name will be listed. For example, in this procedure, the name of the malware service is "Iaslogon."

After the environment is fully cleaned

1. Re-enable the Server service and the Task Scheduler service.
2. Restore the default permissions on the SVCHOST registry key and the Tasks folder. This should be reverted to the default settings by using Group Policy settings. If a policy is only removed, the default permissions may not be changed back. See the table of default permissions in the "Mitigation steps" section for more information.
   
   
3. Update the computer by installing any missing security updates. To do this, use Windows Update, Microsoft Windows Server Update Services (WSUS) server, Systems Management Server (SMS), System Center Configuration Manager (Configuration Manager 2007), or your third-party update management product. If you use SMS or Configuration Manager 2007, you must first re-enable the Server service. Otherwise, SMS or Configuration Manager 2007 may be unable to update the system.