
Saturday, October 17, 2009

Removing Conficker/Downadup from Your Network Using Active Directory

A couple of security companies have provided some neat freeware tools for network administrators to clean up the Downadup worm within their business networks. Some examples of these tools are:
1. Kaspersky Administration kit
2. Bitdefender Network Removal Tool
3. Sophos Conficker Network Cleanup Tool

These tools provide an automated deployment and disinfection for multiple computers at once.

However, last May I was called to an enterprise client who was suffering from a Downadup outbreak. The client had approximately 4000 computers across 6-8 domains. There was one problem, though: since the network tools were not provided by the antivirus vendor they had installed, the client was not comfortable installing any third-party software on their servers. Luckily, they were OK with using the tiny, fast and silent Kaspersky kk.exe program. Now I had to figure out how to run this tool across all the infected machines in each domain. This is how I did it:

Tuesday, July 28, 2009

The Best Freeware Tools to Detect and Remove the Conficker/Downadup/Kido worm

In my previous post I talked about how to manually clean and remove the Downadup worm. I wrote that article back in March 2009, when new variants of Downadup started to appear for which antivirus vendors hadn't yet developed definitions. However, since mid-April I haven't personally encountered any new or unique variants of Downadup. I started a quick evaluation of almost all the Conficker removal tools listed here:
http://isc.sans.org/diary.html?storyid=5860
The tests were made on infected live machines and networks. The results I have found are:

The best downadup detection tool:

McAfee Conficker Detection Tool: http://www.mcafee.com/us/enterprise/confickertest.html
This program ROCKS! The only two products from McAfee that I would recommend every enterprise to have: SecureWeb and the McAfee Conficker Detection Tool.
The detection tool requires no installation, is very easy to use and is extremely fast. I have been using this tool since April, after McAfee fixed a bug in it. Every business I have recommended the tool to has praised it highly and loves it.

The best downadup removal tool:

I have found that the Kaspersky Kido Killer is the best so far. It requires no installation and no reboot for removal. It is very fast and effective. It has worked with the different variants that I have come across offline. Sadly, when I tested the Bitdefender Conficker removal tool (which I thought was good) on some machines, it did not successfully remove one of the variants, although it did detect it.

KK.exe has some neat command-line switches that not only remove the infection but also restore the Windows services that were disabled (not Windows Defender or the Security Center, though), restore the display of hidden system files, disable autorun, restore the SafeBoot keys, and more.

I commonly use the following command line:
kk.exe -j -a -x -l report.txt

Windows Defender and the Windows Security Center can then be restored with the following command lines:
sc config wscsvc start= auto
sc config winDefend start= auto
sc start wscsvc
sc start WinDefend


The worst tool I came across was the Symantec Downadup removal tool. It took over six hours scanning, and since I am impatient I gave up and had to abort it. I could not tell whether it actually detects or removes the worm.

Saturday, July 18, 2009

How to Manually Remove the Downadup/Conficker/Kido Worm

1. The quickest way to tell whether a Win 2k, 2k3, XP, Vista or 2k8 machine is infected, regardless of the Conficker variant (even a user-mode rootkit variant: such a rootkit only hides the DLL file and its service key), is to run this command line:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v netsvcs
I use a batch file to do this. From the results you can then determine the randomly generated name of the infection's Windows service, e.g. abcde. It is usually found at the end of the list. If there is no randomly named service listed, then most likely Conficker is not there.

Another quick way to determine whether Conficker exists is to run gmer. The quick scan that gmer runs on startup will show C:\windows\system32\svchost.exe as hidden, highlighted in red. In the end, though, you will still need to find the service name associated with Conficker by going through the netsvcs list.

2. End the svchost.exe process hosting that service: find its PID with tasklist /svc, then stop it with taskkill /PID <pid>.

3. Browse to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\abcde
You may not be able to view the contents of the key, since the infection removed the permissions.
Right-click the abcde key > Permissions > Add > Everyone > select Full Control > OK > F5 to refresh > open the Parameters key and take note of the path of the DLL,
e.g. c:\windows\system32\wxyz.dll

4. Use fixpolicies.exe to reset the policies that were added by the worm, such as the one that disables the display of system files.

5. Look for the DLL file in C:\windows\system32\
Right-click the DLL file > Properties > uncheck Read-only > OK > then delete the file. If the file cannot be deleted, try stopping the service first.
If you cannot find the file, use gmer: browse to the file from the Files tab, then use the Delete button on the right.

6. Use the following command-line to delete the service:
sc delete abcde

7. Reboot the computer

8. You can create a batch file to restore the following windows services:

sc config wscsvc start= auto
sc config winDefend start= auto
sc config wuauserv start= auto
sc config BITS start= auto
sc config ERSvc start= auto
sc config WerSvc start= auto
sc start wscsvc
sc start WinDefend
sc start wuauserv
sc start BITS
sc start ERSvc
sc start WerSvc


9. Finally, make sure the machine has the latest recommended updates from Microsoft:
http://windowsupdate.microsoft.com
Most importantly, KB958644 must be installed.
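The steps above are done by hand in regedit and cmd. The following PowerShell script is an added example (it is not part of the original post and not one of the tools it mentions) that automates the read-only triage part of steps 1 to 3 and the service restore of step 8, which also covers the sc config/sc start lines of the July 28 post. It assumes an elevated PowerShell on the suspect machine, and it assumes a $Baseline list of netsvcs names captured with the post's reg query command on a known-clean machine of the same Windows build; the list in the script is illustrative only (common XP entries), not an authoritative reference. Nothing is deleted by this script; the manual removal in steps 3 to 7 stays manual.

```powershell
# Added example, not from the original post. Assumptions: run elevated on the
# suspect machine; $Baseline comes from a clean machine of the same build.
# The names below are illustrative (constructed) and should be replaced with
# your own capture of the netsvcs value from a known-clean box.
$Baseline = @(
    '6to4', 'AppMgmt', 'AudioSrv', 'Browser', 'CryptSvc', 'DMServer', 'EventSystem',
    'HidServ', 'Ias', 'Iprip', 'Irmon', 'LanmanServer', 'LanmanWorkstation',
    'Messenger', 'Netman', 'Nla', 'Ntmssvc', 'NWCWorkstation', 'Nwsapagent',
    'Rasauto', 'Rasman', 'Remoteaccess', 'Schedule', 'Seclogon', 'SENS',
    'Sharedaccess', 'SRService', 'Tapisrv', 'Themes', 'TrkWks', 'W32Time',
    'WZCSVC', 'Wmi', 'WmdmPmSp', 'winmgmt', 'wscsvc', 'xmlprov', 'BITS',
    'wuauserv', 'ShellHWDetection', 'helpsvc', 'uploadmgr'
)

# Steps 1-3 of the post: read the netsvcs group, flag every name that is not in
# the baseline, then try to resolve that service's ServiceDll and host PID.
# Read-only: it reports, it does not change anything.
function Get-SuspectNetsvcs {
    param([Parameter(Mandatory = $true)][string[]]$Baseline)

    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
    $netsvcs = @((Get-ItemProperty -Path $svchostKey -Name netsvcs).netsvcs)

    for ($i = 0; $i -lt $netsvcs.Count; $i++) {
        $name = $netsvcs[$i]
        if ($Baseline -contains $name) { continue }   # -contains is case-insensitive

        $result = @{
            Service    = $name
            Position   = "$($i + 1) of $($netsvcs.Count)"   # the worm's entry is usually last
            ServiceDll = $null
            ProcessId  = $null
            Note       = ''
        }

        # Step 3: the DLL path is the ServiceDll value under the service's
        # Parameters key. An access-denied error here is itself a signal, since
        # the worm strips the permissions on its own service key.
        $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
        try {
            $params = Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction Stop
            $result.ServiceDll = $params.ServiceDll
            if (-not (Test-Path -LiteralPath $params.ServiceDll)) {
                $result.Note = 'ServiceDll not visible on disk; may be hidden (step 5: check with gmer)'
            }
        } catch {
            $result.Note = "Cannot read $paramsKey : $($_.Exception.Message)"
        }

        # Step 2: which svchost.exe instance hosts the service (the PID for taskkill /PID).
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if ($svc) { $result.ProcessId = $svc.ProcessId }

        New-Object -TypeName PSObject -Property $result |
            Select-Object Service, Position, ServiceDll, ProcessId, Note
    }
}

# Step 8 of the post (and the sc config / sc start lines of the July 28 post):
# set the services the worm disables back to Automatic and start them. Names
# that do not exist on this Windows version are skipped (ERSvc is XP, WerSvc
# is Vista and later), which the plain sc commands do not do.
function Restore-DisabledServices {
    param([string[]]$Names = @('wscsvc', 'WinDefend', 'wuauserv', 'BITS', 'ERSvc', 'WerSvc'))
    foreach ($n in $Names) {
        if (-not (Get-Service -Name $n -ErrorAction SilentlyContinue)) { continue }
        Set-Service -Name $n -StartupType Automatic
        Start-Service -Name $n -ErrorAction SilentlyContinue
    }
}

# Usage: triage first; after the manual cleanup of steps 3-7 and the reboot,
# run Restore-DisabledServices.
Get-SuspectNetsvcs -Baseline $Baseline | Format-List
# Restore-DisabledServices
```

The baseline comparison is the general form of the post's "randomly named service at the end of the list" rule: instead of eyeballing the reg query output, every name that is not on a clean machine of the same build is reported, together with its position, its DLL path and the PID of the svchost.exe hosting it, so the three pieces of information steps 1 to 3 collect by hand come out of one command. New-Object PSObject is used instead of the [pscustomobject] cast so the script also runs on PowerShell 2.0, which is what the 2009-era XP and 2003 machines in the post would have.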


A. Elshafei