Author:
Rabih Itani
Computing & Networking Services,
American University of Beirut

Contact:
CNS.Helpdesk
West Wing,
Van Dyck Hall,
Ext. 2260

What to do to protect your computer from the worm?
How to detect the presence of the worm on your computer?
How to remove the worm?
How to disable AutoRun?

What to do to protect your computer from the worm?
- Make sure that your computer is patched with the latest Microsoft OS updates.
Microsoft has identified the patch required to protect your computer from the
Conficker worm: MS08-067. (See
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx)
Private Computer owners only:
Windows XP computers can be patched from within the campus network. However,
Windows Vista computers currently cannot and will have to be patched from
outside campus (a solution is currently in the works).
- Make sure that you have anti-virus software installed and updated with the
latest signature definition files. Read the help for
Private computer owners.
- CNS recommends that you disable the “AutoRun” capability, which helps
protect your computer from this worm and other similar future security threats.
Here is how to disable "AutoRun".
- Use a solid and strong password. A password that is easy to guess, found in
a dictionary of any language, or shorter than eight characters is not
recommended.
See CNS password recommendations.
How to detect the presence of the worm on your computer?
Users can apply a simple test for the presence of a Conficker/Downadup infection
on their computers. An infection may be present if a user is unable to browse to
their security solution's website, or is unable to connect to the following
sites (or similar) to download the detection/removal tools they offer for free:
- http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm
- http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
- http://www.mcafee.com
If a user is unable to reach any of these websites, it may indicate a
Conficker/Downadup infection. The most recent variant of Conficker/Downadup
interferes with queries for these sites, preventing a user from visiting them.
If a Conficker/Downadup infection is suspected, the system or computer should be
removed from the network or, in the case of home users, unplugged from the
Internet.
How to remove the worm?
There are many tools available on the Internet; CNS recommends the ones below:
There are more tools online. However, only those from known and trusted
vendors should be used. Criminals are taking advantage of the Conficker fear and
offering malicious tools that claim to remove the worm but in reality do nothing
of the sort.
How to disable AutoRun?
Windows XP, 2000, 2003
- Click START then RUN
- Type GPEDIT.MSC into the OPEN box and click OK
- Under Computer Configuration, click Administrative Templates, and then
System
- Right click on Turn off Autoplay (Disable Autoplay on Win 2000) and
select Properties
- Click Enabled, and then in the dropdown select All Drives. Click OK and
close the GP Editor
- Reboot
Windows Vista:
- Click START, type GPEDIT.MSC in the search box and hit enter
- Note: You might need to enter your administrator password at this point
- Under Computer Configuration, expand both Administrative Templates and
Windows Components, and then click Autoplay Policies
- Double click Turn off Autoplay
- Reboot
If you are using Vista Home or Home Premium, you will not have access to
GPEDIT. This is because only domain-based versions of Vista have the ability to
use group policy tools.
IMPORTANT: Windows Vista-based and Windows Server 2008-based systems must have
update 950582 (Security bulletin MS08-038) installed to take advantage of the
registry key settings that disable Autorun.
For operating systems that do not include Gpedit.msc, follow these steps:
- Click Start, click Run (search box for Vista), type regedit in the Open box,
and then click OK.
- Locate and then click the following entry in the registry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutorun
- Right-click NoDriveTypeAutoRun, and then click Modify.
- In the Value data box, type 0xFF to disable all types of drives.
- If you want to be selective, the following codes will apply according to
Microsoft.
0x1 - Disables AutoPlay on drives of unknown type
0x4 - Disables AutoPlay on removable drives
0x8 - Disables AutoPlay on fixed drives
0x10 - Disables AutoPlay on network drives
0x20 - Disables AutoPlay on CD-ROM drives
0x40 - Disables AutoPlay on RAM disks
0x80 - Disables AutoPlay on drives of unknown type
0xFF - Disables AutoPlay on all kinds of drives
- Click OK, and then exit Registry Editor.
- Restart the computer.
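
The registry check above can also be scripted. The following PowerShell is an added example, not part of the original CNS page: it reads NoDriveTypeAutoRun for the current user, reports which of the drive types listed above are still allowed to AutoRun, and writes 0xFF only when run with -DisableAll (a switch name chosen for this example).

```powershell
# Added example (not from the CNS page): audit NoDriveTypeAutoRun for the
# current user and, with -DisableAll (a switch made up for this example), set 0xFF.
param([switch]$DisableAll)

$key  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer'
$name = 'NoDriveTypeAutoRun'

# Bit values and drive types exactly as listed in the steps above.
$driveBits = @(
    @{ Bit = 0x01; Type = 'drives of unknown type' },
    @{ Bit = 0x04; Type = 'removable drives' },
    @{ Bit = 0x08; Type = 'fixed drives' },
    @{ Bit = 0x10; Type = 'network drives' },
    @{ Bit = 0x20; Type = 'CD-ROM drives' },
    @{ Bit = 0x40; Type = 'RAM disks' },
    @{ Bit = 0x80; Type = 'drives of unknown type' }
)

function Get-AutoRunMask {
    # Returns the current DWORD value, or $null when the value does not exist.
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$name
}

function Show-AutoRunMask([int]$mask) {
    # A set bit means AutoPlay is disabled for that drive type.
    foreach ($d in $driveBits) {
        $state = if ($mask -band $d.Bit) { 'disabled' } else { 'STILL ENABLED' }
        '{0,-5} {1,-24} {2}' -f ('0x{0:X}' -f $d.Bit), $d.Type, $state
    }
}

$mask = Get-AutoRunMask
if ($null -eq $mask) {
    'NoDriveTypeAutoRun is not set for this user.'
} else {
    'Current value: 0x{0:X}' -f $mask
    Show-AutoRunMask $mask
}

if ($DisableAll) {
    # Create the Explorer policy key if it is missing, then write the DWORD.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $name -Value 0xFF -Type DWord
    'Set to 0xFF. Restart the computer for the change to take effect.'
    Show-AutoRunMask (Get-AutoRunMask)
}
```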