2009-04-09




Conficker/Downadup Info for Scanning and Removal

With all the attention the Conficker worm (aka Downadup) has garnered with its deep penetration of the Windows ecosystem, we're including links and information to help folks scan their Windows-based computers, virtual machines, or entire networks for infected devices, along with some help on removing any infections found.
In-depth Conficker/Downadup Reference
Quick Machine Test for Conficker Infection
The Conficker Working Group has created a simple web page to help you determine if your machine is infected. Since Conficker blocks access to various security sites, this simple attempt to load logos can quickly tell you if you are infected. If some of the logos do not load, you might be infected. Click here to visit their quick and easy test.
Quick Scan of Your Network for Conficker Infections or Vulnerabilities
If you want to quickly scan your entire network for Conficker infections or Conficker vulnerabilities, use nmap. I found a great example of how to do this at OS X Daily. As noted in the original article, be sure to change the IP address range to match your network. The relevant command is:


nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 192.168.0.1-254
The scan will tell you if any Windows machines are actually infected or lack the patch to prevent infection and are vulnerable.
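With -v across a whole subnet the report gets long, so the following added example (not from the original post or from OS X Daily) reduces saved scan output to the hosts that need attention. The function names are hypothetical, the sample report is constructed, and the result-line wording it matches ("MS08-067: VULNERABLE", "Conficker: Likely INFECTED") is an assumption modelled on the smb-check-vulns report format, so check it against your own nmap output.

```shell
#!/bin/sh
# Triage saved nmap output from the smb-check-vulns scan above.
# Prints one line per host needing action: <ip><TAB><INFECTED|UNPATCHED>.

conficker_triage() {
  awk '
    # Emit the previous host if the script flagged it.
    function report() {
      if (host == "") return
      if (infected)       print host "\tINFECTED"
      else if (unpatched) print host "\tUNPATCHED"
    }
    # A new host section starts; older nmap releases used "Interesting ports on".
    /^Nmap scan report for / || /^Interesting ports on / {
      report()
      host = $NF; sub(/:$/, "", host); gsub(/[()]/, "", host)
      infected = 0; unpatched = 0
      next
    }
    # Missing patch: "VULNERABLE" but not "NOT VULNERABLE".
    /MS08-067:/ && /VULNERABLE/ && !/NOT VULNERABLE/ { unpatched = 1 }
    # Infection verdict from the Conficker check.
    /Conficker:/ && /INFECTED/ { infected = 1 }
    END { report() }
  '
}

# Constructed sample report: one clean host, one unpatched, one infected.
sample_scan_output() {
  cat <<'EOF'
Nmap scan report for 192.168.0.10
Host script results:
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|_  Conficker: Likely CLEAN

Nmap scan report for 192.168.0.23
Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|_  Conficker: Likely CLEAN

Interesting ports on 192.168.0.57:
Host script results:
|  smb-check-vulns:
|  MS08-067: PATCHED (possibly by Conficker)
|_ Conficker: Likely INFECTED
EOF
}

sample_scan_output | conficker_triage
```

To use it on a real scan, redirect the nmap command's output to a file and pipe that file into conficker_triage. Treat INFECTED hosts as the removal priority and UNPATCHED hosts as the patching queue.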
Other Conficker/Downadup References