The H Security Conficker Information Site



3 April 2009, 17:38

The H Security Conficker information site

On this page you will find all of the important information about the Conficker worm, including how to detect it and to guard against it. Note that some manufacturers call Conficker either Kido or Downadup.

Test pages

There are several test sites that can help you check for Conficker infection. These links open a page that performs the test and shows the result.

Conficker test from The H and heise Security

Conficker test from the University of Bonn

Info pages and removal tools from AV vendors

Many anti-virus manufacturers are offering specific tools for detecting and removing Conficker. These applications do not require installation of a complete AV package. The easiest way to proceed is to download the tool on an uninfected computer, copy it onto a USB drive and then run it on the infected system. NOTE - all of these links start a file download process.

Sophos - ssconftool_10_sfx.exe

Symantec - FixDwndp.exe

F-Secure - f-downadup.zip

McAfee - Stinger_Coficker.exe

Trend Micro - SysClean-WORM_DOWNAD.zip

Kaspersky - KKiller_v3.4.3.zip

BitDefender - bd_rem_tool.zip

Eset (NOD32) - EConfickerRemover.exe

Network Scanner

Various companies offer scanners that can detect Conficker over a network. They are based on techniques developed by security researchers Felix Leder and Tillmann Werner. These techniques do require access to TCP port 445 to reach the target systems, so they will normally only work within local networks since this port should be blocked from the internet side of any firewalls.

Nmap version 4.85Beta5

To do a basic Conficker scan with Nmap, run:

nmap -sC -PN -d -p445 --script=smb-check-vulns \
    --script-args=safe=1 ip-address-to-scan

Nessus plugin 36036

Confickertest from McAfee

ConfickerScanner by eEye

See Heise Security for more info: http://www.h-online.com/security/The-H-Sec...features/113002
