This article describes how to remove Conficker from your computers if you have Sophos Anti-Virus (SAV) installed.
If you choose not to use SAV you can download and run the Sophos Virus Removal tool, in which case follow the instructions in this article: Sophos Virus Removal Tool (Note: this tool is only available for Windows.)
Aliases Variants of this malware may be known by other names including: W32/Confick-A, W32/Confick-B, W32/Confick-C, Mal/Conficker-A, W32/CONFICKMEM-A, W32/CONFICKMEM-B, W32/CONFICK-D, WORM_DOWNAD.AD, W32/Conficker.worm, Worm:Win32/Conficker.gen!A, Worm:W32/Downadup, Net-Worm.Win32.Kido
This article describes the actions of the viruses of the Confick family on your computers and explains how to remove them.
Note: You must follow all of the steps in this article carefully in order to completely remove the Conficker virus outbreak on your network. This virus replicates itself very easily and re-infects computers and shared network folders. These instructions, when followed carefully, will remove the virus outbreak completely.
First seen in Sophos Anti-Virus for Windows 2000+
Operating system Microsoft Windows
There are three main infection methods that Confick can use:
1. Spreads via the MS08-67 exploit In most cases, this is how the virus gets on the network in the first place. The virus takes advantage of the Microsoft exploit:
You can stop it spreading by this method by applying the patch and cleaning the computer.
2. Spreads via Windows file sharing Once on the network the virus can spread using the Microsoft exploit (above) or by accessing the file and admin shares on the network.
When it infects a computer it creates a file with a random name and a random extension within the System32 folder. A scheduled task (running as SYSTEM) will execute this file using rundll32.exe.
To stop it from spreading by this method, file and print sharing must be disabled until all computers have been fully cleaned.
The Sophos on-access scanner will prevent re-infection as it prevents these scheduled tasks from running. The worm DLL file may be present on disk, but it will not be allowed to run as long as the on-access scanner is enabled.
3. Spreads via removable media such as USB drives When a removable drive is connected to an infected computer, the Conficker worm will
These files and directories are hidden.
The autorun.inf file will cause the worm to run when the drive is connected to a Windows computer with autoplay enabled, or when the drive is opened in Windows Explorer.
When the worm runs from a removable drive, it will copy itself to the Windows\system32 directory with a .dll extension and set up service registry keys in the same way as the previous infection vectors.
This is a four stage process, and you must perform all of these steps
You are advised to also read the knowledgebase article Sophos Anti-Virus: Tracking and finding Conficker infections.
Ensure that the settings described in the following procedure are applied to all computers. This will allow the Sophos on-access scanner to prevent the virus, whether as a service or a task, from loading on the computer .
1. Scanning Preparation
2. Quarantining the network to prevent the spread of infection
Do one of the following:
3. Locking down services to prevent spread/execution - using Windows Group Policy
All of the above can be re-enabled when you are satisfied that your entire system is clean and that they have all been patched against MS08-67..
4. Cleaning up the infections
Depending on which action you took in 2 above, do one of the following:
If Windows file sharing cannot be disabled, or if an infected computer or USB stick is introduced into the network, reinfection of computers that have already been cleaned up may occur. In these cases, computers running the Sophos on-access scanner are protected against reinfection but will still receive a copy of the worm DLL via file sharing from the infected computer.
These instances will be reported in the Quarantine manager as on-access detections and should be treated as a secondary concern; priority should be given to cleaning up computers with an active detection of Conficker as described above.
Once all computers with an active Conficker infection (i.e. W32/ConfickMEM-A or W32/ConfickMEM-B, as described in Section 4, step 3,1) have been cleaned up, the worm DLLs on uninfected computers can be removed via a full scan and cleanup, and will not return.
Further background information
Refer to the Sophos Security webpages for more information about this family of viruses.
Confick viruses spread through the MS08-067 vulnerability.
Microsoft released a critical security patch for this in October 2008: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.