This article explains how to track and find Conficker infections on your network
First seen in: Sophos Anti-Virus for Windows 2000+
Operating system: Microsoft Windows
For details on how to clean Conficker from your network, please see the following knowledgebase article Removing W32/Confick and Mal/Conficker.
About the virus
Conficker spreads using three methods, each covered by a scenario below: the MS08-067 exploit, file and print sharing, and USB pens or other removable media.
Please see the article Removing W32/Confick and Mal/Conficker for removal and more details on how to stop the spread.
Conficker will only spread from unprotected computers. Computers with the latest version of Sophos Anti-Virus and the correct scanner settings (see article 51169) will not be able to execute the Conficker files.
You may get lots of alerts for Conficker in your Enterprise Console/Control Center. These are not your priority: you will need to track down the unprotected computers that are actually executing, and therefore spreading, Conficker.
There are a few tools which you can use to track and find Conficker-infected computers on your network.
Scenario A - Conficker is spreading by using the exploit
Firstly, on a well-managed network this should not happen. If Conficker is spreading by using the exploit, you have not patched your computers with MS08-067. This patch applies to all Windows NT based operating systems regardless of the service pack. Patch your computers!
In this scenario, you can only track the source of the infection by installing Wireshark on a target computer.
Scenario B - Conficker is spreading by using file and print sharing
This is the most common method of spreading for Conficker, since it will still work even if the computers are patched with MS08-067. There are several ways of tracking this type of infection:
1. The best way of tracking infected computers is by using the Security Event logs on your Domain Controller. If you have more than one Domain Controller, you will need to check each of the Security Event logs for failure audits.
2. The second best method of tracking computers is to use a network monitoring tool - in this example, Wireshark.
3. The third method of tracking computers is to use the Sophos Client Firewall (if you are licensed for it).
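As an added illustration of method 1 (not code from the original article or from Sophos), the script below ranks workstations by the number of failure audits they generate in a Domain Controller Security log export. It assumes a CSV export with the columns Date, EventID, Type, Workstation and Account, uses the assumed logon-failure event IDs 529 (Windows 2000/2003) and 4625 (Windows 2008 and later), and embeds a constructed sample: an infected computer stands out because it produces many failures against many different accounts in a short time, while a user mistyping a password produces a few failures against one account.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Security log export from a Domain Controller.
# Column layout is an assumption; adjust to match your own Event Viewer export.
SAMPLE_EXPORT = """Date,EventID,Type,Workstation,Account
2009-01-20 09:00:01,529,Failure Audit,WS-017,Administrator
2009-01-20 09:00:01,529,Failure Audit,WS-017,Administrator
2009-01-20 09:00:02,529,Failure Audit,WS-017,admin
2009-01-20 09:00:02,529,Failure Audit,WS-017,backup
2009-01-20 09:00:03,529,Failure Audit,WS-017,guest
2009-01-20 09:00:03,529,Failure Audit,WS-017,guest
2009-01-20 09:05:10,529,Failure Audit,WS-042,jsmith
2009-01-20 09:05:20,529,Failure Audit,WS-042,jsmith
2009-01-20 09:05:30,540,Success Audit,WS-042,jsmith
"""

# Logon-failure event IDs (assumed): 529 on Windows 2000/2003, 4625 on 2008 and later.
FAILURE_AUDIT_IDS = {529, 4625}


def rank_failure_sources(export_text, min_failures=5):
    """Return [(workstation, failure_count, distinct_accounts)] for every
    workstation with at least min_failures logon-failure audits, busiest first."""
    failures = Counter()
    accounts = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        # Only failure audits matter; successful logons and other events are skipped.
        if row["Type"] != "Failure Audit":
            continue
        if int(row["EventID"]) not in FAILURE_AUDIT_IDS:
            continue
        workstation = row["Workstation"]
        failures[workstation] += 1
        accounts.setdefault(workstation, set()).add(row["Account"])
    return [
        (ws, count, len(accounts[ws]))
        for ws, count in failures.most_common()
        if count >= min_failures
    ]


if __name__ == "__main__":
    for ws, count, distinct in rank_failure_sources(SAMPLE_EXPORT):
        print(f"{ws}: {count} failure audits against {distinct} account(s)")
```

Computers at the top of the list, especially those hitting many different accounts, are the ones to check first for an unprotected, actively spreading Conficker infection.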
Conficker will not be able to spread if you have followed article 51169 fully.
Scenario C - Conficker is spreading by using USB pen/removable media
Sophos Anti-Virus will detect the infected USB pen with a W32/ConfInf detection. You will need to speak with the user of that computer and ask them to clean or format the USB pen.