Removing W32/Confick and Mal/Conficker with Sophos Anti-Virus

This article describes how to remove Conficker from your computers if you have Sophos Anti-Virus installed. You can download the Sophos Conficker cleanup tool from the HERE: 

Issue

This article describes the actions of the viruses of the Confick family on your computers and explains how to remove them.

Please note: you must follow all of the steps in this article carefully in order to completely remove the Conficker virus outbreak on your network. This virus replicates itself very easily and re-infects computers and shared network folders. These instructions, when followed carefully, will remove the virus outbreak completely.

• Refer to the Sophos Security webpages for more information about this family of viruses.
• Confick viruses spread through the MS08-067 vulnerability.
• Microsoft released a critical security patch for this in October 2008: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
• Further information is also given at the bottom of this article.
• Ensure that all the computers on your network have anti-virus software installed and that their protection is up to date.

About the W32/Confick and Mal/Conficker 

Variants of this malware may be known by other names including: W32/Confick-A, W32/Confick-B, W32/Confick-C, Mal/Conficker-A, W32/CONFICKMEM-A, W32/CONFICKMEM-B, W32/CONFICK-D, WORM_DOWNAD.AD, W32/Conficker.worm, Worm:Win32/Conficker.gen!A, Worm:W32/Downadup, Net-Worm.Win32.Kido.

There are three main infection methods that Confick can use:

• Spreads via the MS08-67 exploit

In most cases, this is how the virus gets on the network in the first place. The virus takes advantage of the Microsoft exploit:

1. A copy of the worm is created in the Temporary Internet files folder with a JPG or PNG extension. (These are the first files to appear on the system when it is infected.)
2. A dll file is created within the System32 folder, e.g. C:\Windows\System32\amcophji.dll
3. A service is created to run the dll file
4. It runs as a handle within one of the svchost.exe processes - normally the same one running Netsvcs

You can stop it spreading by this method by applying the patch and cleaning the computer.

• Spreads via Windows file sharing 

Once on the network the virus can spread using the Microsoft exploit (above) or by accessing the file and admin shares on the network.

When it infects a computer it creates a file with a random name and a random extension within the System32 folder. A scheduled task (running as SYSTEM) will execute this file using rundll32.exe.

1. A dll file is created with a random extension and name within the System32 folder - e.g. C:\Windows\System32\zdtnx.g
2. A scheduled task(s) is created to run the above randomly named file using rundll32.exe
3. The task(s) is called AT*.job where * is a sequential number
4. It will be running within a rundll32.exe process
5. There will be one rundll32.exe process running for every scheduled task that has been created

To stop it from spreading by this method, file and print sharing must be disabled until all computers have been fully cleaned.

The Sophos on-access scanner will prevent re-infection as it prevents these scheduled tasks from running. The worm DLL file may be present on disk, but it will not be allowed to run as long as the on-access scanner is enabled.

• Spreads via removable media such as USB drives

When a removable drive is connected to an infected computer, the Conficker worm will

1. create a copy of itself in the RECYCLER\S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx folder on that drive (where x consists of random numbers)
2. drop the file autorun.inf in the root director of the drive.

These files and directories are hidden.

The autorun.inf file will cause the worm to run when the drive is connected to a Windows computer with autoplay enabled, or when the drive is opened in Windows Explorer.

When the worm runs from a removable drive, it will copy itself to the Windows\system32 directory with a .dll extension and set up service registry keys in the same way as the previous infection vectors.

What to do

This is a four stage process, and you must perform all of these steps

1. Scanning Preparation
2. Quarantining the network to prevent the spread of infection
3. Locking down services to prevent spread/execution - using Windows Group Policy
4. Cleaning up the infections

You are advised to also read the knowledgebase article Sophos Anti-Virus: Tracking and finding Conficker infections.

Ensure that the settings described in the following procedure are applied to all computers. This will allow the Sophos on-access scanner to prevent the virus, whether as a service or a task, from loading on the computer .

Refer also to Current major threats: Conficker, Virtumundo

1. Scanning Preparation

• Patch ALL of the computers (infected and uninfected) with MS08-067 (KB958644)
• Set the On-access scanner policy within the Enterprise Console to:

1. On-Read
2. On-Write
3. Deselect 'Automatically Cleanup'
4. Choose 'Do Nothing' as the actions OR 'Deny Access'.

• Ensure HIPS is set to:

1. Detect Suspicious Behaviour = True
2. Detect Buffer Overflow = True
3. Alert Only = False

• Enable the scanning of all files during on-demand scans:

1. Open the Anti-Virus policy(ies) on the Enterprise Console
2. Click on 'Extensions and Exclusions'
3. Tick the box to scan all files
4. Press ok

• Ensure that the Anti-Virus policy has been applied to ALL computers
• In some cases you will need to reboot a computer. (See step 4b below.)

2. Quarantining the network to prevent the spread of infection

Do one of the following:

• Disconnect all infected computers from the network by unplugging their network cables.

OR

• Use client-side firewalls to prevent network access:

If using Sophos Client Firewall (which must be installed on all client computers - see your licence to ensure you are able to use the product):

1. Open Enterprise Console and edit the Firewall policy
2. Go to the LAN tab and deselect the NETBIOS options for all network connections

If using Windows Firewall via Group Policy:

1. Edit your Group Policy for ALL computers
2. The setting can be found under Computer Configuration|Administrative Templates|Network|Network Connections |Windows Firewall|Domain Profile|Windows Firewall: Allow file and printer sharing exception
3. Double click and choose to disable.

NOTE:

Using either of these methods could prevent Sophos updates from being downloaded, we suggest that you either :

1. Add an exception to allow file and print sharing access to your EM Console server/update servers
2. Setup a WebCID to allow updates to be carried out through HTTP, please see article: 38238

3. Locking down services to prevent spread/execution - using Windows Group Policy

• Disable Task Scheduler Service - (note, scheduled scans will not work after this, you can still use the right-click 'Full System Scan' from the Enterprise Console.) 

1. Computer Configuration|Windows Settings|Security Settings|System Services
2. Locate the 'Task Scheduler' Service
3. Define this policy.
4. Set to 'Disabled'

• Disable USB Autoplay. This must be done correctly as described in the Microsoft knowledgebase http://support.microsoft.com/kb/953252. If this is not done correctly the worm may be able to execute if the USB drive is opened in Explorer or double-clicked from My Computer.

All of the above can be re-enabled when you are satisfied that your entire system is clean and that they have all been patched against MS08-67..

4. Cleaning up the infections

Depending on which action you took in 2 above, do one of the following:

Computers have been disconnected: 

• Logon with local administrator rights. Do not log on as a domain administrator.
• Open Quarantine Manager, select all items and click 'Clear from List'.
• Run a full system scan. One of the following will result:

1. If the full scan reported an instance of W32/ConfickMEM-A or W32/ConfickMEM-B, clean up this item from the QM and then immediately perform another full scan and cleanup again.  W32/ConfickMEM-A or W32/ConfickMEM-B indicates an active Conficker infection on this computer, so it should be cleaned up as a priority compared to other Conficker detections. This cleanup will terminate the worm in memory and allow the second full scan to detect the worm files on disk.
2. If the full scan reported that one or more files in the Windows\system32 directory could not be scanned (Error text: '<filename> returned SAV Interface error 0xa0040210: The file could not be accessed') and there were no instances of W32/ConfickMEM-A or W32/ConfickMEM-B reported in the scan, ensure the on-access scanner is enabled as described above, then reboot the computer and perform another full scan. 

• This computer may have an active infection of Conficker that is preventing the file on disk from being scanned. Rebooting allows the on-access scanner to stop the worm loading and allow the file to be scanned.
• Run cleanup from the quarantine manager once the scan has finished.
• Cleanup may prompt for a reboot in order to remove all the components.
• Scan the machine again to ensure that it is clean.

Client-side Firewalls have been used to prevent file sharing: 

In Enterprise Console:

1. Acknowledge alerts and errors within the Enterprise Console.
2. Scan all computers at the same time by right-clicking on them in the console and selecting 'Full System Scan'.
3. Run cleanup on all computers by right-clicking and selecting 'Cleanup threats'.
4. Cleanup may prompt for a reboot in order to remove all the components.
5. Scan the computers again.
6. Cleanup again if required.

5. Re-infection

If Windows file sharing cannot be disabled, or if an infected computer or USB stick is introduced into the network, reinfection of computers that have already been cleaned up may occur. In these cases, computers running the Sophos on-access scanner are protected against reinfection but will still receive a copy of the worm DLL via file sharing from the infected computer.

These instances will be reported in the Quarantine manager as on-access detections and should be treated as a secondary concern; priority should be given to cleaning up computers with an active detection of Conficker as described above.

Once all computers with an active Conficker infection (i.e. W32/ConfickMEM-A or W32/ConfickMEM-B, as described in Section 4, step 3,1) have been cleaned up, the worm DLLs on uninfected computers can be removed via a full scan and cleanup, and will not return.

Further background information

Refer to the Sophos Security webpages for more information about this family of viruses.

Confick viruses spread through the MS08-067 vulnerability. Microsoft released a critical security patch for this in October 2008: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

1. To check if the patch is installed, go into Add\Remove Programs and look for KB958644 (ensure that the 'Show updates' box at the top is ticked).
2. Enable HIPS and BOPs and make sure that "Alert only" is switched off. This should prevent re-infection, however HIPS does not block the virus from running.
3. This infection also spreads via network shares. It tries to crack passwords of user accounts using a crude dictionary. If an account cannot be cracked it may end up being locked out because of incorrect password attempts (depending on how Active Directory has been set up).
4. The virus seems to copy a random file name with random file extension to the c:\windows\system32 folder. It also creates a scheduled task named ATx.job - where x is a number. The scheduled task seems to run the file in the system32 folder.
5. The virus may try to contact a number of websites, some of which are legitimate
6. It will try to obtain updates for itself from various domains. The use of client firewalls will greatly help to stop the spread of the virus.
7. This virus will also spread via USB drives and other removable devices, please ensure that they are scanned and cleaned before using them again.
8. You can prevent the creation of new scheduled tasks via a group policy using the following article- http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/92819.mspx?mfr=true
9. Using the firewall methods above will prevent Sophos updates from working. There are two ways around this:

• Setup the secondary server details within the Enterprise Console's updating policy so that the computers can update from Sophos - see article: 12354
• Add an exception to the firewall policies to allow File and Print sharing connections to the EM Console/EM Library server(s). This can cause the server(s) to be infected as client computers are able to access them.

10. The files that are dropped on the computers are related to the computer name. This means that for a given variant of Conficker, the file name of the dropped DLL on a certain computer will always have the same random name.

Source : http://www.sophos.com/.