Professional Documents
Culture Documents
System TipThis article applies to a different version of Windows than the one you are using. Content in this article may not be
On This Page
• Summary
• Symptoms of infection
• Propagation methods
• Prevention
• Mitigation steps
• Recovery
Services table
Summary
The information in this Knowledge Base article is intended for business environments that have system administrators who can
implement the details in this article. There is no reason to use this article if your antivirus program is cleaning the virus correctly and if
your systems are fully updated. To confirm that the system is clean of the Conficker virus, perform a quick scan from the following Web
page:
http://safety.live.com
For detailed information about the Conficker virus, visit the following Microsoft Web page:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fConficker
Symptoms of infection
If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following
symptoms:
• Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services
are disabled.
• Various security-related tools will not run. For a list of known tools, visit the following Microsoft Web page, and then
click the Analysis tab for information about Win32/Conficker.D. For more information, visit the following Microsoft Web
page:
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.D
For more information about Win32/Conficker, visit the following Microsoft Malware Protection Center Web page:
http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker
Propagation methods
Therefore, you must be careful when you clean a network so that the threat is not reintroduced to systems that have previously been
cleaned.
Note The Win32/Conficker.D variant does not spread to removable drives or shared folders over a network. Win32/Conficker.D is
Prevention
• Use strong administrator passwords that are unique for all computers.
• Do not log on to computers by using Domain Admin credentials or credentials that have access to all computers.
• Make sure all systems have the latest security updates applied.
• Disable the Autoplay features. For more information, see step 3 of the "Create a Group Policy object" section.
• Remove excessive rights to shares. This includes removing write permissions to the root of any share.
Mitigation steps
Notes
• Important Make sure that you document any current settings before you make any of the changes that are suggested
in this article.
• This procedure does not remove the Conficker malware from the system. This procedure only stops the spread of the
malware. You should use an antivirus product to remove the Conficker malware from the system. Or, follow the steps in the
"Manual steps to remove the Win32/Conficker virus" section of this Knowledge Base article to manually remove the
• You may be unable to correctly install applications, service packs, or other updates while the permission changes that
are recommended in the following steps are in place. This includes, but is not limited to, applying updates by using
Windows Update, Microsoft Windows Server Update Services (WSUS) server, and System Center Configuration Manager
(Configuration Manager 2007), as these products rely on components of Automatic Updates. Make sure that you change
the permissions back to default settings after you clean the system.
• For information about the default permissions for the SVCHOST registry key and the Tasks Folder that are mentioned
in the "Create a Group Policy object" section, see the Default permissions table at the end of this article.
Create a new Group Policy object (GPO) that applies to all computers in a specific organizational unit (OU), site, or domain, as
1. Set the policy to remove write permissions to the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
This prevents the randomly named malware service from being created in the netsvcs registry value.
c. Open the new GPO, and then move to the following folder:
e. In the Select Registry Key dialog box, expand Machine, and then move to the following folder:
Software\Microsoft\Windows NT\CurrentVersion\Svchost
f. Click OK.
g. In the dialog box that opens, click to clear the Full Control check box for both Administrators and System.
h. Click OK.
i. In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable
permissions.
j. Click OK.
2. Set the policy to remove write permissions to the %windir%\Tasks folder. This prevents the Conficker malware from
a. In the same GPO that you created earlier, move to the following folder:
c. In the Add a file or folder dialog box, browse to the %windir%\Tasks folder. Make sure that Tasks is highlighted
d. Click OK.
e. In the dialog box that opens, click to clear the check boxes for Full Control, Modify, and Write for both
f. Click OK.
g. In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable
permissions.
h. Click OK.
2. Set AutoPlay (Autorun) features to disabled. This keeps the Conficker malware from spreading by using the AutoPlay
Note Depending on the version of Windows that you are using, there are different updates that you must have installed to
o To disable the Autorun functionality in Windows Vista or in Windows Server 2008, you must have security
o To disable the Autorun functionality in Windows XP, in Windows Server 2003, or in Windows 2000, you must
a. In the same GPO that you created earlier, move to one of the following folders:
e. Click OK.
3. Link the newly created GPO to the location that you want it to apply to.
4. Allow for enough time for Group Policy settings to update to all computers. Generally, Group Policy replication takes
five minutes to replicate to each domain controller, and then 90 minutes to replicate to the rest of the systems. A couple
hours should be enough. However, more time may be required, depending on the environment.
5. After the Group Policy settings have propagated, clean the systems of malware.
b. If your antivirus software does not detect Conficker, you can use the Malicious Software Removal Tool (MSRT)
to clean the malware. For more information, visit the following Microsoft Web page:
http://www.microsoft.com/security/malwareremove/default.mspx
Note You may have to follow some manual steps to clean up all the effects of the malware. We recommend that
you review the steps that are listed in the "Manual steps to remove the Win32/Conficker virus" section of this
Recovery
The Microsoft Malware Protection Center has updated the Malicious Software Removal tool (MSRT). This is a stand-alone binary that
is useful in the removal of prevalent malicious software, and it can help remove the Win32/Conficker malware family.
Note The MSRT does not prevent reinfection because it is not a real-time antivirus program.
You can download the MSRT from either of the following Microsoft Web sites:
http://www.update.microsoft.com
http://support.microsoft.com/kb/890830
For more information about specific deployment details for the MSRT, click the following article number to view the article in the
891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment
Note The Stand-Alone System Sweeper tool will also remove this infection. This tool is available as a component of the Microsoft
Desktop Optimization Pack 6.0 or through Customer Service and Support. To obtain the Microsoft Desktop Optimization Pack, visit the
http://www.microsoft.com/windows/enterprise/technologies/mdop.aspx
If Microsoft Security Essentials or Microsoft Forefront Client Security is running on the system, these programs also block the threat
before it is installed.
Notes
• These manual steps are not required any longer and should only be used if you have no antivirus software to remove
• Depending on the Win32/Conficker variant that the computer is infected with, some of these values referred to in this
The following detailed steps can help you manually remove Conficker from a system:
Important Do not log on to the system by using a Domain account, if it is possible. Especially, do not log on by using a
Domain Admin account. The malware impersonates the logged on user and accesses network resources by using the logged
2. Stop the Server service. This removes the Admin shares from the system so that the malware cannot spread by using
this method.
Note The Server service should only be disabled temporarily while you clean up the malware in your environment. This is
especially true on production servers because this step will affect network resource availability. As soon as the environment
To stop the Server service, use the Services Microsoft Management Console (MMC). To do this, follow these steps:
In Windows Vista and Windows Server 2008, click Start, type services.msc in the Start Search
In Windows 2000, Windows XP, and Windows Server 2003, click Start, click Run, type services.msc,
b. Double-click Server.
c. Click Stop.
e. Click Apply.
2. Remove all AT-created scheduled tasks. To do this, type AT /Delete /Yes at a command prompt.
o To stop the Task Scheduler service in Windows 2000, Windows XP, and Windows Server 2003, use the
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious
problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps
carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a
problem occurs. For more information about how to back up and restore the registry, click the following article
a. Click Start, type regedit in the Start Search box, and then click regedit.exe in the Programs list.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
c. In the details pane, right-click the Start DWORD entry, and then click Modify.
Note The Task Scheduler service should only be disabled temporarily while you clean up the malware in
your environment. This is especially true on Windows Vista and Windows Server 2008 because this step
will affect various built-in Scheduled Tasks. As soon as the environment is cleaned up, re-enable the
Server service.
2. Download and manually install security update 958644 (MS08-067). For more information, visit the following Microsoft
Web site:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Note This site may be blocked because of the malware infection. In this scenario, you must download the update from an
uninfected computer, and then transfer the update file to the infected system. We recommend that you burn the update to
a CD because the burned CD is not writable. Therefore, it cannot be infected. If a recordable CD drive is not available, a
removable USB memory drive may be the only way to copy the update to the infected system. If you use a removable
drive, be aware that the malware can infect the drive with an Autorun.inf file. After you copy the update to the removable
drive, make sure that you change the drive to read-only mode, if the option is available for your device. If read-only mode
is available, it is typically enabled by using a physical switch on the device. Then, after you copy the update file to the
infected computer, check the removable drive to see whether an Autorun.inf file was written to the drive. If it was, rename
the Autorun.inf file to something like Autorun.bad so that it cannot run when the removable drive is connected to a
computer.
3. Reset any Local Admin and Domain Admin passwords to use a new strong password. For more information, visit the
following Microsoft Web site:
http://technet.microsoft.com/en-us/library/cc875814.aspx
4. In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
5. In the details pane, right-click the netsvcs entry, and then click Modify.
6. If the computer is infected with the Win32/Conficker virus, a random service name will be listed.
Note With Win32/Conficker.B, the service name was random letters and was at the bottom of the list. With later variants,
the service name may be anywhere in the list and may seem to be more legitimate. If the random service name is not at
the bottom, compare your system with the "Services table" in this procedure to determine which service name may have
been added by Win32/Conficker. To verify, compare the list in the "Services table" with a similar system that is known not
to be infected.
Note the name of the malware service. You will need this information later in this procedure.
7. Delete the line that contains the reference to the malware service. Make sure that you leave a blank line feed under
the last legitimate entry that is listed, and then click OK.
o All the entries in the Services table are valid entries, except for the items that are highlighted in bold.
o The items that are highlighted in bold are examples of what the Win32/Conficker virus may add to the netsvcs
o This may not be a complete list of services, depending on what is installed on the system.
o The entry that the Win32/Conficker virus adds to the list is an obfuscation technique. The highlighted,
malicious entry that is supposed to resemble the first letter is a lowercase "L." However, it is actually an uppercase
"I." Because of the font that is used by the operating system, the uppercase "I" seems to be a lowercase "L."
Services table
Windows Server Windows
Windows Server 2008 Windows Vista Windows XP
2003 2000
sacsvr hkmsvc
8. In a previous procedure, you noted the name of the malware service. In our example, the name of the malware entry
was "Iaslogon." Using this information, follow these steps:
a. In Registry Editor, locate and then click the following registry subkey, where BadServiceName is the name of
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BadServiceName
For example, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iaslogon
b. Right-click the subkey in the navigation pane for the malware service name, and then click Permissions.
d. In the Advanced Security Settings dialog box, click to select both of the following check boxes:
Inherit from parent the permission entries that apply to child objects. Include these with entries
Replace permission entries on all child objects with entries shown here that apply to child objects.
2. Press F5 to update Registry Editor. In the details pane, you can now see and edit the malware DLL that loads as
b. Note the path of the referenced DLL. You will need this information later in this procedure. For example, the
%SystemRoot%\System32\doieuln.dll
%SystemRoot%\System32\doieuln.old
c. Click OK.
2. Remove the malware service entry from the Run subkey in the registry.
a. In Registry Editor, locate and then click the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
b. In both subkeys, locate any entry that begins with "rundll32.exe" and also references the malware DLL that
loads as "ServiceDll" that you identified in step 12b. Delete the entry.
2. Check for Autorun.inf files on any drives on the system. Use Notepad to open each file, and then verify that it is a valid
3. [autorun]
4. shellexecute=Servers\splash.hta *DVD*
5. icon=Servers\autorun.ico
8. Make hidden files visible. To do this, type the following command at a command prompt:
reg.exe add
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v
9. Set Show hidden files and folders so that you can see the file. To do this, follow these steps:
a. In step 12b, you noted the path of the referenced .dll file for the malware. For example, you noted a path that
%systemroot%\System32\doieuln.dll
In Windows Explorer, open the %systemroot%\System32 directory or the directory that contains the malware.
e. Click OK.
3. Edit the permissions on the file to add Full Control for Everyone. To do this, follow these steps:
c. Click Everyone, and then click to select the Full Control check box in the Allow column.
d. Click OK.
2. Delete the referenced .dll file for the malware. For example, delete the %systemroot%\System32\doieuln.dll file.
3. Enable the BITS, Automatic Updates, Error Reporting, and Windows Defender services by using the Services Microsoft
4. Turn off Autorun to help reduce the effect of any reinfection. To do this, follow these steps:
If you are running Windows 2000, Windows XP, or Windows Server 2003, install update 967715. For
more information, click the following article number to view the article in the Microsoft Knowledge Base:
If you are running Windows Vista or Windows Server 2008, install security update 950582. For more
information, click the following article number to view the article in the Microsoft Knowledge Base:
950582 MS08-038: Vulnerability in Windows Explorer could allow remote code execution
b. Note Update 967715 and security update 950582 are not related to this malware issue. These updates must
2. If the system is running Windows Defender, re-enable the Windows Defender autostart location. To do this, type the
3. For Windows Vista and later operating systems, the malware changes the global setting for TCP Receive Window
Autotuning to disabled. To change this setting back, type the following command at a command prompt:
If, after you complete this procedure, the computer seems to be reinfected, either of the following conditions may be true:
• One of the autostart locations was not removed. For example, either the AT job was not removed or an Autorun.inf file
This malware may change other settings that are not addressed in this article. Please visit the following Microsoft Malware Protection
http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker
To do this, type the following commands at the command prompt. Press ENTER after each command:
After each command runs, you will receive a message that resembles the following:
SERVICE_NAME: wuauserv
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
To verify the status of the SvcHost registry subkey, follow these steps:
1. In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
2. In the details pane, double-click netsvcs, and then review the service names that are listed. Scroll down to the bottom
of the list. If the computer is reinfected with Conficker, a random service name will be listed. For example, in this
If these steps do not resolve the issue, contact your antivirus software vendor. For more information about this issue, click the
following article number to view the article in the Microsoft Knowledge Base:
If you do not have an antivirus software vendor, or your antivirus software vendor cannot help, contact Microsoft Consumer Support
2. Restore the default permissions on the SVCHOST registry key and the Tasks folder. This should be reverted to the
default settings by using Group Policy settings. If a policy is only removed, the default permissions may not be changed
back. See the table of default permissions in the "Mitigation steps" section for more information.
3. Update the computer by installing any missing security updates. To do this, use Windows Update, Microsoft Windows
Server Update Services (WSUS) server, Systems Management Server (SMS), System Center Configuration Manager
(Configuration Manager 2007), or your third-party update management product. If you use SMS or Configuration Manager
2007, you must first re-enable the Server service. Otherwise, SMS or Configuration Manager 2007 may be unable to update
the system.
If you have problems identifying systems that are infected with Conficker, the details provided in the following TechNet blog may help:
http://blogs.technet.com/kfalde/archive/2009/01/28/using-logparser-eventcomb-to-find-malware.aspx
The following table shows default permissions for each operating system. These permissions are in place before you apply the changes
that we recommend in this article. These permissions may differ from the permissions that are set in your environment. Therefore, you
must note your settings before you make any changes. You must do this so that you can restore your settings after you clean the
system.
Windows Windows
Operating Windows Windows Windows
Server Server
system Vista XP 2000
2008 2003
Setting Svchost Tasks Svchost Tasks Svchost Tasks Svchost Tasks Svchost Tasks
Registry Folder Registry Folder Registry Folder Registry Folder Registry Folder
Account
Administrator Full Control Full Control Full Control Full Control Full Full Control Full Full Control Full Full Control
s (Local Control Control Control
Group)
System Full Control Full Control Full Control Full Control Full Full Control Full Full Control Full Full Control
Control Control Control
Power Users not not not not Read not Read not Read not
(Local Group) applicable applicable applicable applicable applicable applicable applicable
Users (Local Special not Special not Read not Read not Read not
Group) applicable applicable applicable applicable applicable
Query Query
Value Value
Enumerate Enumerate
Subkeys Subkeys
Notify Notify
Read Read
Control Control
Authenticated not Special not Special not not not not not not
Users applicable applicable applicable applicable applicable applicable applicable applicable
Traverse Traverse
Folder Folder
Read Read
Attributes Attributes
Read Read
Extended Extended
Attributes Attributes
Read Read
Permissions Permissions
Traverse Traverse
Folder Folder
Read Read
Attributes Attributes
Read Read
Extended Extended
Attributes Attributes
Everyone not not not not not not not not not Special
applicable applicable applicable applicable applicable applicable applicable applicable applicable
Apply to:
This folder,
subfolder
and files
Traverse
Folder
List Folder
Read
Attributes
Read
Extended
Attributes
Create Files
Create
Folders
Write
Attributes
Write
Extended
Attributes
Read
Permissions
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein
is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include
typographical errors and may be revised at any time without notice. See Terms of Usefor other considerations.