Infected with Conficker Worm.
Some or all of the following symptoms are present:
Network slowdown caused by infected machines hammering each other
Heavy traffic on ports 139 and 445
Machines trying to access many gibberish domains
Machines constantly broadcasting (pinging) other machines
Accounts constantly getting locked out as the worm tries to crack passwords, which results in failed logins
Many 529, 675, 680, 681 events in security logs on servers. (All basically pointing to audit failure failed logins)
The following services may be stopped or disabled on infected machines:
Background Intelligent Transfer Service
Windows Defender (if installed and not disabled by VIPRE already)
Blocks certain DNS lookups
Exploits MS08-067 vulnerability in Server service
Does an in-memory patch of DNSAPI.DLL to block lookups of anti-malware related web sites
Disables Safe Mode
Scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals
All Supported Environments
The first step is to implement the steps in this Microsoft KB article. http://support.microsoft.com/kb/962007 This has to be accomplished first, or any fixes that are applied will be undone by the worm. (Please follow the article carefully. Modifying the permissions on the svchost key incorrectly can lead to total network outage resulting in having to fix every machine manually on the entire network.)
Ensure that all the Windows machines on your network are protected by VIPRE. Agents must be up to at least version 3.1.2848 to be fully protected from this threat. If there are any Agents not up to that version, or if there are any machines that do not currently have VIPRE installed, they will be the likely source of continued problems in removing Conficker.
Infected machines on the network must be located and cleaned. To do this we recommend a utility called NMAP. NMAP has built-in Conficker detection and can accurately point out infected machines by analyzing the type of network traffic that they produce. NMAP will not clean the machines identified, it simply tells you which machines need to be deep scanned and rebooted. You can download the NMAP Windows installer here: http://nmap.org/dist/nmap-5.51-setup.exe
During installation, NMAP will install WinPCap. You will need to allow this. WinPCap may already have been installed by another network sniffer. NMAP will ask to uninstall old version and install new. This is OK. You do not need the NPF service to auto-run. It will start as needed when you run NMAP. You likely will want it to add itself to system variables so Windows knows where NMAP lives no matter where the cmd prompt is running from. The machine you install this on usually requires a reboot, so it might be a good idea not to put it on servers running business-critical services that cannot be interrupted. It should not require restart unless you want NPF service to auto start which is really not needed. After the install is complete, the following procedure will direct NMAP to go hunting for any machines exhibiting Conficker like behavior.
The command to locate infected machines: (from an open cmd prompt) "nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=safe=1 -T4 -vv -p445 [target_networks] > outputfile.txt" Example: "nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=safe=1 -T4 -vv -p445 192.168.1.0-254 > c:\logs\conficker_scan1.txt" The resulting text files is a list of machines that will need a VIPRE deep scan. You may want to run NMAP scans in smaller sections of the network at a time so you do not have large log files to look through. ***Don't change the safe=1 switch or you may crash machines.***Other than the IP range and output log files, you can leave the rest of the string of commands "as is" for best results and highest safety. If you have more than one subnet -- you will need to scan each one separately.
The machines showing under the "likely infected" list are the ones you are most interested in. If VIPRE is installed on the machines, scanned & nothing is found they may just need a reboot to finish removing the worm from memory. If the machines are not rebooted they will continue to generate traffic. If rebooting does not help -- it is possible that the ms08-067 patch either is not installed or has been patched by Conficker itself so will need re-installing.
Once the identified machines have been scanned, cleaned and rebooted you will want to perform a couple more rounds of running NMAP to be certain there are no other infected machines online. Once that is done Conficker traffic should slow and then disappear as the infected machines that were causing it become clean through this process.
Once you are comfortable that everything is cleaned up and you want to lift the restrictions set earlier, you can do so now.
If you applied the GPO according to the Microsoft kb962007 article you cannot simply delete the GPO because doing that will leave the systems in a 'locked down' state.
You will need to lift the restrictions set on the svchost registry key & the windows tasks folder otherwise you may run into issues down the road installing windows updates or any other software that needs write access to those objects.
You should be able to edit the GPO & inherit the permissions from parent objects to restore the default permissions.
The MS article you used to apply the GPO has instructions for resetting the permissions. This should be left in place for a few days to ensure all the PCs on the network get the updated GPO.
You may consider leaving autorun disabled as an added layer of security against threats that use that method to spread.
VIPRE policy configuration recommendations
The policies where the general users are in I would leave the on access at half
This should not have any performance issues yet give VIPRE the chance to react faster to incoming threats before they have a chance to try to execute
If the servers run fine while at the 1/2 way setting It will not hurt to leave them at that
As long as you have the recommended exclusions in place performance shouldn't be hindered
Scanning USB devices should be left enabled across the board
Scanning rootkits should be left enabled across the board
If anything gets through ever again those settings should give you the earliest possible warning so it will be easier to contain to a much more limited number of machines if it does get on more than one.
W32.Downadup, also known as Conficker by some news agencies and
antivirus vendors, is an extremely interesting piece of malicious code
and one of the most prolific worms in recent years. It has an extremely
large infection base – estimated to be upwards of 3 million computers -
that have the potential to do a lot of damage. This is largely
attributed to the fact that it is capable of exploiting computers that
are running unpatched Windows XP SP2 and Windows 2003 SP1 systems. Other
worms released over the past few years have largely targeted older
system versions, which have an ever decreasing distribution.
W32.Downadup spreads primarily by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
(BID 31874), which was first discovered in late-October of 2008. It
scans the network for vulnerable hosts, but instead of flooding it
with traffic, it selectively queries various computers in an attempt to
mask its traffic instead. It also takes advantage of Universal Plug
and Play to pass through routers and gateways.
It also attempts to spread to network shares by brute-forcing
commonly used network passwords and by copying itself to removable
It has the ability to update itself or receive additional files for
execution. It does this by generating a large number of new domains to
connect to every day. The worm may also receive and execute files
through a peer-to-peer mechanism by communicating with other
compromised computers, which are seeded into the botnet by the malware
The worm blocks access to predetermined security-related websites
so that it appears that the network request timed out. Furthermore, it
deletes registry entries to disable certain security-related software,
prevent access to Safe Mode, and to disable Windows Security Alert
Download Removal tool : https://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99