25-02-2009, 14:21   #36
Boz

Registered: Sep 2004
Location: Kiev
Posts: 2,635
Putting this here so it doesn't get lost. More info here: http://support.microsoft.com/kb/962007.

Quote:
Conficker Worm

Saturday 24 January 2009 By NeutronIC [Matthew Peddlesden]

Abstract:
Having just experienced this delight of modern software engineering (cue much gnashing of teeth) I thought I'd pass on some notes for everyone here.

Note: None of this replaces anything your virus checker can and should be doing. Please make sure your Anti Virus software is up to date AND running.

We use Sophos Enterprise at work and have found that while it happily flashes up "hey you're infected" it actually does nothing about preventing OR removing it.

Please take this seriously, there are around 9 MILLION machines infected with this worm, worldwide and it is by far the most prolific worm ever (the next most prolific was Storm, which only got to a paltry 1 million hosts).

Before we continue, if you run a network and you find any of your machines have got the worm then I strongly advise you immediately unplug and isolate every machine, either as I did by simply unplugging the switches/hubs OR if that's not viable, then just unplug every machine from the network - you will NOT be able to keep up with it replicating around your network re-infecting machines.

The Conficker worm can be detected very easily, click Start and then Run, then type “cmd” and press enter. This will start a command prompt window.

DETECTION:
From the command prompt window, type:

cd \windows\system32
dir /arsh

(*note the direction of slashes is important*)

You will probably get one entry called “dllcache”, this is fine. You should either get nothing else, OR one other entry which looks like a seemingly random collection of letters and is a DLL file.

If you do have a randomly named DLL file (e.g. bofhsd.dll) showing up with the above query then you DO have the worm/virus and should immediately remove the computer from your network.

To clean the virus:

Step 1: Stop it from running
Open task manager, click processes, find all the “svchost.exe” processes. One of them will be much bigger than the rest, usually it’s using about 25-30 megabytes of ram, but sometimes it’s less – it is however usually the biggest. Next, open a command prompt and type (but do NOT press enter) “shutdown –a”, this is useful if you shut the wrong svchost down as it will prevent the machine from rebooting. Now end-task the biggest svchost. If it says “machine shutting down in 30 seconds” – immediately press enter on the shutdown –a command and this will abort the shutdown sequence. When you find the correct one, it does NOT cause this message. Once it’s shut down you will be able to delete the DLL file.

Step 2: Remove the Worm

Please be very careful with this step if you're not familiar with explorer, deleting or moving the wrong files can render your machine unbootable.

Open Windows Explorer, navigate to C:\windows\system32. Click tools / folder options, then select the view tab. Tick “Show Hidden Files or Folders”. Untick “Hide Protected Operating System Files” and accept the warning. Now refresh the view of C:\windows\system32 and find the DLL file that you identified in the detection steps above.

Right click on the dll file and select properties. Select the Security tab. Select the “Everyone” user and then see what options are available – if the boxes below are available for selection, tick them all. If not, click advanced, select the ownership tab, highlight your user account and press “apply”, this will take ownership of the file. Press OK to come out, then go back to properties/security and you should find the boxes now available for selection. Tick them all and press ok.

You should now be able to simply DELETE the dll file. If you cannot, because it says “access denied”, this likely means that the correct svchost has not yet been stopped so you will need to go back to Step 1.

REBOOT THE MACHINE.

When it comes back up, repeat the detection steps and verify that the DLL is still not present.

If all seems ok, update your A/V again and then run a full system scan.

NOTE:
You should ensure that you have KB958644 update on your system (add/remove programs, tick the "show updates" box and scroll towards the bottom) - if you don't then do a windows update urgently.

Unfortunately while this bolts some of the doors shut, it doesn't prevent it running rampant around a network.

For those who run a network, you can help yourself a lot by making sure that nobody logs in with the administrator account, nobody has the same administrator password and nobody logs in with Domain Administrator privileges.

If you have been infected, you should also check ALL your usb keys. If you find an AUTORUN.INF file of about 58kb then the key is infected and if you have autorun still enabled on your machine then chances are good that your PC just got infected again too. REMOVE the autorun.inf file, and re-clean your machine.

DISABLE autorun:

http://features.engadget.com/2004/06...un-on-windows/

Disabling autorun will mean that inserting CDs or USB drives will no longer pop up nice menus and things, but it will also prevent things like Conficker from re-installing themselves onto your computer.

Hope this helps someone!
PS: Almost forgot - microsoft are jerks
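The manual checks in the quoted post (the `dir /arsh` listing, picking the right svchost.exe, the USB autorun.inf sweep, the KB958644 check and the autorun policy) can be scripted for triage. The script below is an added example written for this page; it is not from the original post, from Microsoft or from Sophos. It assumes a modern PowerShell (3.0 or later, for Get-CimInstance) in an elevated prompt on the machine being inspected; the function names are my own, the registry value NoDriveTypeAutoRun is the standard Explorer autorun policy, and 0xFF is the value that disables autorun for every drive type. Rather than guessing the worm's svchost by memory size, it asks each svchost.exe whether the suspicious DLL is actually mapped into it.

```powershell
# Added example (not part of the original post): PowerShell triage for the
# Conficker checks described above. Run elevated; module enumeration and
# Get-Acl on System32 files need administrator rights.

# 1. Equivalent of `dir /arsh` in System32: files that are Read-only AND
#    System AND Hidden. The dllcache entry the post mentions is a directory,
#    so -File leaves it out; any .dll that matches deserves a look.
function Get-HiddenSystemDlls {
    param([string]$Dir = (Join-Path $env:SystemRoot 'System32'))
    $want = [IO.FileAttributes]::ReadOnly -bor [IO.FileAttributes]::System -bor [IO.FileAttributes]::Hidden
    Get-ChildItem -LiteralPath $Dir -Force -File -ErrorAction SilentlyContinue |
        Where-Object { (($_.Attributes -band $want) -eq $want) -and ($_.Extension -ieq '.dll') } |
        Select-Object FullName, Length, LastWriteTime,
            @{ Name = 'Owner'; Expression = { (Get-Acl -LiteralPath $_.FullName).Owner } }
}

# 2. Instead of guessing by working-set size, find the svchost.exe that has
#    the suspicious DLL loaded. Protected processes throw on .Modules, so
#    treat an access error as "not this one".
function Find-HostingSvchost {
    param([Parameter(Mandatory)][string]$DllName)
    Get-Process -Name svchost -ErrorAction SilentlyContinue |
        Where-Object { try { $_.Modules.ModuleName -contains $DllName } catch { $false } } |
        Select-Object Id, ProcessName,
            @{ Name = 'WorkingSetMB'; Expression = { [int]($_.WorkingSet64 / 1MB) } }
}

# 3. Look for autorun.inf on every removable drive (Win32_LogicalDisk
#    DriveType 2 = removable disk, i.e. USB keys).
function Get-RemovableAutorunInf {
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $inf = Join-Path ($_.DeviceID + '\') 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            Get-Item -LiteralPath $inf -Force | Select-Object FullName, Length, Attributes
        }
    }
}

# 4. Patch state (KB958644, the update the post says must be present) and the
#    Explorer autorun policy: NoDriveTypeAutoRun = 0xFF disables all drive types.
function Test-Kb958644Installed {
    [bool](Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue)
}

function Test-AutorunDisabled {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    ($null -ne $val) -and (($val -band 0xFF) -eq 0xFF)
}

# Report
$dlls = @(Get-HiddenSystemDlls)
if ($dlls.Count -eq 0) { 'No hidden+system+read-only DLLs in System32.' }
foreach ($d in $dlls) {
    "SUSPECT: $($d.FullName) ($($d.Length) bytes, owner $($d.Owner), modified $($d.LastWriteTime))"
    Find-HostingSvchost -DllName (Split-Path $d.FullName -Leaf) |
        ForEach-Object { "  loaded by svchost.exe PID $($_.Id) (~$($_.WorkingSetMB) MB)" }
}
Get-RemovableAutorunInf |
    ForEach-Object { "autorun.inf on removable drive: $($_.FullName) ($($_.Length) bytes)" }
"KB958644 installed : $(Test-Kb958644Installed)"
"Autorun disabled   : $(Test-AutorunDisabled)"
```

The script only reports; stopping the identified svchost.exe, taking ownership and deleting the file remain the manual steps the post describes, and the PID it prints is the one to end-task in Step 1 so that the `shutdown -a` safety net is less likely to be needed. As the post says, none of this replaces an up-to-date anti-virus scan afterwards.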