Conficker Pains

10 02 2009

I got to experience the effects of the Conficker (Downadup) worm today. Based on what I managed to find out about the virus, I learned that it spread to nearly 19 million computers in a span of twenty-four hours and that the virus is a pain to get rid of if you don’t have the right Microsoft patch. The link I’ve provided here says the following about the symptoms of the virus:

  • Account lockout policies are being tripped. We had that.
  • Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled. We had that.
  • Domain controllers respond slowly to client requests. We had that.
  • The network is congested. We had that.
  • Various security-related Web sites cannot be accessed. Don’t know, since the virus kept us on our toes, so we didn’t spend time on the Internet.

We experienced all of these symptoms today. The whole affair can become a nightmare, particularly when you show up for work the next morning and find that domain logon is impossible because the virus has locked all the domain accounts, including the administrators’. To ensure that all our accounts could be unlocked quickly, I used the following script, modified to suit my domain. To run it, go to Start > Run > cmd [Enter]; in the command prompt, use cscript to execute the script. To put the script together, open Notepad, paste in the script below, and save the file with a .vbs extension. So here is the script in its entirety for your use, courtesy of the Minasi Forum; modify it to suit your needs. You can view/copy it from here: http://docs.google.com/Doc?id=dfqrckzj_10hpmncscr

If you’re still not sure what to do to get the script running with cscript, try the following (note: I assume you have the script placed in the root of your drive):

c:\> cscript c:\script_name.vbs

That will run the script, show you on screen which accounts were locked, and at the end save a log file with all the relevant data in the root of your drive. Of course this is a very temporary measure: you will definitely find your accounts locked again after a very short time. So, with a little more thought, I decided that the best thing to do while we worked out a solution to get rid of the virus was to schedule the script to run every minute. Using the Task Scheduler, we wrapped the script in a batch file that runs it and also logs every run for future tracking. For the sake of information, here is the batch file I made:

@echo off
REM Run from Task Scheduler every minute: unlocks the accounts the worm has locked out
echo.
REM Change to the root of the drive, where adu.vbs lives and where it writes its log
cd \
cscript c:\adu.vbs
exit

I assume you know how to save a batch file, so I won’t go into the details here. But if you’re not sure about the script or the batch file, please do not do it; get someone to assist you. The next thing you need to do is check your security scripts/policies. Some organizations have a policy that after three incorrect password attempts the account is locked out for security purposes. This is the happiest possible security implementation for Conficker: it will happily bombard all your accounts until they’re all locked and then start all over again. So when you unlock one account and move to the next, it has locked the previous account again… cheeky bugger. The best thing you can do to kill the worm is to disable the account lockout policy and let the worm bombard itself to death – this will generally take about a week, so please ensure that you review the policies after this time and test them on a group of accounts to ensure that all is safe and people can come out of the bunker into the sunlight.
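The unlock-and-log loop described above, as an added PowerShell example (not the Minasi Forum VBScript the post links to), with one extra check a defender wants while the accounts keep locking: reading the domain controller’s lockout events to see which machine is driving them. It assumes the ActiveDirectory module (RSAT or Server 2008 R2 and later), rights to unlock accounts, Account Management auditing enabled on the DCs, and a log path of C:\unlock-log.txt.

```powershell
# Added example, not the post's script. Assumes the ActiveDirectory module,
# permission to unlock accounts, and Account Management auditing on the DCs.
Import-Module ActiveDirectory

$LogFile = 'C:\unlock-log.txt'   # assumed path; mirrors "root of your drive" in the post

function Unlock-LockedDomainAccounts {
    # Find every locked-out user account, unlock it, and log one line per account.
    $locked = @(Search-ADAccount -LockedOut -UsersOnly)
    foreach ($acct in $locked) {
        Unlock-ADAccount -Identity $acct.SamAccountName
        $line = '{0} unlocked {1}' -f (Get-Date -Format 's'), $acct.SamAccountName
        Write-Host $line
        Add-Content -Path $LogFile -Value $line
    }
    return $locked.Count
}

function Get-LockoutSources {
    param(
        [string]$DomainController = (Get-ADDomainController).HostName,
        [int]$Hours = 1
    )
    # Security event 4740 ("A user account was locked out") carries the
    # "Caller Computer Name" in its TargetDomainName field. Counting callers
    # over the last hour points at the host(s) hammering the accounts.
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        New-Object PSObject -Property @{
            Account = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            Caller  = ($data | Where-Object { $_.Name -eq 'TargetDomainName' }).'#text'
            Time    = $_.TimeCreated
        }
    } | Group-Object Caller | Sort-Object Count -Descending |
        Select-Object Name, Count
}

$n = Unlock-LockedDomainAccounts
Write-Host "Unlocked $n account(s); lockout callers in the last hour:"
Get-LockoutSources | Format-Table -AutoSize
```

The caller list is the part worth scheduling alongside the unlock loop: a single computer name accounting for most 4740 events is the infected host to pull off the network.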

Based on Symantec’s response, this is an alternative way of getting rid of Conficker, or at least silencing it. I think larger organizations are more likely to get the worm, particularly if flash drive usage is allowed. The only question is how soon you act on the worm once it gets in.

One response

12 02 2009
Navinesh

The dilemmas of MS OSes.