conficker.d is installed by previous variants of win32
TRANSCRIPT
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
1/40
Win32/Conficker has multiple propagation methods. These include the following:
* Exploitation of the vulnerability that is patched by security update 958644 (MS08-067)* The use of network shares
* The use of AutoPlay functionality
Therefore, you must be careful when you clean a network so that the threat is not reintroduced to
systems that have previously been cleaned.
Note The Win32/Conficker.D variant does not spread to removable drives or shared folders over a
network. Win32/Conficker.D is installed by previous variants of Win32/Conficker.
Back to the top
PreventionUse strong administrator passwords that are unique for all computers.Do not log...
* Use strong administrator passwords that are unique for all computers.* Do not log on to computers by using Domain Admin credentials or credentials that have access to
all computers.
* Make sure all systems have the latest security updates applied.* Disable the Autoplay features. For more information, see step 3 of the "Create a Group Policy
object" section.
* Remove excessive rights to shares. This includes removing write permissions to the root of anyshare.
Back to the top
Mitigation stepsStop Win32/Conficker from spreading by using Group Policy settings NotesImportan...
Stop Win32/Conficker from spreading by using Group Policy settings
Notes
* Important Make sure that you document any current settings before you make any of the changes
that are suggested in this article.* This procedure does not remove the Conficker malware from the system. This procedure only
stops the spread of the malware. You should use an antivirus product to remove the Conficker malware
from the system. Or, follow the steps in the "Manual steps to remove the Win32/Conficker virus"
section of this Knowledge Base article to manually remove the malware from the system.* You may be unable to correctly install applications, service packs, or other updates while the
permission changes that are recommended in the following steps are in place. This includes, but is not
limited to, applying updates by using Windows Update, Microsoft Windows Server Update Services(WSUS) server, and System Center Configuration Manager (SCCM), as these products rely on
components of Automatic Updates. Make sure that you change the permissions back to default settings
after you clean the system.* For information about the default permissions for the SVCHOST registry key and the Tasks Folder
that are mentioned in the "Create a Group Policy object" section, see the Default permissions table at
the end of this article.
Back to the top
Create a Group Policy object
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
2/40
Create a new Group Policy object (GPO) that applies to all computers in a specific organizational unit
(OU), site, or domain, as required in your environment.
To do this, follow these steps:
1. Set the policy to remove write permissions to the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SvchostThis prevents the randomly named malware service from being created in the netsvcs registry
value.
To do this, follow these steps:
1. Open the Group Policy Management Console (GPMC).
2. Create a new GPO. Give it any name that you want.
3. Open the new GPO, and then move to the following folder:Computer Configuration\Windows Settings\Security Settings\Registry
4. Right-click Registry, and then click Add Key.
5. In the Select Registry Key dialog box, expand Machine, and then move to the following folder:Software\Microsoft\Windows NT\CurrentVersion\Svchost
6. Click OK.
7. In the dialog box that opens, click to clear the Full Control check box for both Administratorsand System.
8. Click OK.
9. In the Add Object dialog box, click Replace existing permissions on all subkeys withinheritable permissions.
10. Click OK.
2. Set the policy to remove write permissions to the %windir%\Tasks folder. This prevents the
Conficker malware from creating the Scheduled Tasks that can reinfect the system.
To do this, follow these steps:
1. In the same GPO that you created earlier, move to the following folder:Computer Configuration\Windows Settings\Security Settings\File System
2. Right-click File System, and then click Add File.
3. In the Add a file or folder dialog box, browse to the %windir%\Tasks folder. Make sure thatTasks is highlighted and listed in the Folder dialog box.
4. Click OK.
5. In the dialog box that opens, click to clear the check boxes for Full Control, Modify, and Write
for both Administrators and System.6. Click OK.
7. In the Add Object dialog box, click Replace existing permissions on all subkeys with
inheritable permissions.8. Click OK.
3. Set AutoPlay (Autorun) features to disabled. This keeps the Conficker malware from spreading by
using the AutoPlay features that are built into Windows.
Note Depending on the version of Windows that you are using, there are different updates that you
must have installed to correctly disable the Autorun functionality:* To disable the Autorun functionality in Windows Vista or in Windows Server 2008, you must
have security update 950582 (http://support.microsoft.com/kb/950582) installed (described in security
bulletin MS08-038).
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
3/40
* To disable the Autorun functionality in Windows XP, in Windows Server 2003, or in Windows
2000, you must have security update 950582 (http://support.microsoft.com/kb/950582) , update 967715
(http://support.microsoft.com/kb/967715) , or update 953252 (http://support.microsoft.com/kb/953252)
installed.To set AutoPlay (Autorun) features to disabled, follow these steps:
1. In the same GPO that you created earlier, move to one of the following folders:
* For a Windows Server 2003 domain, move to the following folder:Computer Configuration\Administrative Templates\System
* For a Windows 2008 domain, move to the following folder:
Computer Configuration\Administrative Templates\Windows Components\AutoplayPolicies
2. Open the Turn off Autoplay policy.
3. In the Turn off Autoplay dialog box, click Enabled.
4. In the drop-down menu, click All drives.5. Click OK.
4. Close the Group Policy Management Console.
5. Link the newly created GPO to the location that you want it to apply to.6. Allow for enough time for Group Policy settings to update to all computers. Generally, Group
Policy replication takes five minutes to replicate to each domain controller, and then 90 minutes to
replicate to the rest of the systems. A couple hours should be enough. However, more time may berequired, depending on the environment.
7. After the Group Policy settings have propagated, clean the systems of malware.
To do this, follow these steps:
1. Run full antivirus scans on all computers.
2. If your antivirus software does not detect Conficker, you can use the Malicious Software
Removal Tool (MSRT) to clean the malware. For more information, visit the following Microsoft Webpage:
http://www.microsoft.com/security/malwareremove/default.mspx
(http://www.microsoft.com/security/malwareremove/default.mspx)Note You may have to follow some manual steps to clean up all the effects of the malware. We
recommend that you review the steps that are listed in the "Manual steps to remove the
Win32/Conficker virus" section of this article to clean up all the effects of the malware.
Back to the top
Recovery
Run the Malicious Software Removal tool The Microsoft Malware Protection Center...Run the Malicious Software Removal tool
The Microsoft Malware Protection Center has updated the Malicious Software Removal tool (MSRT).
This is a stand-alone binary that is useful in the removal of prevalent malicious software, and it canhelp remove the Win32/Conficker malware family.
Note The MSRT does not prevent reinfection because it is not a real-time antivirus program.
You can download the MSRT from either of the following Microsoft Web sites:
http://www.update.microsoft.com (http://www.update.microsoft.com)http://support.microsoft.com/kb/890830 (http://support.microsoft.com/kb/890830)
For more information about specific deployment details for the MSRT, click the following article
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
4/40
number to view the article in the Microsoft Knowledge Base:
891716 (http://support.microsoft.com/kb/891716/ ) Deployment of the Microsoft Windows Malicious
Software Removal Tool in an enterprise environment
Note The Stand-Alone System Sweeper tool will also remove this infection. This tool is available as acomponent of the Microsoft Desktop Optimization Pack 6.0 or through Customer Service and Support.
To obtain the Microsoft Desktop Optimization Pack, visit the following Microsoft Web site:
http://www.microsoft.com/windows/enterprise/technologies/mdop.aspx(http://www.microsoft.com/windows/enterprise/technologies/mdop.aspx)
If Windows Live OneCare or Microsoft Forefront Client Security is running on the system, these
programs also block the threat before it is installed.Back to the top
Manual steps to remove the Win32/Conficker virus
Notes
* These manual steps are not required any longer and should only be used if you have no antivirus
software to remove the Conficker virus.
* Depending on the Win32/Conficker variant that the computer is infected with, some of these valuesreferred to in this section may not have been changed by the virus.
The following detailed steps can help you manually remove Conficker from a system:
1. Log on to the system by using a local account.
Important Do not log on to the system by using a Domain account, if it is possible. Especially, do
not log on by using a Domain Admin account. The malware impersonates the logged on user and
accesses network resources by using the logged on user credentials. This behavior allows for the
malware to spread.2. Stop the Server service. This removes the Admin shares from the system so that the malware
cannot spread by using this method.
Note The Server service should only be disabled temporarily while you clean up the malware in
your environment. This is especially true on production servers because this step will affect network
resource availability. As soon as the environment is cleaned up, the Server service can be re-enabled.
To stop the Server service, use the Services Microsoft Management Console (MMC). To do this,
follow these steps:
1. Depending on your system, do the following:* In Windows Vista and Windows Server 2008, click Start, type services.msc in the Start
Search box, and then click services.msc in the Programs list.
* In Windows 2000, Windows XP, and Windows Server 2003, click Start, click Run, typeservices.msc, and then click OK.
2. Double-click Server.
3. Click Stop.4. Select Disabled in the Startup type box.
5. Click Apply.
3. Remove all AT-created scheduled tasks. To do this, type AT /Delete /Yes at a command prompt.4. Stop the Task Scheduler service.
* To stop the Task Scheduler service in Windows 2000, Windows XP, and Windows Server 2003,
use the Services Microsoft Management Console (MMC) or the SC.exe utility.
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
5/40
To stop the Task Scheduler service in Windows Vista or in Windows Server 2008,
follow these steps.
Rt rwImportant This section, method, or task contains steps that tell you how to modify the registry.
However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure
that you follow these steps carefully. For added protection, back up the registry before you modify it.
Then, you can restore the registry if a problem occurs. For more information about how to back up andrestore the registry, click the following article number to view the article in the Microsoft Knowledge
Base:
322756 (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in
Windows1. Click Start, type regedit in the Start Search box, and then click regedit.exe in the Programs
list.
2. Locate and then click the following registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
3. In the details pane, right-click the Start DWORD entry, and then click Modify.
4. In the Value data box, type 4, and then click OK.
5. Exit Registry Editor, and then restart the computer.
Note The Task Scheduler service should only be disabled temporarily while you clean upthe malware in your environment. This is especially true on Windows Vista and Windows Server 2008
because this step will affect various built-in Scheduled Tasks. As soon as the environment is cleaned
up, re-enable the Server service.
5. Download and manually install security update 958644 (MS08-067). For more information, visitthe following Microsoft Web site:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
(http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx)Note This site may be blocked because of the malware infection. In this scenario, you must
download the update from an uninfected computer, and then transfer the update file to the infectedsystem. We recommend that you burn the update to a CD because the burned CD is not writable.Therefore, it cannot be infected. If a recordable CD drive is not available, a removable USB memory
drive may be the only way to copy the update to the infected system. If you use a removable drive, be
aware that the malware can infect the drive with an Autorun.inf file. After you copy the update to the
removable drive, make sure that you change the drive to read-only mode, if the option is available foryour device. If read-only mode is available, it is typically enabled by using a physical switch on the
device. Then, after you copy the update file to the infected computer, check the removable drive to see
whether an Autorun.inf file was written to the drive. If it was, rename the Autorun.inf file to something
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
6/40
like Autorun.bad so that it cannot run when the removable drive is connected to a computer.
6. Reset any Local Admin and Domain Admin passwords to use a new strong password. For more
information, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/cc875814.aspx (http://technet.microsoft.com/en-us/library/cc875814.aspx)
7. In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost8. In the details pane, right-click the netsvcs entry, and then click Modify.
9. If the computer is infected with the Win32/Conficker virus, a random service name will be listed.
Note With Win32/Conficker.B, the service name was random letters and was at the bottom of the
list. With later variants, the service name may be anywhere in the list and may seem to be more
legitimate. If the random service name is not at the bottom, compare your system with the "Services
table" in this procedure to determine which service name may have been added by Win32/Conficker.To verify, compare the list in the "Services table" with a similar system that is known not to be infected.
Note the name of the malware service. You will need this information later in this procedure.10. Delete the line that contains the reference to the malware service. Make sure that you leave a
blank line feed under the last legitimate entry that is listed, and then click OK.
Notes about the Services table
* All the entries in the Services table are valid entries, except for the items that are highlighted in
bold.* The items that are highlighted in bold are examples of what the Win32/Conficker virus may
add to the netsvcs value in the SVCHOST registry key.
* This may not be a complete list of services, depending on what is installed on the system.
* The Services table is from a default installation of Windows.* The entry that the Win32/Conficker virus adds to the list is an obfuscation technique. The
highlighted, malicious entry that is supposed to resemble the first letter is a lowercase "L." However, it
is actually an uppercase "I." Because of the font that is used by the operating system, the uppercase "I"seems to be a lowercase "L."
Services table
Collapse this tableExpand this tableWindows Server 2008 Windows Vista Windows Server 2003 Windows XP
Windows 2000
AeLookupSvc AeLookupSvcAppMgmt 6to4 EventSystem
wercplsupport wercplsupport AudioSrv AppMgmt IasThemes Themes Browser AudioSrv Iprip
CertPropSvc CertPropSvc CryptSvc Browser Irmon
SCPolicySvc SCPolicySvc DMServer CryptSvc Netmanlanmanserver lanmanserver EventSystem DMServer Nwsapagent
gpsvc gpsvc HidServ DHCP Rasauto
IKEEXT IKEEXT Ias ERSvc IaslogonAudioSrv AudioSrv Iprip EventSystem Rasman
FastUserSwitchingCompatibilityFastUserSwitchingCompatibility Irmon
FastUserSwitchingCompatibility RemoteaccessIas Ias LanmanServerHidServ SENS
Irmon Irmon LanmanWorkstation Ias Sharedaccess
NlaNla Messenger Iprip Ntmssvc
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
7/40
Ntmssvc Ntmssvc Netman Irmon wzcsvc
NWCWorkstation NWCWorkstation Nla LanmanServer
Nwsapagent Nwsapagent Ntmssvc LanmanWorkstation
Rasauto Rasauto NWCWorkstation Messenger Rasman Rasman Nwsapagent Netman
Iaslogon Iaslogon Iaslogon Iaslogon
Remoteaccess Remoteaccess Rasauto NlaSENS SENS Rasman Ntmssvc
Sharedaccess Sharedaccess Remoteaccess NWCWorkstation
RtrwRt
rwRt
rwRt
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
8/40
rwRt
rwRt
rwRt
rwRt
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
9/40
rwRt rw
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
10/40
SRService SRService Sacsvr Nwsapagent
Tapisrv Tapisrv Schedule Rasauto
Wmi Wmi Seclogon RasmanWmdmPmSp WmdmPmSp SENS Remoteaccess
TermService TermService Sharedaccess Schedule
wuauserv wuauserv Themes Seclogon
BITS BITS TrkWks SENS
ShellHWDetection ShellHWDetection TrkSvr SharedaccessLogonHours LogonHours W32Time SRService
PCAudit PCAudit WZCSVC Tapisrvhelpsvc helpsvc Wmi Themes
uploadmgruploadmgr WmdmPmSp TrkWks
iphlpsvc iphlpsvc winmgmt W32Timeseclogon seclogon wuauserv WZCSVC
AppInfo AppInfo BITS Wmi
msiscsi msiscsiShellHWDetection WmdmPmSp
MMCSS MMCSS uploadmgr winmgmtbrowser ProfSvc WmdmPmSN TermService
winmgmt EapHost xmlprov wuauservSessionEnv winmgmt AeLookupSvc BITSProfSvc schedule helpsvc ShellHWDetection
EapHost SessionEnv helpsvc
hkmsvc browser xmlprovschedule hkmsvc wscsvc
AppMgmt AppMgmt WmdmPmSN
sacsvr hkmsvc11. In a previous procedure, you noted the name of the malware service. In our example, the name of
the malware entry was "Iaslogon." Using this information, follow these steps:
1. In Registry Editor, locate and then click the following registry subkey, where BadServiceName
is the name of the malware service:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BadServiceName
For example, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iaslogon2. Right-click the subkey in the navigation pane for the malware service name, and then click
Permissions.
3. In the Permissions Entry for SvcHost dialog box, click Advanced.4. In the Advanced Security Settings dialog box, click to select both of the following check boxes:
Inherit from parent the permission entries that apply to child objects. Include these with entries
explicitly defined here.
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
11/40
Replace permission entries on all child objects with entries shown here that apply to child
objects.
12. Press F5 to update Registry Editor. In the details pane, you can now see and edit the malware DLLthat loads as "ServiceDll." To do this, follow these steps:
1. Double-click the ServiceDll entry.
2. Note the path of the referenced DLL. You will need this information later in this procedure. Forexample, the path of the referenced DLL may resemble the following:
%SystemRoot%\System32\doieuln.dll
Rename the reference to resemble the following:
%SystemRoot%\System32\doieuln.old
3. Click OK.
13. Remove the malware service entry from the Run subkey in the registry.1. In Registry Editor, locate and then click the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run2. In both subkeys, locate any entry that begins with "rundll32.exe" and also references the
malware DLL that loads as "ServiceDll" that you identified in step 12b. Delete the entry.
3. Exit Registry Editor, and then restart the computer.14. Check for Autorun.inf files on any drives on the system. Use Notepad to open each file, and then
verify that it is a valid Autorun.inf file. The following is an example of a typical valid Autorun.inf file.
[autorun]
shellexecute=Servers\splash.hta *DVD*
icon=Servers\autorun.ico
A valid Autorun.inf is typically 1 to 2 kilobytes (KB).15. Delete any Autorun.inf files that do not seem to be valid.
16. Restart the computer.
17. Make hidden files visible. To do this, type the following command at a command prompt:
reg.exe addHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWA
LL /v CheckedValue /t REG_DWORD /d 0x1 /f
18. Set Show hidden files and folders so that you can see the file. To do this, follow these steps:1. In step 12b, you noted the path of the referenced .dll file for the malware. For example, you
noted a path that resembles the following:
%systemroot%\System32\doieuln.dllIn Windows Explorer, open the %systemroot%\System32 directory or the directory that
contains the malware.
2. Click Tools, and then click Folder Options.3. Click the View tab.
4. Select the Show hidden files and folders check box.
5. Click OK.
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
12/40
19. Select the .dll file.
20. Edit the permissions on the file to add Full Control for Everyone. To do this, follow these steps:
1. Right-click the .dll file, and then click Properties.
2. Click the Security tab.3. Click Everyone, and then click to select the Full Control check box in the Allow column.
4. Click OK.
21. Delete the referenced .dll file for the malware. For example, delete the %systemroot%\System32\doieuln.dll file.
22. Enable the BITS, Automatic Updates, Error Reporting, and Windows Defender services by using
the Services Microsoft Management Console (MMC).23. Turn off Autorun to help reduce the effect of any reinfection. To do this, follow these steps:
1. Depending on your system, install one of the following updates:
* If you are running Windows 2000, Windows XP, or Windows Server 2003, install update
967715. For more information, click the following article number to view the article in the MicrosoftKnowledge Base:
967715 (http://support.microsoft.com/kb/967715/ ) How to disable the Autorun
functionality in Windows* If you are running Windows Vista or Windows Server 2008, install security update 950582.
For more information, click the following article number to view the article in the Microsoft
Knowledge Base:950582 (http://support.microsoft.com/kb/950582/ ) MS08-038: Vulnerability in Windows
Explorer could allow remote code execution
Note Update 967715 and security update 950582 are not related to this malware issue. Theseupdates must be installed to enable the registry function in step 23b.
2. Type the following command at a command prompt:
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v
NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f24. If the system is running Windows Defender, re-enable the Windows Defender autostart location.
To do this, type the following command at the command prompt:
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender"/t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe hide" /f
25. For Windows Vista and later operating systems, the malware changes the global setting for TCP
Receive Window Autotuning to disabled. To change this setting back, type the following command at acommand prompt:
netsh interface tcp set global autotuning=normal
If, after you complete this procedure, the computer seems to be reinfected, either of the followingconditions may be true:
* One of the autostart locations was not removed. For example, either the AT job was not removed oran Autorun.inf file was not removed.
* The security update for MS08-067 was installed incorrectly.
This malware may change other settings that are not addressed in this article. Please visit the following
Microsoft Malware Protection Center Web page for the latest details about Win32/Conficker:
http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker(http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker)
Back to the top
Verify that the system is clean
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
13/40
Verify that the following services are started:
* Automatic Updates (wuauserv)
* Background Intelligent Transfer Service (BITS)* Windows Defender (windefend) (if applicable)
* Windows Error Reporting Service
To do this, type the following commands at the command prompt. Press ENTER after each command:
Sc.exe query wuauservSc.exe query bits
Sc.exe query windefend
Sc.exe query ersvc
After each command runs, you will receive a message that resembles the following:
SERVICE_NAME: wuauserv
TYPE : 20 WIN32_SHARE_PROCESSSTATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0In this example, "STATE : 4 RUNNING" indicates that the service is running.
To verify the status of the SvcHost registry subkey, follow these steps:
1. In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
2. In the details pane, double-click netsvcs, and then review the service names that are listed. Scrolldown to the bottom of the list. If the computer is reinfected with Conficker, a random service name will
be listed. For example, in this procedure, the name of the malware service is "Iaslogon."
If these steps do not resolve the issue, contact your antivirus software vendor. For more information
about this issue, click the following article number to view the article in the Microsoft Knowledge
Base:
49500 (http://support.microsoft.com/kb/49500/ ) List of antivirus software vendorsIf you do not have an antivirus software vendor, or your antivirus software vendor cannot help, contact
Microsoft Consumer Support Services for more help.
Back to the topAfter the environment is fully cleaned
After the environment is fully cleaned, follow these steps:
1. Re-enable the Server service and the Task Scheduler service.
2. Restore the default permissions on the SVCHOST registry key and the Tasks folder. This should be
reverted to the default settings by using Group Policy settings. If a policy is only removed, the defaultpermissions may not be changed back. See the table of default permissions in the "Mitigation steps"
section for more information.
3. Update the computer by installing any missing security updates. To do this, use Windows Update,
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
14/40
Microsoft Windows Server Update Services (WSUS) server, Systems Management Server (SMS),
System Center Configuration Manager (SCCM), or your third-party update management product. If
you use SMS or SCCM, you must first re-enable the Server service. Otherwise, SMS or SCCM may be
unable to update the system.
Back to the top
Identifying infected systemsIf you have problems identifying systems that are infected with Conficker, the...
If you have problems identifying systems that are infected with Conficker, the details provided in the
following TechNet blog may help:http://blogs.technet.com/kfalde/archive/2009/01/28/using-logparser-eventcomb-to-find-malware.aspx
(http://blogs.technet.com/kfalde/archive/2009/01/28/using-logparser-eventcomb-to-find-malware.aspx)
Back to the top
Default permissions tableThe following table shows default permissions for each operating system. These...
The following table shows default permissions for each operating system. These permissions are in
place before you apply the changes that we recommend in this article. These permissions may differfrom the permissions that are set in your environment. Therefore, you must note your settings before
you make any changes. You must do this so that you can restore your settings after you clean the
system.Collapse this tableExpand this table
Operating system Windows Server 2008 Windows Vista Windows
Server 2003 Windows XP Windows 2000SettingSvchost Registry Tasks Folder Svchost Registry Tasks Folder Svchost Registry
Tasks Folder Svchost Registry Tasks Folder Svchost Registry Tasks Folder
Account
Administrators (Local Group) Full Control Full Control Full Control Full Control FullControl Full Control Full Control Full Control Full Control Full Control
SystemFull Control Full Control Full Control Full Control Full Control Full Control Full
Control Full Control Full Control Full ControlPower Users (Local Group) not applicable not applicable not applicable not applicable Read not
applicable Read not applicable Read not applicable
Users (Local Group) Special not applicable Specialnot applicable Read not applicable Readnot applicable Read not applicable
Apply to: This key and subkeys Apply to: This key and subkeys
Query Value Query ValueEnumerate Subkeys Enumerate Subkeys
Notify Notify
Read Control Read ControlAuthenticated Users not applicable Specialnot applicable Specialnot applicable not applicable not
applicable not applicable not applicable not applicable
Apply to: This folder only Apply to: This folder only
Traverse Folder Traverse Folder
List Folder List Folder Read Attributes Read Attributes
Read Extended Attributes Read Extended Attributes
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
15/40
Create Files Create Files
Read Permissions Read Permissions
Backup Operators (Local Group) not applicable not applicable not applicable not applicable not
applicable Specialnot applicable SpecialApply to: This folder only Apply to: This folder
only
Traverse Folder Traverse Folder List Folder List Folder
Read Attributes Read Attributes
Read Extended Attributes Read ExtendedAttributes
Create Files Create Files
Read Permissions Read Permissions
Everyone not applicable not applicable not applicable not applicable not applicable not applicablenot applicable not applicable not applicable Special
Apply to: This folder,
subfolder and filesTraverse Folder
List Folder
Read AttributesRead Extended Attributes
Create Files
Create FoldersWrite Attributes
Write Extended Attributes
Read Permissions
Back to the topAPPLIES TO
* Windows Server 2008 Datacenter without Hyper-V* Windows Server 2008 Enterprise without Hyper-V
* Windows Server 2008 for Itanium-Based Systems
* Windows Server 2008 Standard without Hyper-V* Windows Server 2008 Datacenter
* Windows Server 2008 Enterprise
* Windows Server 2008 Standard
* Windows Web Server 2008* Windows Vista Service Pack 1, when used with:
o Windows Vista Business
o Windows Vista Enterpriseo Windows Vista Home Basic
o Windows Vista Home Premium
o Windows Vista Startero Windows Vista Ultimate
o Windows Vista Enterprise 64-bit Edition
o Windows Vista Home Basic 64-bit Editiono Windows Vista Home Premium 64-bit Edition
o Windows Vista Ultimate 64-bit Edition
o Windows Vista Business 64-bit Edition
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
16/40
* Microsoft Windows Server 2003 Service Pack 1, when used with:
o Microsoft Windows Server 2003, Standard Edition (32-bit x86)
o Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
o Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)o Microsoft Windows Server 2003, Web Edition
o Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
o Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems* Microsoft Windows Server 2003, Datacenter x64 Edition
* Microsoft Windows Server 2003, Enterprise x64 Edition
* Microsoft Windows Server 2003, Standard x64 Edition* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 Service Pack 2, when used with:
o Microsoft Windows Server 2003, Standard Edition (32-bit x86)
o Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)o Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
o Microsoft Windows Server 2003, Web Edition
o Microsoft Windows Server 2003, Datacenter x64 Editiono Microsoft Windows Server 2003, Enterprise x64 Edition
o Microsoft Windows Server 2003, Standard x64 Edition
o Microsoft Windows XP Professional x64 Editiono Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
o Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
* Microsoft Windows XP Service Pack 2, when used with:o Microsoft Windows XP Home Edition
o Microsoft Windows XP Professional
* Microsoft Windows XP Service Pack 3, when used with:
o Microsoft Windows XP Home Editiono Microsoft Windows XP Professional
* Microsoft Windows 2000 Service Pack 4, when used with:
o Microsoft Windows 2000 Advanced Servero Microsoft Windows 2000 Datacenter Server
o Microsoft Windows 2000 Professional Edition
o Microsoft Windows 2000 Server
Back to the top
Keywords:
kbregistry kbexpertiseinter kbsecurity kbsecvulnerability kbsurveynew KB962007Back to the top
Other ResourcesOther Support Sites
* Solution Centers* Microsoft Fix It Solutions
* Windows Help and How-to
* Office Online* Microsoft Partner Network
Community
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
17/40
* Answers Forums
* Technet Forums
* Microsoft Developer Network (MSDN)
Get Help Now
Contact a Support Professional by Email, Online, or PhoneArticle Translations
Search related topics
* Http support.Microsoft.com kb 962007
* Conficker virus symptoms
* Conficker.worm removal tool* Removing conficker
* Conficker patch Microsoft download
Related Support Centers
* Windows Server 2008* Windows Server
* Windows Vista
* Windows Vista Enterprise* Windows Server 2003
* Windows XP Professional x64 Edition
* Windows XP
* Windows XP Service Pack 2* Windows 2000
Page Tools
* Print this page
* E-mail this page
Get Help Now
Contact a support professional by E-mail, Online, or PhoneMicrosoft Support
Feedback | Services Agreement
Contact Us | Terms of Use | Trademarks | Privacy Statement
Microsoft Microsoft
2010 Microsoft
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
18/40
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
19/40
Robert
adhi
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
20/40
kusuma
putra
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
21/40
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
22/40
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
23/40
Robert
adhi
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
24/40
kusuma
putra
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
25/40
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
26/40
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
27/40
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
28/40
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
29/40
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
30/40
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
31/40
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
32/40
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
33/40
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
34/40
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
35/40
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
36/40
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
37/40
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
38/40
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
39/40
-
8/9/2019 Conficker.D is Installed by Previous Variants of Win32
40/40