4 Replies Latest reply on May 13, 2010 7:53 AM by DiegoLorenzo

    conficker and McShield

      Apologies in advance but quite a long post is likely.

      One of the schools I support recently got hit with several conficker variants. Probably my fault as definitions were not up to date, but that's by-the-by.

      Enterprise 8.7i did a good job of cleaning it out apart from a few machines that had conficker!mem which On-Demand scan showed as No action taken. So I investigated a little further and found conciller from Bonn University, a memory disinfector which scans the memory of every running process in the system and terminates Conficker threads without touching the process it runs in. conciller found that svchost.exe was infected and cleaned the processes effectively. So far so good.

      However, on one machine it found that Mcshield.exe process was infected with four variants (A,B,C,D). Not knowing how McShield works I assumed these were definitions and could cheerfully be ignored.

      Conciller failed to clean them out - although the On-access scanner did briefly turn itself off, a 'memory could not be read....yada yada' error popped up then the OAS restarted.

      Then, just out of interest, I checked some other PCs and, alarmingly, the McShield.exe was NOT found to be infected. So I checked at another of my schools that has not been 'confickered' and found McShield.exe was clean.

      All of which leads me to thinking that McShield may have been infected with conficker on some machines. Anyone know if this is possible? Or am I just being paranoid after four and a half days of virus eradication? I should add that the antivirus appears to be working fine.

      (I have screen dumps of all of this but I've stupidly saved them to a school hard drive rather than my USB stick. And I'm at home now. D'oh!)

        • 1. Re: conficker and McShield

          Hello Lard,

          It's possible that the systems are still infected by the virus. From my experience with conficker, the best way is to save the data, low level format the hard drive and reinstall or reimage the system. This may be an extreme measure but most of the security experts I've contacted suggested this action if you want to be 100% sure.

          This would be my recommendation.




          • 2. Re: conficker and McShield

            Please see the following McAfee KnowledgeBase article for full instructions: KB60909 - W32/Conficker.worm overview

            • 3. Re: conficker and McShield

              There's a utility called KidoKiller which is very good at disinfection of conficker. Google it.

              Also, if you got infected then your systems aren't patched with Windows updates. You should be patching your machines to prevent infection (you can use WSUS (free) to automatically approve critical and security patches and install them on your machines): patch them first, then disinfect them to prevent reinfection. (MS08-067, MS08-068, MS09-001) We also disabled autorun on the domain (http://support.microsoft.com/kb/967715 - requires the pre-requisites noted in that doc), which helps quite a bit.

              I still constantly see Conficker/autorun worm variants getting cleaned on students' and staff pen drives.

              It's still out there!



              • 4. Re: conficker and McShield

                Buddy, as far as the Conficker cleaning process is concerned, I think you must follow a very strict step-by-step procedure:

                First of all you've got to identify the infected (memory variant) machines, and for that I suggest you use the Conficker Detection Tool from McAfee/Foundstone. It'll scan your network's entire range(s) in search of the P2P listening port used by Conficker.

                Second, the infected machines must be patched with KB958644. If you don't do this, all your efforts will be in vain in about 5 minutes, for the machines will be infected after any disinfection no matter what.

                Third, run a VS ODS, reboot the machine and run another ODS. That's why Conficker sucks: the operational cost is way too high in order to remove it. I notice rebooting is still a more reliable way to eradicate Conficker after all.

                Well, I think this is it, and wish you luck!
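Replies 3 and 4 both make the same point: disinfecting a host that is still missing the MS08-067 fix (KB958644) just gets it reinfected, so the patch state and the autorun policy should be verified before any on-demand scan. The following PowerShell script is an added example, not something posted in this thread or shipped by McAfee; it audits one host for those prerequisites. It assumes PowerShell 2.0 or later with Get-HotFix available, uses the bulletin-to-KB mapping MS08-067 = KB958644, MS08-068 = KB957097, MS09-001 = KB958687, and checks the NoDriveTypeAutoRun policy value that KB967715 describes (0xFF disables autorun on every drive type).

```powershell
# Added example (not from this thread): pre-disinfection audit for one Windows host.
# Assumes PowerShell 2.0+ (Get-HotFix, Get-ItemProperty). KB numbers are the
# Microsoft bulletin-to-KB mapping; the registry value is the one documented in KB967715.

# Bulletins named in the thread and the KB article each one installs as.
$requiredPatches = @{
    'MS08-067' = 'KB958644'   # Server service RPC flaw Conficker spreads through
    'MS08-068' = 'KB957097'   # SMB credential reflection
    'MS09-001' = 'KB958687'   # SMB vulnerabilities
}

function Test-RequiredPatches {
    # Returns one object per bulletin with an Installed flag, based on installed hotfix IDs.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($bulletin in $requiredPatches.Keys) {
        $kb = $requiredPatches[$bulletin]
        New-Object PSObject -Property @{
            Bulletin  = $bulletin
            KB        = $kb
            Installed = [bool]($installed -contains $kb)
        }
    }
}

function Test-AutorunDisabled {
    # KB967715: NoDriveTypeAutoRun = 0xFF under the Explorer policy key disables
    # autorun for all drive types (including the pen drives mentioned in reply 3).
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $false }
    return ($item.NoDriveTypeAutoRun -eq 0xFF)
}

function Test-ReadyForDisinfection {
    # Only MS08-067 is a hard requirement for the reinfection problem described in
    # reply 4; the other two are reported but do not block the scan.
    $patches = Test-RequiredPatches
    $autorunOk = Test-AutorunDisabled

    $patches | Format-Table Bulletin, KB, Installed -AutoSize
    Write-Host ("Autorun disabled on all drive types: {0}" -f $autorunOk)

    $ms08067 = $patches | Where-Object { $_.Bulletin -eq 'MS08-067' }
    if (-not $ms08067.Installed) {
        Write-Host 'KB958644 missing: patch and reboot before running the on-demand scan.'
        return $false
    }
    if (-not $autorunOk) {
        Write-Host 'Autorun still enabled: removable media can re-introduce the worm.'
    }
    return $true
}

# Usage: run elevated on the host being cleaned; a non-zero exit code means "do not scan yet".
if (Test-ReadyForDisinfection) { exit 0 } else { exit 1 }
```

The exit code makes the check usable from a logon script or a WSUS/SCCM-style compliance task, so the "patch first, then disinfect" order from the replies is enforced rather than remembered. Run it again after the reboot in reply 4's third step: a host that reports KB958644 installed and autorun disabled is the one worth spending an on-demand scan cycle on.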