Actually it's trying to guess the passwords of accounts, and invoke the lockout feature in AD, which is what you would be seeing as the residual.
So MS08-067 is the fix, along with the autoplay/autorun being disabled.

Symptoms (per http://en.wikipedia.org/wiki/Conficker):

* Account lockout policies being reset automatically.
* Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Windows Error Reporting disabled.
* Domain controllers responding slowly to client requests.
* Congestion on local area networks (ARP flood as consequence of network scan).
* Web sites related to antivirus software or the Windows Update service becoming inaccessible.
* User accounts locked out.

Per Microsoft KB http://support.microsoft.com/kb/962007:

Win32/Conficker has multiple propagation methods. These include the following:

* Exploitation of the vulnerability that is patched by security update 958644 (MS08-067)
* The use of network shares
* The use of AutoPlay functionality

Therefore, you must be careful when you clean a network so that the threat is not reintroduced to systems that have previously been cleaned.

Note: The Win32/Conficker.D variant does not spread to removable drives or shared folders over a network. Win32/Conficker.D is installed by previous variants of Win32/Conficker.

And here is the Conficker Working Group write-up on all the versions; there is a nice write-up here:
http://www.confickerworkinggroup.org/wiki/uploads/Conficker_Working_Group_Lessons_Learned_17_June_2010_final.pdf

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

From: James Rankin [mailto:[email protected]]
Sent: Wednesday, February 23, 2011 12:27 PM
To: NT System Admin Issues
Subject: Conficker

Right, for my sins I appear to be stuck in the middle of a Conficker outbreak. I'm not here to advise about security, but five minutes into the outbreak and the glaring hole of Autoplay being enabled is clearly how this thing is propagating, and they've been told. Fools - they are in the process of learning the hard way.

I avoided Conficker in my last few roles thanks to good security practices; there's one question I can't work out from the Conficker write-ups though. How does this thing get its list of accounts to attack? We have accounts locking out right, left and centre, but they are clearly not just accounts that have previously logged on to the local machine. Does anyone know if this little beastie queries Active Directory in some way?

TIA,

JRR

--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."

IMPORTANT: This email is intended for the use of the individual addressee(s) named above and may contain information that is confidential, privileged or unsuitable for overly sensitive persons with low self-esteem, no sense of humour or irrational religious beliefs. If you are not the intended recipient, any dissemination, distribution or copying of this email is not authorised (either explicitly or implicitly) and constitutes an irritating social faux pas. Unless the word absquatulation has been used in its correct context somewhere other than in this warning, it does not have any legal or no grammatical use and may be ignored. No animals were harmed in the transmission of this email, although the kelpie next door is living on borrowed time, let me tell you. Those of you with an overwhelming fear of the unknown will be gratified to learn that there is no hidden message revealed by reading this warning backwards, so just ignore that Alert Notice from Microsoft. However, by pouring a complete circle of salt around yourself and your computer you can ensure that no harm befalls you and your pets. If you have received this email in error, please add some nutmeg and egg whites, whisk and place in a warm oven for 40 minutes.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
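The reply above explains the lockouts as the residue of an infected host guessing passwords against domain accounts, which makes the first triage question during such an outbreak "which machine are the lockouts coming from?" The script below is an added example written for this archive page; it is not code from either poster, from Microsoft or from the Conficker Working Group. It assumes the domain controllers' Security log has been exported as CSV with one row per account-lockout event (Windows event ID 4740, "A user account was locked out", whose rendered message carries the locked account and the Caller Computer Name that sent the failing logons); the column names TargetUserName and CallerComputerName and all sample rows are constructed for the example.

```python
"""Triage account-lockout events to locate the host doing the password guessing.

Added example for this thread, not from the original posts. Assumes a CSV
export of the domain controllers' Security log with one row per event ID 4740
("A user account was locked out"). Column names are assumed: TargetUserName is
the locked account, CallerComputerName is the machine whose bad logons caused
the lockout. All rows below are constructed sample data.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export. Many distinct accounts locked out from ONE caller
# is the signature of a worm walking a list of accounts; one account locked
# out repeatedly from its owner's workstation is usually a stale credential.
SAMPLE_EXPORT = """\
TimeCreated,EventID,TargetUserName,CallerComputerName
2011-02-23 11:58:02,4740,jsmith,WKS-FIN-07
2011-02-23 11:58:05,4740,mjones,WKS-FIN-07
2011-02-23 11:58:09,4740,svc_backup,WKS-FIN-07
2011-02-23 11:58:14,4740,abrown,WKS-FIN-07
2011-02-23 11:59:01,4740,abrown,WKS-FIN-07
2011-02-23 12:01:30,4740,clee,LAPTOP-CLEE
2011-02-23 12:02:44,4674,jsmith,WKS-FIN-07
"""

LOCKOUT_EVENT_ID = "4740"


def parse_lockouts(export_text):
    """Return the 4740 rows as dicts; rows for any other event ID are dropped."""
    reader = csv.DictReader(io.StringIO(export_text))
    return [row for row in reader if row["EventID"] == LOCKOUT_EVENT_ID]


def lockouts_by_caller(rows):
    """Map each caller computer to the set of distinct accounts it locked out."""
    by_caller = defaultdict(set)
    for row in rows:
        by_caller[row["CallerComputerName"]].add(row["TargetUserName"])
    return by_caller


def suspect_callers(rows, min_distinct_accounts=3):
    """Callers that locked out at least min_distinct_accounts different
    accounts, ranked by that count (highest first). These are the hosts to
    pull off the network and scan; a single-account lockout source is more
    likely a user or scheduled task with an old password."""
    by_caller = lockouts_by_caller(rows)
    return sorted(
        ((caller, len(accounts)) for caller, accounts in by_caller.items()
         if len(accounts) >= min_distinct_accounts),
        key=lambda item: item[1],
        reverse=True,
    )


def lockout_counts_per_account(rows):
    """Total lockouts per account, i.e. the list to hand the helpdesk for
    unlocking once the guessing host has been isolated."""
    return Counter(row["TargetUserName"] for row in rows)


if __name__ == "__main__":
    events = parse_lockouts(SAMPLE_EXPORT)
    for caller, count in suspect_callers(events):
        print(f"{caller}: locked out {count} distinct accounts -> isolate and scan")
    for account, count in lockout_counts_per_account(events).most_common():
        print(f"  {account}: {count} lockout(s)")
```

The distinct-account threshold is what separates the worm's behaviour from an ordinary stale-password lockout: a guessing host runs through many accounts from one source in a short window, while a forgotten scheduled-task password locks out one account over and over. On a small domain lower `min_distinct_accounts`; on a large one, also bucket the rows by time so a burst from one caller stands out against the background rate.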
