Conficker worm variants A, B and C are dependent on vulnerability in Microsoft server service. Microsoft had released an advisory MS08-067 back in October 2008 to address the above vulnerability. As was expected at that time, number of attacks are spreading, major one being Conficker worm via the conficker malware. Therefore, use a Vulnerability Management Tool to prevent these attacks.
We have plugins for OpenVAS,
900055 – secpod_ms08-067_900055.nasl
900056 – secpod_ms08-067_900056.nasl
To detect the patch condition of MS08-067. The plugin 900055 requires SMB credentials and verifies if the hotfix is installing through Windows Registry and verifies the updated file versions. The plugin 900056 is a Proof of Concept exploit that tries to crash the server service (safe_checks has to be disabling). This can work on anonymous login credentials if the target system allows anonymous login (Windows 2000 by default allows anonymous login). The plugin ms08 067 checks the RPC response status of an un-patched system. Hence, a good Vulnerability Management Solution can resolve these issues and therefore, keep your systems safe and secure.
If your system is vulnerable to Conficker malware, make sure to run the AV scanners to see if you are infecting by Conficker worm. Also, All major AV vendors have signatures. Manual procedure to verify if you are infecting and also to clean is available at,
http://download.nai.com/products/mcafee-avert/documents/combating_w32_conficker_worm.pdf
I guess I should start running now
this is good work chandra, But how do you handle if this infected svchost??
most AV were not able to handle..
how will you handle svchost infected by conficker?