Conficker arrest!!!

Ahaa!! Microsoft seems to be really pissed off by the impact of the Conficker worm: it has announced a reward of $250,000 for the arrest of its author. Conficker is the latest worm to badly hit millions of Microsoft Windows users. Well, good luck catching the author, but here I will mention some tips which can help with the Conficker arrest.

1. Admin access. Users whose accounts are configured with fewer user rights on the system could be less impacted than users who operate with administrative rights. A study also found that eliminating admin rights would have stopped or mitigated:

  • 94 percent of Microsoft Office vulnerabilities reported in 2008
  • 89 percent of Internet Explorer vulnerabilities reported in 2008
  • 53 percent of Microsoft Windows vulnerabilities reported in 2008.

Remove admin access from all machines. Grant admin privileges temporarily and only on an as-required basis. Admin passwords should not be the same on all systems. Also, do not log into an infected machine using a Domain Admin account.

2. Latest patch updates. Patch your systems with the latest security updates, MS08-067 specifically for this particular worm. But I would advise applying up-to-date patches at both the operating system and the application level.

3. Disable the Server service. The worm makes use of network shares to propagate. Disable the Server service wherever possible, temporarily, until the worm is completely cleaned from the network. The worm is known to exploit a weakness in the Server service.

Disabling the Server service on workstations will hardly have any impact unless the workstation is sharing folders or printers. We strongly recommend testing this in a test environment before disabling services on production servers. (Thanks Fayaz for this info)

4. Updated antivirus. This should actually not need mentioning here, as it is one of the basic security checks. If your organization does not even keep its AV signatures/engine updated, then I would say... What the f@@k. SORRY.

5. MSRT scan. Manually download MSRT onto uninfected PCs and deploy it to infected PCs to automatically clean them. The Microsoft Windows Malicious Software Removal Tool helps remove malicious software from Windows computers.

6. Disable removable drives. Conficker also uses removable drives as a medium to infect other systems. Disable all removable drives (USB, CD-ROM, etc.) on all systems. Provide access on an as-required basis.

7. Autorun and Autoplay. The worm uses the default-enabled Autorun and Autoplay settings to propagate through network shares and removable media. Do remember that Autorun and Autoplay are not the same. Mentioned below are the details to disable both of them.

Autorun: Simplest way is to edit/add the registry settings as below.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Copy the above into Notepad and save it as a .reg file. Double-click the .reg file to make the necessary changes. To be on the safe side, always back up your registry files before playing around with them. The above method nulls any request for autorun.inf and works on XP Home or Pro, as well as Windows Vista. Credit for this tip goes to Nick Brown. You can also download the autorun patch from Microsoft. More details can be found here. This patch also creates a new registry entry, HonorAutorunSetting, with a value of 0x01.

The registry setting mentioned below can also help disable Autorun.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

There you will find (or you might need to create) a value named NoDriveTypeAutoRun; setting it to FF (0xFF) disables AutoRun on all kinds of drives.

Autoplay: As per Microsoft page:

Windows Server 2003, Windows XP, and Windows 2000

  1. Click Start, click Run, type Gpedit.msc in the Open box, and then click OK.
  2. Under Computer Configuration, expand Administrative Templates, and then click System.
  3. In the Settings pane, right-click Turn off Autoplay, and then click Properties. Note: in Windows 2000, the policy setting is named Disable Autoplay.
  4. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
  5. Click OK to close the Turn off Autoplay Properties dialog box.
  6. Restart the computer.

I guess these settings will not only help protect your corporate environment from Conficker but also from most other worms. : )
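To check whether the settings from points 1, 3 and 7 are actually in place on a machine, here is an added audit script (written for this post, not from Microsoft or Nick Brown). It assumes PowerShell 2.0 or later and a session that can read HKLM and enumerate the local Administrators group; it only reports, it changes nothing.

```powershell
# Added audit script (not from the original post): reports which of the
# hardening points above are missing on this host. Read-only.
# Assumes PowerShell 2.0+, rights to read HKLM and to list local groups.

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is absent instead of throwing.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) } else { $null }
}

$findings = @()

# 7. Autorun: Nick Brown's IniFileMapping trick needs the (default) value "@SYS:DoesNotExist"
$iniMap = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$mapped = Get-RegValue $iniMap ''
if ($mapped -ne '@SYS:DoesNotExist') { $findings += 'Autorun.inf IniFileMapping redirect is not in place' }

# 7. Autorun/Autoplay policy: NoDriveTypeAutoRun = 0xFF covers every drive type
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ndta = Get-RegValue $explorerPolicy 'NoDriveTypeAutoRun'
if ($ndta -ne 0xFF) { $findings += "NoDriveTypeAutoRun is '$ndta', expected 0xFF (255)" }

# 7. HonorAutorunSetting = 1 is written by the Microsoft autorun patch mentioned above
$honor = Get-RegValue $explorerPolicy 'HonorAutorunSetting'
if ($honor -ne 1) { $findings += 'HonorAutorunSetting is not 1 (autorun patch may be missing)' }

# 3. Server service (LanmanServer): the post recommends stopping it on workstations during cleanup
$srv = Get-WmiObject -Class Win32_Service -Filter "Name='LanmanServer'"
if ($srv -and $srv.State -eq 'Running') {
    $findings += "Server service is running (start mode: $($srv.StartMode))"
}

# 1. Admin access: list local Administrators so non-essential accounts can be reviewed and removed
$group = [ADSI]'WinNT://./Administrators,group'
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
$findings += "Local Administrators members: $($members -join ', ')"

# Report: one line per finding; the Administrators list is always shown for review
$findings | ForEach-Object { "CHECK: $_" }
```

Run it on a sample of workstations before and after pushing the .reg file and the Group Policy change to confirm the settings landed.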

More info @

http://support.microsoft.com/kb/962007

http://technet.microsoft.com/en-us/security/dd452420.aspx
