How I got rid of the Conficker Worm on my network


Those who have read my other articles will know that I am an IT technician of many years.
I normally write articles when I fancy reviewing an item or commenting on something that is going on in the world, but today I would like to share an experience I had recently battling the Conficker worm on my network. The reason is that this was unlike any other experience I've ever had trying to get rid of a virus or worm from a network; it was a real nightmare. There are lots and lots of websites telling people how to tackle this worm, but not many blogs or articles that tell of successes or things to look out for, and that's really what I want to share with you today. Hopefully there will be other network technicians who can relate to what I went through, and I'd welcome any comments and feedback.

Ok, so we were all warned that Conficker was coming. It was going to be BIG, no HUGE. Of course, networks should always be ready for infections, but the truth is... most are not. This is a fact, and the majority of people who work in IT will tell you so, unless you are lucky enough to be in charge of a medium sized network on a full time basis, which I and most of my colleagues aren't. Most medium sized companies these days opt for a managed service and the support of an IT company with a visiting service. Anyway... all around the world network technicians made sure they were fully patched up and all antivirus was up to date. We made all the appropriate preparations and waited with bated breath to see what would happen. What would the payload be? What would the symptoms be? There were rumours of these things... just rumours... rumours of an unstoppable beast programmed by Satan himself. When the first signs of the Conficker worm hit, they were thankfully not on my network but on a colleague's network, so I had a chance to see what would happen before it hit my own domain. It is worth mentioning that both my colleague and I were using Sophos antivirus on our domains, which had only recently been updated, and you know what? Sophos caught it. Yup, that's right. A small message popped up on the client machines: 'win32/conficker detected and quarantined'. Swweeeet! What was all the fuss about? It seemed that the Conficker worm was no more a ferocious beast than a fluffy bunny is king of the jungle. I breathed a sigh of relief and went about my business.

For nearly a whole year nothing happened on my domains. It is worth mentioning at this point that I look after networks in schools. Fourteen of them. So far I had escaped unscathed. In fact, if I'm honest, I forgot about the Conficker virus. One day one of the managers said to me, 'the network is running slow and has been for a while'. As I have already said, I am part of a visiting service; I don't use these networks on a daily basis. Most of the time the first a tech will hear of an issue like this is when a user tells them. The first thing I did was look at the LEDs on the switches. Sure enough they were lit up like Christmas trees. The lights were going ten to the dozen. This was a sure sign that there was a lot of activity going on in the network. I singled out one of the PCs and ran a Sophos check on it. Nothing. I started doing a bit of digging and my users started telling me other things too. Their USB sticks did not autorun anymore. Their antivirus was not updating. I later learnt that Conficker stops them doing this; it had mutated, and this was why it had not been picked up. So Sophos did not detect my intrusion... hmmmm. I lost a bit of faith in antivirus programs that day, I can tell you. I used a program called Malwarebytes... and it detected... Conficker. So I ran Malwarebytes on all of the machines, with success. But no sooner had the Conficker worm been removed than it appeared again. This thing was becoming a nightmare. USB sticks were not working properly, the network was still slow, Microsoft updates were not working, antivirus would not update, and then things got really bad when users could not log on anymore. Conficker had spread to my server and locked users out. I use a program called Ghost to re-clone all of the computers. It didn't work. The worm came back.
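The symptoms above (antivirus and Windows Update no longer updating, users suddenly locked out of their accounts) are the kind of thing a visiting technician can check for in a minute rather than waiting for a user to complain. The script below is an added example of such a triage check; it is not from the original post and not a tool the author used. It assumes a Windows host where the standard service names (wuauserv, BITS, WinDefend, wscsvc) apply, and that it is run on a domain controller for the lockout check, since account lockout events (Security log event ID 4740) are recorded there. Which services a given infection stops is an assumption here; the post only says updates and antivirus stopped working.

```powershell
# Added example (not from the original post): quick triage for the symptoms
# described above. Assumptions: standard Windows service names; run on a
# domain controller for the 4740 lockout query.

# 1. Update and antivirus related services: are they running and enabled?
$servicesToCheck = @('wuauserv', 'BITS', 'WinDefend', 'wscsvc')
foreach ($name in $servicesToCheck) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning "Service $name not found on this host"
        continue
    }
    $startMode = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
    if ($svc.Status -ne 'Running' -or $startMode -eq 'Disabled') {
        # A stopped or disabled update/AV service matches the post's symptoms
        Write-Warning ("{0}: status={1} startmode={2}" -f $name, $svc.Status, $startMode)
    } else {
        Write-Output ("{0}: OK ({1}, {2})" -f $name, $svc.Status, $startMode)
    }
}

# 2. Account lockouts in the last 24 hours, grouped by the machine that
#    caused them. A single source locking out many accounts points at a
#    host worth isolating and scanning first.
$since = (Get-Date).AddHours(-24)
$lockouts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
    -ErrorAction SilentlyContinue
if ($lockouts) {
    $lockouts |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = $_.Properties[0].Value   # TargetUserName
                Source  = $_.Properties[1].Value   # caller computer name
            }
        } |
        Group-Object Source |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize
} else {
    Write-Output "No 4740 lockout events in the last 24 hours"
}
```

Run it in an elevated PowerShell session. The service check is cheap enough to run on every workstation; the lockout query belongs on the domain controller, where it also gives you an order in which to clean machines, starting with the one generating the most lockouts.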

So what did I do? Well, my experiences from here on in were extensive and intensive. I learnt so much from this worm about trying to secure a computer and a network that I decided to put my findings up on the web for all to see. I will write more on this in my next article, but for now you can visit my website to find out how to finally rid yourself of this nasty malicious code. The website is http://www.confickerremoval.net and it is about as definitive a guide as I can put together. So until part 2 of this article... see you at the website.
