1. Symptoms to help you determine if you are infected
· Account lockout policies are being tripped
· Domain Controllers are being hammered
· Network congestion
· Sluggish Client Behavior
2. Steps to help you recover
Patch and clean – apply MS08-067 and review this info on weak passwords
· Weak Password and Lockout policy info
What you should know about strong passwords: https://www.microsoft.com/technet/security/readiness/content/documents/password_tips_for_administrators.doc
https://www.microsoft.com/technet/security/topics/hardsys/tcg/tcgch00.mspx
https://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.asp
https://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx
Password Best Practices:
https://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_protect.asp
Accounts Passwords and Lockout Policies:
https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
Account Lockout and Management Tools:
· Passgen is a tool that allows you to reset local passwords on large blocks of systems:
https://blogs.technet.com/steriley/archive/2008/09/29/passgen-tool-from-my-book.aspx
3. Malware Removal
1. MSRT - The updated MSRT will be live Tuesday 13 January; however, remember that Conficker breaks automatic updates, so we also need to reference these KBs for manual download information and alternate enterprise deployment steps:
KB890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000
https://support.microsoft.com/kb/890830
KB891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment
https://support.microsoft.com/kb/891716
2. FCS / OneCare
3. Competitive AV
4. Manual Cleanup - This template supplies the manual cleanup steps and a script (in a separate post).
See these blog posts for additional resources:
https://www.microsoft.com/security/portal/Entry.aspx?name=Worm%3aWin32%2fConficker.B
https://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
https://blogs.technet.com/mmpc/archive/2008/12/31/just-in-time-for-new-years.aspx