Strange scheduled tasks on Windows Server 2003

malware windows-server-2003

A few days ago, I noticed that our Windows Server 2003 system has strange scheduled tasks. I do not know where they came from or who set them up. I deleted them and they came up again today. They have names such as "At1","At2", "At3" and the status says that they are running.

When I open their properties, the run command looks like rundll32.exe zfypspqu.u,ygxjgq.

What it could be? Does my server have some virus? I did a scan with nod32 and it didn't report anything. I do not have anything unusual set up on this server - it's only running SQLServer 2005 with ReportServer. Two other servers with similar configuration do not have these strange scheduled tasks.


That's a Conficker infection.

Basic steps to remove it:

  • Run the latest release of Microsoft's Malicous Software Removal Tool.
  • Install the KB958644 patch.

If you have multiple systems, make sure you fix them all.

The full Microsoft guide for protecting yourself from Conficker is here.

Good luck, I've had to deal with a Conficker infection at a smallish client, about 30 servers spread throughout 12 sites, it was not fun.


Try to scan, disinfect, apply patch for all computers in your network at the same time if possible, had bad experience with it (B version, our network has around 300 computers in 3 sites)

http://www.confickerworkinggroup.org

http://www.confickerworkinggroup.org/wiki/pmwiki.php/ENT/Enterprise#toc10

I update batch file to apply for GPO (got it somewhere on Internet)

@echo off

REM   ########################################
REM   Version 6 - 10:19pm Pacific Jan 4th, 2009
REM   Created by Ckemper and Shainw
REM   For disabling infection points and potentially removing Conficker.B malware
REM   http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.B

REM   #####################################

REM   #####################################
REM
REM   Modify <domain.com> to your domain name in the script portion below.
REM   Rename it to .BAT and drop it in the \\%windir%\sysvol\sysvol\<domain.com>\scriptsfolder (aka, Netlogon share).
REM   
REM   Please drop the following tools\files in the Netlogon share for this to work
REM
REM   Getver.exe - attached with this batch file.
REM   SC.EXE - attached with this batch file (can get from a WS2003 or Windows XP system, not native to Windows 2000)
REM   REG.exe - attached with this batch file (can get from WS2003 or Windows XP system, not native to Windows 2000)
REM   windows-kb890830-v2.6.exe - x86 version of MSRT, available from Microsoft Security Support Engineer
REM   windows-kb890830-x64-v2.6.exe - x64 version of MSRT, available from Microsoft Security Support Engineer
REM   sleep.exe - for use with the MSRT tool, attached with batch file
REM   Hotfix update for Windows 2000, Windows XP and Windows 2003, download all updates listed in http://support.microsoft.com/kb/953252, except
REM   the Itanium update as this script does not support Itanium.  Place all 3 updates in the Netlogon directory.
REM   Security update MS08-038 for Windows Vista and Windows Server 2008 - http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx
REM   This vulnerability is not being exploited, however, to disable Autorun properly this needs to be applied as it contains a fix related to
REM   autorun, same as the one listed above in KB953252.
REM   
REM   Place all above in the netlogon directory and edit the <domain.com> values in the script below.
REM
REM   Create a Startup Script policy and reference this batch file.  This needs to be a Startup Script and not a Logon script, so that the 
REM   script runs under the machine account.
REM   Link the GPO with the Startup Script to the OU and Groups where you want it to apply.
REM
REM   We do not recommend you use this on DC's or critical servers, those should be cleaned manually so that the services
REM   disabled below do not need to be left disabled for an extended period of time.
REM
REM   Also note that you can set both the Server service (lanmanserver) and Task Scheduler server (schedule) to disabled via group policy
REM   If that is done, then those items can be remarked out below 
REM
REM   ###########################################

REM
REM
REM   Methods of spread we will be disabling -
REM
REM
REM   We will disable the Server service and Task Scheduler service.
REM
REM   Why disable the Server service?  This is due to Weak Passwords which the malware attempts to exploit.
REM   The password change will need to be accomplished via password policy for the domain, resetting any local and domain admin password to a 
REM   complex password which includes at least 10 characters and contains, alpha-numeric characters and extended characters such as a question
REM   mark or exclamation point.
REM
REM   Why disable the Task Scheduler service?  This is because the malware creates several AT jobs that run every hour to reinfect the system.
REM
REM   MS08-067 security update.  This security update needs to be applied ASAP via your normal patch management process.
REM   http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
REM
REM   Why install MS08-067?  This is the main attack vector of the malware.
REM
REM   Autorun - To block the autorun feature, we must apply an and set a registry value.
REM
REM   Why disable Autorun?  This is because the malware drops a binary file called Autorun.inf on all removable drives.
REM

REM
REM   For environments that use Windows Update to deploy updates.  This section will install MS08-067.
REM   You must place the updates that was downloaded from the link above in the Netlogon share and modify <domain.com>
REM   to your domain.  Also, you must remove the REM**** from in front of the lines, note there is one at the bottom also.  Note that the
REM   Windows Vista and WS2008 file is the same for both - Windows6.0-KB958644-x86.msu.
REM

if /i %PROCESSOR_ARCHITECTURE% == IA64 goto :End


REM ****IF not exist %windir%\$NtUninstallKB958644$ goto Check
REM ****IF exist %windir%\$NtUninstallKB958644$ goto Clean

REM ****:Check
REM ****IF not exist %windir%\Servicing\Packages\Package_for_KB958644*.* goto Install
REM ****IF exist %windir%\Servicing\Packages\Package_for_KB958644*.* goto Clean


REM ****:Clean

REM
REM  Checking if already run successfully
REM

\\<domain.com>\netlogon\sc.exe query wuauserv | find "STOPPED" > nul
if %ErrorLevel% EQU 0 goto INIT
if %ErrorLevel% EQU 1 goto END


:INIT

REM
REM   Stopping and Disabling services
REM   

\\<domain.com>\netlogon\GETVER.EXE > nul
if %ErrorLevel% EQU 50 goto SC_Stop
if %ErrorLevel% EQU 51 goto SC_Stop
if %ErrorLevel% EQU 52 goto SC_Stop
if %ErrorLevel% EQU 60 goto Vista_2008Server_SC_Stop

:SC_Stop
\\<domain.com>\netlogon\sc.exe stop lanmanserver
\\<domain.com>\netlogon\sc.exe stop schedule
\\<domain.com>\netlogon\sc.exe config lanmanserver start= disabled
\\<domain.com>\netlogon\sc.exe config schedule start= disabled

goto MSRT_RUN

:Vista_2008Server_SC_Stop

\\<domain.com>\netlogon\reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f

goto MSRT_RUN

:MSRT_RUN

REM
REM   Running MSRT locally
REM

REM
REM   Checking for x86 or x64
REM   Make sure to edit the <servername>\<share> in the lines below so the logs can be copied up to a central server if desired.
REM   Otherwise the copying of the mrt.log can be remarked out.
REM   Notice the copy of the MRT.log up to a central location has <servername>\<share with write perms>.  This is on purpose.
REM   In most cases, opening a share with everyone write permissions on a DC is not recommended, it is suggested to use a
REM   member server or workstation.
REM

if /i %PROCESSOR_ARCHITECTURE% == x86 goto x86
if /i %PROCESSOR_ARCHITECTURE% == AMD64 goto x64

:x86
call \\<domain.com>\netlogon\Sleep.exe 10
Start /wait \\<domain.com>\netlogon\Windows-KB890830-V2.6.exe /q

copy %windir%\debug\mrt.log \\<servername>\<share>\Logs\%computername%_%username%_mrt.log

goto Tasks

:x64
call \\<domain.com>\netlogon\Sleep.exe 10
Start /wait \\<domain.com>\netlogon\windows-kb890830-x64-v2.6.exe /q

copy %windir%\debug\mrt.log \\<servername>\<share>\%computername%_%username%_mrt.log

goto Tasks

REM
REM   Deleting all scheduled tasks, we have to do this due to the potential random naming of the scheduled task job.
REM   Note, even though we are disabling the Task Scheduler service above, these still need to be remove for when the Task Scheduler service is
REM   started up again.  Erase command is available on Windows 2000 and above OS, so we do not need to make available on Netlogon share.
REM

:Tasks

attrib -h %windir%\tasks\*.job
AT /delete /yes
REM old entry -erase %windir%\tasks\*.job /f /q


REM
REM   Checking for and installing Autorun hotfix. Turning off Autorun for all drives, the malware can spread via this mechanism.
REM   Download all updates listed in http://support.microsoft.com/kb/953252, except the Itanium update as this script does not support Itanium.
REM   Download the Windows Vista and Windows Server 2003 update - http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx
REM

IF not exist %windir%\$NtUninstallKB950582$ goto Next
IF exist %windir%\$NtUninstallKB950582$ goto Autorun

:Next
IF not exist %windir%\Servicing\Packages\Package_for_KB950582*.* goto 950582
IF exist %windir%\Servicing\Packages\Package_for_KB950582*.* goto Autorun

:950582

REM
REM   Checking OS version for install of KB950582
REM

\\<domain.com>\netlogon\GETVER.EXE > nul
if %ErrorLevel% EQU 50 goto Win2K_950582
if %ErrorLevel% EQU 51 goto WinXP_950582
if %ErrorLevel% EQU 52 goto Win2003_950582
if %ErrorLevel% EQU 60 goto Vista_2008Server_950582

REM
REM   WIN2k section
REM

:Win2k_950582
\\<domain.com>\netlogon\Windows2000-KB950582-x86-ENU.EXE /quiet /norestart
goto Autorun

REM
REM   WINXP section
REM

:WinXP_950582
if /i %PROCESSOR_ARCHITECTURE% == x86 goto WinXP_950582_x86
if /i %PROCESSOR_ARCHITECTURE% == AMD64 goto WinXP_950582_x64

:WinXP_950582_x86
\\<domain.com>\netlogon\WindowsXP-KB950582-x86-ENU.exe /quiet /norestart
goto Autorun

:WinXP_950582_x64
\\<domain.com>\netlogon\WindowsServer2003.WindowsXP-KB950582-x64-ENU.exe /quiet /norestart
goto Autorun

REM
REM   WIN2003 section
REM

:Win2003_950582
if /i %PROCESSOR_ARCHITECTURE% == x86 goto Win2003_950582_x86
if /i %PROCESSOR_ARCHITECTURE% == AMD64 goto Win2003_950582_x64

:Win2003_950582_x86
\\<domain.com>\netlogon\WindowsServer2003-KB950582-x86-ENU.exe /quiet /norestart
goto Autorun

:Win2003_950582_x64
\\<domain.com>\netlogon\WindowsServer2003.WindowsXP-KB950582-x64-ENU.exe /quiet /norestart
goto Autorun

REM
REM   Vista_2008 section
REM

:Vista_2008Server_950582
if /i %PROCESSOR_ARCHITECTURE% == x86 goto Vista_2008Server_950582_x86
if /i %PROCESSOR_ARCHITECTURE% == AMD64 goto Vista_2008Server_950582_x64

:Vista_2008Server_950582_x86
wusa.exe \\<domain.com>\netlogon\Windows6.0-KB950582-x86.msu /quiet /norestart
goto Autorun

:Vista_2008Server_950582_x64
wusa.exe \\<domain.com>\netlogon\Windows6.0-KB950582-x64.msu /quiet /norestart
goto Autorun

:Autorun

\\<domain.com>\netlogon\reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAuto /t REG_DWORD /d 0xff /f


REM
REM   Removing Hidden setting
REM

\\<domain.com>\netlogon\reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 0x1 /f


REM
REM   Enabling Automatic Updates, Background Intelligent Transfer and Error Reporting services
REM

\\<domain.com>\netlogon\sc.exe config wuauserv start= auto
\\<domain.com>\netlogon\sc.exe config BITS start= auto
\\<domain.com>\netlogon\sc.exe config ERsvc start= auto

REM
REM   Restarting
REM

Shutdown.exe /r


REM ****:Install

REM ****\\<domain.com>\netlogon\GETVER.EXE > nul
REM ****if %ErrorLevel% EQU 50 goto Win2K
REM ****if %ErrorLevel% EQU 51 goto WinXP
REM ****if %ErrorLevel% EQU 52 goto Win2003
REM ****if %ErrorLevel% EQU 60 goto Vista_2008Server

REM ****:Win2k
REM ****\\<domain.com>\netlogon\Windows2000-KB958644-x86-ENU.EXE /quiet /forcerestart

REM ****:WinXP
REM ****\\<domain.com>\netlogon\WindowsXP-KB958644-x86-ENU.exe /quiet /forcerestart

REM ****:Win2003
REM ****\\<domain.com>\netlogon\WindowsServer2003-KB958644-x86-ENU.exe /quiet /forcerestart

REM ****:Vista_2008Server
REM ****wusa.exe \\<domain.com>\netlogon\Windows6.0-KB958644-x86.msu /quiet

:End
Exit

Related

Smart Array P822 with HBA Mode?
Is it possible to configure Nginx to allow for new domains to be added without me having to add a VirtualHost for each?
How to check if Ubuntu 14.04 Kernel has TPROXY
Account Lockout with pam_faillock in RHEL6
How to create a link outside of the jail, but accessable within the jail?
SSL binding with no hostname, and centralized certificate store?
Samba: Access trouble from Windows
How to express a self-diminishing recursive property. Elegantly
What are these vehicles called in the United States?
A word for someone who intentionally makes vague negative comments and then refuses to explain them
Word for an inaccurate work by an artist, who ineptly misrepresented their subject?
Non-derogatory word for shill?