What is the best way to find Conficker infected PCs in company networks remotely?
Solution 1:
The latest version of nmap
has the ability to detect all (current) variants of Conficker by detecting the otherwise almost invisible changes that the worm makes to the port 139 and port 445 services on infected machines.
This is (AFAIK) the easiest way to do a network based scan of your whole network without visiting each machine.
Solution 2:
Run Microsoft's Malicious Software Removal tool. It is a stand-alone binary that is useful in the removal of prevalent malicious software, and it can help remove the Win32/Conficker malware family.
You can download the MSRT from either of the following Microsoft Web sites:
- http://www.update.microsoft.com
- http://support.microsoft.com/kb/890830
Read this Micosoft support article: Virus alert about the Win32/Conficker.B worm
UPDATE:
There is this web page which you could open. It should give a warning if there is a sign of conficker on the machine: http://four.cs.uni-bonn.de/fileadmin/user_upload/werner/cfdetector/
I almost forgot to mention this very nice "visual" approach: Conficker Eye Chart (I'm not sure if it will work in the future with modified version of the virus) - I'm not sure if it still works properly (update 06/2009):
If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.
Network Scanner
eEye's Free Conficker Worm Network Scanner:
The Conficker worm utilizes a variety of attack vectors to transmit and receive payloads, including: software vulnerabilities (e.g. MS08-067), portable media devices (e.g. USB thumb drives and hard drives), as well as leveraging endpoint weaknesses (e.g. weak passwords on network-enabled systems). The Conficker worm will also spawn remote access backdoors on the system and attempt to download additional malware to further infect the host.
Download here: http://www.eeye.com/html/downloads/other/ConfickerScanner.html
Look also at this resource ("network scanner"): http://iv.cs.uni-bonn. de/wg/cs/applications/containing-conficker/. Search for "Network Scanner" and, if you're running Windows:
Florian Roth has compiled a Windows version which is available for download from his website [direct link to zip-download].