Tuesday, March 10, 2009

Conficker/Downadup removal - safe mode gives bluescreen

This is the most useless way to make money that I know of: Fighting viruses. As if there aren't enogh real technical challenges to play with.

A customer was hard hit by the Conficker/Downadup virus the other day. The B variant didn't take too long to figure out how to remove, but a couple of the affected computers would not boot to safe mode, yielding the bluescreen of death (BSOD). No virus removal software I tried was able to detect the junk process causing this, so I had to research a little on my own.

Update 14.3.09:
BitDefender now has a removal tool that they claim will also remove the .C variant. I haven't tested it though.

The Downadup.B and .C variants are well described at Symantec's and others' websites, so I won't repeat that. I'll just give a practical short work list that worked for me and left my customer's computers virus free:

Determining if you are infected by Downadup.B:
There's a couple of simple steps to give you a good indication of whether you are affected by the Downadup.B. One or more of these bullets indicate that you are infected:
  • You are not able to browse to sites like www.symantec.com or www.microsoft.com. Other non-antivirus websites, like your local newspaper webpage works fine.
  • You have several entries in Scheduled Tasks - like "at", possibly with a number behind
  • The obvious one: Check your antivirus software logs to see if the virus has been identified
Quick cleaning of Downadup and securing from reinfection
Here's how I cleaned each computer and managed to keep it from being reinfected by other infected computers on the network (although they should all have been physically disconnected from the network):
  • Physically disconnect each computer on your LAN
  • Boot to safe mode without network support (if you get a bluescreen - see below)
  • Change passwords of all local users that have "guessable" passwords - see list on Symantecs virus description page. Gotcha: The virus also guesses existing usernames on the system, even backwards or repeated two times, as possible passwords.
  • Make sure Windows Firewall (or equivalent) is on
  • Make sure you do not allow autorun from USB sticks etc. (see below)
  • Run the removal tool from Symantec (or other tool of your choice)
If you want to remove manually, I found this description from Microsoft to be one of the most helpful if you want to manually remove or check that all traces are gone.

With all the above steps done, you are ready to connect to the LAN again and try to reboot into normal mode.

Booting to safe mode results in bluescreen
This means that things get a little tougher. Symantec did not have a removal tool for the Downadup.C virus when I needed it (Update: BitDefender has - see note above). In addition, the Downadup.B removal tool was killed the same instance you try to start it. Same goes for many antivirus packages etc..

To solve this, you need to find a clean donor computer with the same OS and probably as identical hardware as possible. Export the following regkey to a memory stick (that you have verified is clean before plugging it into your clean donor computer) or similar and run it on the infected computer:

HKLM\System\CurrentControlSet\Control\SafeBoot

Then quickly reboot into safe mode (F8 upon reboot), in the hope that the virus will not redelete the key before you manage to take down your system for reboot.

Removing the Downadup.C
You have now managed to boot into safe mode (F8 during boot). The virus is still there, you will need to look for it manually, unless there's a removal tool by the time you read this. On my two infected computers where I got bluescreen upon safe mode boot, I opened Windows Explorer in c:\windows\system32, sorted the files on date and looked for the most recent DLLs or EXE files I could find. There was only one DLL file created within the last week, and in both cases it was named a random set of characters. Going to properties, I verified that there was no Microsoft version information - hence, this file would most probably not be to my benefit. Just to make sure, I renamed the file extension to VIRUSSUSPECT and rebooted. The virus was gone, and I had the proof I needed to delete the file I first renamed.

Beware that the Downadup.C also weakens security that you do NOT get restored only by removing the virus DLL. Again, review the Symantec (or other) descriptions of the virus and take action accordingly.

Good luck, and good hunting!