So, instead of hoarding this information for myself and letting everyone suffer out there I will post as I promised. Currently the Conficker.E variant hooks into the TCP/IP network stack, binding the IP address to 0.0.0.0 and dropping its own DLL files in the mix. The DLL files are named something similar to 000{random}.tmp, dropped into either the System or Temporary folder, and executed from there. It also drops a SYS file under either the System or Temporary folder named 0{random}.sys, which is symbolically named \\.\TcpIp_Perf.
To clean up all of this junk you have two options. One is the manual way and two is the shorter command line way.
To clean up and rebuild the connections that are basically destroyed you’ll need to follow the following (yeah, follow the following) directions:
- Start->Run->type ‘mmc’
- In the window that opens, select File->Add/Remove Snap-in
- Click Add… at the bottom
- Select Security Configuration and Analysis
- Click Add, click Close, click OK
- Right click Security Configuration and Analysis, select Open Database…
- In the save dialog box, type in a temporary name, such as temp. Click Open.
- Select setup security.inf. Click Open.
- Right click Security Configuration and Analysis, select Configure computer now…
- Select OK.
- A progress box pops up named “Configuring Computer Security.” Allow this to run.
- Once it has run, close out of MMC and reboot.
Or you could just run the following command from the command prompt (note the quotes are needed because the template file name contains a space):
secedit /configure /db %temp%\temp.db /cfg "%systemroot%\security\templates\setup security.inf"
This command reapplies all of the default security policies on the machine, wiping out any damage that Conficker has done to the TCP/IP stack.
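As an added example (not code from the original post), here is a PowerShell script that first lists any files in the System32 and Temp folders matching the 000{random}.tmp / 0{random}.sys naming described above, so you can review what was dropped before rebuilding, and then runs the same secedit restore as the command above with a log file so the result can be checked. The wildcard patterns for "random", the secedit log path, and the use of /log are assumptions made here, not details from the post.

```powershell
# Added example, not from the original post: review Conficker.E drop artifacts,
# then reapply the default security template with secedit.
# Assumptions: the '0*.tmp' / '0*.sys' patterns approximate the 000{random}.tmp
# and 0{random}.sys names described above; the log path is made up for this script.

function Find-SuspectDropFiles {
    param(
        [string[]]$Folders = @("$env:SystemRoot\System32", $env:TEMP)
    )
    # Patterns are an assumption about what "{random}" looks like on disk.
    $patterns = @('0*.tmp', '0*.sys')
    foreach ($folder in $Folders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($pattern in $patterns) {
            Get-ChildItem -Path $folder -Filter $pattern -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } |
                Select-Object FullName, Length, CreationTime, LastWriteTime
        }
    }
}

function Restore-DefaultSecurityTemplate {
    param(
        [string]$Template = "$env:SystemRoot\security\templates\setup security.inf",
        [string]$Database = "$env:TEMP\temp.db",
        [string]$Log      = "$env:TEMP\secedit-restore.log"   # assumed log location
    )
    if (-not (Test-Path $Template)) {
        throw "Default security template not found: $Template"
    }
    # Same invocation as the command in the post, plus /log so the outcome can be reviewed.
    & secedit.exe /configure /db $Database /cfg $Template /log $Log
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "secedit returned exit code $LASTEXITCODE; review $Log"
    }
    Get-Content -Path $Log
}

# Usage: list the candidate dropped files first, then restore the defaults and reboot.
Find-SuspectDropFiles | Format-Table -AutoSize
Restore-DefaultSecurityTemplate
```

Run this from an elevated PowerShell prompt; secedit needs administrative rights to apply the template, and as with the manual steps, a reboot is needed afterwards for the rebuilt TCP/IP settings to take effect.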
There’s not really too much info out there on how to clean E, so I figured I’d share the solution for that part of the problem that we were having in our environment. I have a little bit more info, but I’ll have to test it out more to know that it works 100%. I will be posting again in the next day or two.