It is hard to identify files containing Conficker, because the executables are packed and encrypted. When Conficker runs in memory, it is fully unpacked. Our memory disinfector scans the memory of every running process in the system and terminates Conficker threads without touching the process it runs in. This helps to keep the system services running.
The tool itself and the source code can be downloaded here:
* conficker_mem_killer.exe (594 K)
* memscan.zip (8.4 K)
Nonficker Vaxination Tool
Conficker uses different global and local mutexes to ensure that only the most up-to-date version is run on the system. This fact can be exploited to scan for and to prevent infections.
We have developed our Nonficker Vaccination DLL that can be installed as a system service and pretends to be a running Conficker by registering all mutexes from version .A, .B, and .C (and possibly .D, depending on which naming scheme you refer to). A setup tool to install the DLL as a system service is provided as well.
Removal instructions:
* Open your favorite registry editor (e.g. Start->Run...->regedit.exe->ok)
* Go to registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
* Remove the "aaaaanonficker" entry from the "netsvcs" value
* Remove the registry key and all sibling keys: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aaaaanonficker
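The same removal, scripted, as an added example that is not part of the original page or the Nonficker tool set. It follows the steps above: it edits the REG_MULTI_SZ "netsvcs" value under the SvcHost key and then deletes the service key (here taken to mean the key and everything beneath it). It must be run from an elevated PowerShell prompt, and the Stop-Service call is my addition so the DLL is released before its registration disappears.

```powershell
# Removal of the Nonficker service registration (example script, not the
# project's own code). Run from an elevated (Administrator) PowerShell.
$serviceName = 'aaaaanonficker'
$svcHostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$serviceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"

# Stop the running instance first (not in the page's steps, but it releases
# the DLL loaded into svchost.exe before the registration is removed).
Stop-Service -Name $serviceName -Force -ErrorAction SilentlyContinue

# Step 1: drop the service name from the "netsvcs" group (REG_MULTI_SZ).
$props = Get-ItemProperty -Path $svcHostKey -Name netsvcs
$remaining = @($props.netsvcs | Where-Object { $_ -ne $serviceName })
if ($remaining.Count -eq @($props.netsvcs).Count) {
    Write-Host "'$serviceName' not present in netsvcs; nothing to remove there"
} else {
    # Write the list back as a multi-string so the other svchost groups survive.
    Set-ItemProperty -Path $svcHostKey -Name netsvcs -Value $remaining -Type MultiString
    Write-Host "Removed '$serviceName' from netsvcs"
}

# Step 2: delete the service key together with its Parameters subkey etc.
if (Test-Path -Path $serviceKey) {
    Remove-Item -Path $serviceKey -Recurse -Force
    Write-Host "Deleted $serviceKey"
} else {
    Write-Host "$serviceKey not found; already removed"
}

# The SvcHost group is read at service start, so reboot to make the change final.
```

Check the result with `Get-ItemProperty $svcHostKey -Name netsvcs` and `Test-Path $serviceKey` after a reboot; if the service was still loaded, the key may have been recreated by the running instance.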
Besides vaccination, the mutexes can be used to scan for local infections. We have developed a small mutex scanner that tells you if you are infected.
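Both uses of the mutexes described above, the scan and the vaccination, come down to the same Win32 named-object calls. The following PowerShell is an added example (not the Nonficker scanner or DLL) that does both through .NET's System.Threading.Mutex. The mutex names in it are constructed placeholders; the page does not list the real Conficker names, and the scan is only as complete as the list you give it.

```powershell
# Mutex-based infection scan and vaccination (example code, not the
# project's own). The names below are PLACEHOLDERS: substitute the real
# Conficker mutex names, including their Global\ or Local\ prefix, per variant.
$mutexNames = @(
    'Global\PLACEHOLDER-conficker-variant-A',
    'Global\PLACEHOLDER-conficker-variant-B',
    'Global\PLACEHOLDER-conficker-variant-C'
)

function Test-NamedMutex {
    # Returns 'present', 'present (access denied)' or 'absent' for one name.
    param([Parameter(Mandatory)][string]$Name)
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return 'present'
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return 'absent'
    } catch [System.UnauthorizedAccessException] {
        # The object exists but this account may not open it: still a hit.
        # An infected service runs as SYSTEM, so expect this from a user shell.
        return 'present (access denied)'
    }
}

function Invoke-MutexScan {
    # Scan: report every listed mutex that some process currently holds.
    param([string[]]$Names)
    $hits = @()
    foreach ($n in $Names) {
        $state = Test-NamedMutex -Name $n
        Write-Host ("{0,-45} {1}" -f $n, $state)
        if ($state -ne 'absent') { $hits += $n }
    }
    return $hits
}

function Start-MutexVaccination {
    # Vaccination: create and keep the mutexes so a later Conficker instance
    # finds them already taken. The handles must stay open for as long as
    # this process lives, which is why the real tool runs as a service.
    param([string[]]$Names)
    $held = @()
    foreach ($n in $Names) {
        $createdNew = $false
        $m = New-Object System.Threading.Mutex($false, $n, [ref]$createdNew)
        if (-not $createdNew) {
            Write-Warning "$n already existed before we created it: possible infection"
        }
        $held += $m
    }
    return $held
}

$found = Invoke-MutexScan -Names $mutexNames
if ($found.Count -gt 0) {
    Write-Warning "Mutex names held by another process: $($found -join ', ')"
} else {
    Write-Host 'None of the listed mutexes exist; vaccinating this session.'
    $handles = Start-MutexVaccination -Names $mutexNames
    try {
        while ($true) { Start-Sleep -Seconds 60 }   # hold until Ctrl-C
    } finally {
        $handles | ForEach-Object { $_.Dispose() }
    }
}
```

A Global\ name is visible across all sessions, while a name without that prefix (or with Local\) only exists inside the caller's session, so run the scan from the session the suspected process runs in, or elevated, to avoid a false "absent". The vaccination is only effective while the script is running; the Nonficker service exists so the mutexes survive logoff.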
Both tools and source code can be downloaded here:
* nonficker.zip (547 K)
* nonficker_code.zip (64 K)