Tuesday, 25 August 2009

Stop Win32/Conficker from spreading by using Group Policy settings

Notes

  • Important Make sure that you document any current settings before you make any of the changes that are suggested in this article.
  • This procedure does not remove the Conficker malware from the system. This procedure only stops the spread of the malware. You should use an antivirus product to remove the Conficker malware from the system. Or, follow the steps in the "Manual steps to remove the Win32/Conficker virus" section of this Knowledge Base article to manually remove the malware from the system.
  • You may be unable to correctly install applications, service packs, or other updates while the permission changes that are recommended in the following steps are in place. This includes, but is not limited to, applying updates by using Windows Update, Microsoft Windows Server Update Services (WSUS) server, and System Center Configuration Manager (SCCM), as these products rely on components of Automatic Updates. Make sure that you change the permissions back to default settings after you clean the system.
  • For information about the default permissions for the SVCHOST registry key and the Tasks Folder that are mentioned in the "Create a Group Policy object" section, see the Default permissions table at the end of this article.

Create a Group Policy object

Create a new Group Policy object (GPO) that applies to all computers in a specific organizational unit (OU), site, or domain, as required in your environment.

To do this, follow these steps:
  1. Set the policy to remove write permissions to the following registry subkey:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
    This prevents the randomly named malware service from being created in the netsvcs registry value.

    To do this, follow these steps:
    1. Open the Group Policy Management Console (GPMC).
    2. Create a new GPO. Give it any name that you want.
    3. Open the new GPO, and then move to the following folder:
      Computer Configuration\Windows Settings\Security Settings\Registry
    4. Right-click Registry, and then click Add Key.
    5. In the Select Registry Key dialog box, expand Machine, and then move to the following folder:
      Software\Microsoft\Windows NT\CurrentVersion\Svchost
    6. Click OK.
    7. In the dialog box that opens, click to clear the Full Control check box for both Administrators and System.
    8. Click OK.
    9. In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions.
    10. Click OK.
  2. Set the policy to remove write permissions to the %windir%\Tasks folder. This prevents the Conficker malware from creating the Scheduled Tasks that can reinfect the system.

    To do this, follow these steps:
    1. In the same GPO that you created earlier, move to the following folder:
      Computer Configuration\Windows Settings\Security Settings\File System
    2. Right-click File System, and then click Add File.
    3. In the Add a file or folder dialog box, browse to the %windir%\Tasks folder. Make sure that Tasks is highlighted and listed in the Folder dialog box.
    4. Click OK.
    5. In the dialog box that opens, click to clear the check boxes for Full Control, Modify, and Write for both Administrators and System.
    6. Click OK.
    7. In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions.
    8. Click OK.
  3. Set AutoPlay (Autorun) features to disabled. This keeps the Conficker malware from spreading by using the AutoPlay features that are built into Windows.

    Note Depending on the version of Windows that you are using, there are different updates that you must have installed to correctly disable the Autorun functionality:
    • To disable the Autorun functionality in Windows Vista or in Windows Server 2008, you must have security update 950582 (http://support.microsoft.com/kb/950582) installed (described in security bulletin MS08-038).
    • To disable the Autorun functionality in Windows XP, in Windows Server 2003, or in Windows 2000, you must have security update 950582 (http://support.microsoft.com/kb/950582), update 967715 (http://support.microsoft.com/kb/967715), or update 953252 (http://support.microsoft.com/kb/953252) installed.
    To set AutoPlay (Autorun) features to disabled, follow these steps:
    1. In the same GPO that you created earlier, move to one of the following folders:
      • For a Windows Server 2003 domain, move to the following folder:
        Computer Configuration\Administrative Templates\System
      • For a Windows 2008 domain, move to the following folder:
        Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies
    2. Open the Turn off Autoplay policy.
    3. In the Turn off Autoplay dialog box, click Enabled.
    4. In the drop-down menu, click All drives.
    5. Click OK.
  4. Close the Group Policy Management Console.
  5. Link the newly created GPO to the location that you want it to apply to.
  6. Allow enough time for the Group Policy settings to reach all computers. Generally, Group Policy replication takes five minutes to replicate to each domain controller, and then 90 minutes to replicate to the rest of the systems. A couple of hours should be enough. However, more time may be required, depending on the environment.
  7. After the Group Policy settings have propagated, clean the systems of malware.

    To do this, follow these steps:
    1. Run full antivirus scans on all computers.
    2. If your antivirus software does not detect Conficker, you can use the Malicious Software Removal Tool (MSRT) to clean the malware. For more information, visit the following Microsoft Web page:
      http://www.microsoft.com/security/malwareremove/default.mspx
      Note You may have to follow some manual steps to clean up all the effects of the malware. We recommend that you review the steps that are listed in the "Manual steps to remove the Win32/Conficker virus" section of this article to clean up all the effects of the malware.
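Once Group Policy has refreshed, the three hardening settings above can be verified on a client before you start cleaning. The following PowerShell audit script is an added example, not part of the Microsoft article; it assumes only the registry key, the %windir%\Tasks folder and the two identities named in the steps, plus the fact that the Turn off Autoplay policy set to All drives writes NoDriveTypeAutoRun = 0xFF under the Explorer policy key.

```powershell
# Added audit script (not from the Microsoft article): confirms on one computer
# that the three GPO hardening settings have actually applied. Run elevated.
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$tasksFolder = Join-Path $env:windir 'Tasks'
$autorunKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Identities the article removes write access from.
$targets = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

# An ACE can grant write through GENERIC_WRITE / GENERIC_ALL without setting the
# specific bits, so both masks include the generic-right bits as well.
$genericWrite = 0x40000000 -bor 0x10000000
$regWriteMask = ([int][System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [int][System.Security.AccessControl.RegistryRights]::CreateSubKey -bor $genericWrite)
$fsWriteMask  = ([int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor $genericWrite)

function Test-WriteAllowed {
    param($Acl, [string]$RightsProperty, [int]$WriteMask)
    # True if Administrators or SYSTEM still hold an Allow ACE carrying any write bit.
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($targets -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.$RightsProperty -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

# "Turn off Autoplay" = Enabled / All drives writes NoDriveTypeAutoRun = 0xFF.
$autorun    = Get-ItemProperty -Path $autorunKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
$autorunOff = ($null -ne $autorun) -and (($autorun.NoDriveTypeAutoRun -band 0xFF) -eq 0xFF)

$results = @(
    [pscustomobject]@{ Check  = 'Svchost key: no write for Administrators/SYSTEM'
                       Passed = -not (Test-WriteAllowed (Get-Acl $svchostKey) 'RegistryRights' $regWriteMask) }
    [pscustomobject]@{ Check  = 'Tasks folder: no write for Administrators/SYSTEM'
                       Passed = -not (Test-WriteAllowed (Get-Acl $tasksFolder) 'FileSystemRights' $fsWriteMask) }
    [pscustomobject]@{ Check  = 'Autoplay disabled on all drives'; Passed = $autorunOff }
)
$results | Format-Table -AutoSize

# Non-zero exit lets a monitoring or login job flag machines the GPO has not reached.
if ($results.Passed -contains $false) { exit 1 }
```

Run the same script again after you restore the default permissions: the first two checks should then fail, which confirms that Windows Update and WSUS will work again.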
