Conficker Worm Detection

By Jesse Hamrick • April 1st, 2009

McAfee has posted a Conficker detection tool that scans IP ranges for infected machines. You can download the tool here.

There are two things to do to protect your systems: make sure the Microsoft hotfix KB958644 from Security Bulletin MS08-067 is installed on every machine, and keep your virus definitions up to date. MS08-067 closes the Server service vulnerability that Conficker uses to spread across the network, but the worm also spreads through weak administrator passwords on network shares and through autorun on removable media, so the patch is necessary rather than sufficient.

I was asked to write a PowerShell script that checks every machine in the domain for the hotfix, and I am sharing the code in the hope that it helps your defenses against the Conficker worm. The script reads the hotfix list over WMI (Win32_QuickFixEngineering), so a machine that does not answer a ping or refuses the WMI query produces no result; treat a blank as unverified, not as patched.

Take note of the filter section in the ListComputers function. You can enumerate all computers (workstations and servers) or only servers by moving the comment marker between the two Filter lines. By default the filter enumerates all computers in the domain:
# Uncomment to search all computers
$objSearcher.Filter = ("(objectCategory=$strCategory)")
# Uncomment to search only Servers
# $objSearcher.Filter = ("(&(objectCategory=$strCategory)(OperatingSystem=$strOS))")

Code:

# ======================================================
# Microsoft PowerShell Source File
#
# NAME: HotFixInfo.ps1
#
# AUTHOR: Jesse N. Hamrick
# WEB    : www.PowerShellPro.com
# DATE  : 04/01/2009
#
# COMMENT:     Script file enumerates hot fixes on all computers
#            in AD.
#            Sends the results to an Excel spreadsheet.
#            Script filters for KB958644 (Conficker defense).
#             Excel must be installed on the computer running
#             the script.
# ======================================================

# ======================================================
# Function Section
# ======================================================
# Function Name 'Excel' - Creates a spreadsheet and places
# results.
# Uses WMIObject Win32_QuickFixEngineering to gather hotfix
# info.
# ======================================================
Function Excel {

$Excel = New-Object -Com Excel.Application
$Excel.Visible = $True
$Workbook = $Excel.Workbooks.Add()
$Sheet = $Workbook.Worksheets.Item(1)
$Sheet.Cells.Item(1,1) = "Computer Name"
$Sheet.Cells.Item(1,2) = "Q Article"
$Sheet.Cells.Item(1,3) = "Installer"
$Sheet.Cells.Item(1,4) = "Install Date"
$Sheet.Cells.Item(1,5) = "Description"

$intRow = 2
$Header = $Sheet.UsedRange
$Header.Interior.ColorIndex = 19
$Header.Font.ColorIndex = 11
$Header.Font.Bold = $True

foreach ($strComputer in $colComputers){
    $reply = gwmi Win32_PingStatus -Filter "Address='$strComputer'"
    if ($reply.StatusCode -eq 0){
        $Sheet.Cells.Item($intRow, 1) = $strComputer
        # $null when the WMI call fails (RPC blocked, access denied); do not report that as "not installed"
        $colItems = gwmi Win32_QuickFixEngineering -ComputerName $strComputer
        if ($colItems -eq $null){
            $Sheet.Cells.Item($intRow, 2) = "WMI query failed - unverified"
        }
        else {
            $Sheet.Cells.Item($intRow, 2) = "KB958644 NOT found"
            foreach ($objItem in $colItems){
                If ($objItem.HotFixID -eq "KB958644"){
                    $Sheet.Cells.Item($intRow, 2) = "KB958644 Installed"
                    $Sheet.Cells.Item($intRow, 3) = $objItem.InstalledBy
                    $Sheet.Cells.Item($intRow, 4) = $objItem.InstalledOn
                    $Sheet.Cells.Item($intRow, 5) = $objItem.Description
                }
            }
        }
        # Advance one row per reachable computer so an unpatched host is not overwritten by the next one
        $intRow = $intRow + 1
    }
}
$Header.EntireColumn.AutoFit() | Out-Null
Clear-Host

}
# END OF Excel function

# ========================================================
# Function Name 'ListComputers' - Enumerates computer objects
# ========================================================
Function ListComputers {
$strCategory = "computer"
$strOS = "Windows*Server*"

$objDomain = New-Object System.DirectoryServices.DirectoryEntry

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
# Page the results; without this a domain with more than 1000 computers is silently truncated
$objSearcher.PageSize = 1000

# Uncomment to search all computers
$objSearcher.Filter = ("(objectCategory=$strCategory)")
# Uncomment to search only Servers
# $objSearcher.Filter = ("(&(objectCategory=$strCategory)(OperatingSystem=$strOS))")

$colPropList = "name"
# Add() returns the index of the new entry; discard it or it ends up in the function's output
foreach ($i in $colPropList){[void]$objSearcher.PropertiesToLoad.Add($i)}

$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults)
{$objResult.Properties["name"][0]}
}
#END OF FUNCTION

# ========================================================
# Script Body
# ========================================================
# Suppress per-host errors (unreachable hosts, WMI access denied) so one failure does not stop the run.
# The trade-off is that those failures never reach the console, so read the spreadsheet with that in mind.
$ErrorActionPreference = "SilentlyContinue"

# Call the ListComputers function and save the results to
# an array called $colComputers. Results are sorted alphabetically.
$colComputers = ListComputers | Sort-Object

# Call the Excel Function, which will use the $colComputers
# array to enumerate hotfix info for each computer in the domain.
Excel

#END OF SCRIPT ===============================================
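The following is an added example and not code from the original post or from PowerShellPro. It covers the same ground as the script above, but as two functions that return objects rather than driving Excel: the LDAP filter choice described in the note on the filter section becomes a -ServersOnly switch, and the hotfix check distinguishes "KB958644 not found" from "could not query the host", which the original conflates. It also reads the version of netapi32.dll over the admin$ share, since that is the library MS08-067 replaces, so an operator can compare it against the file table in the bulletin when the QFE list is inconclusive. The function names, parameter names, the sample usage line, and the requirement for PowerShell 2.0 or later (try/catch, Test-Connection -Quiet) are assumptions.

```powershell
# Added example, not from the original post. Assumes PowerShell 2.0+, domain membership,
# and admin rights on the target hosts. Function and parameter names are my own.

function Get-DomainComputerName {
    # Returns computer names from AD. -ServersOnly restricts the LDAP filter to
    # server operating systems (the same choice the original script makes by
    # commenting one Filter line in and the other out).
    param([switch]$ServersOnly)

    $filter = '(objectCategory=computer)'
    if ($ServersOnly) {
        $filter = '(&(objectCategory=computer)(operatingSystem=Windows*Server*))'
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry
    $searcher.Filter   = $filter
    $searcher.PageSize = 1000   # page results so a domain with >1000 computers is not truncated
    [void]$searcher.PropertiesToLoad.Add('name')

    foreach ($result in $searcher.FindAll()) {
        $result.Properties['name'][0]
    }
}

function Test-MS08067 {
    # For each host, reports whether KB958644 appears in Win32_QuickFixEngineering and
    # the file version of netapi32.dll (the binary MS08-067 replaces) for manual
    # comparison with the bulletin. "Unreachable" and "WMI query failed" are kept
    # separate from "not found" so an unverified host is never read as patched.
    param([Parameter(Mandatory=$true)][string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        $status  = 'Unknown'
        $version = $null
        $reachable = Test-Connection -ComputerName $computer -Count 1 -Quiet -ErrorAction SilentlyContinue
        if (-not $reachable) {
            $status = 'Unreachable'
        }
        else {
            try {
                $qfe = Get-WmiObject Win32_QuickFixEngineering -ComputerName $computer -ErrorAction Stop
                $hit = $qfe | Where-Object { $_.HotFixID -eq 'KB958644' }
                if ($hit) { $status = 'KB958644 installed' } else { $status = 'KB958644 not found in QFE' }
            }
            catch {
                $status = "WMI query failed: $($_.Exception.Message)"
            }
            # Secondary check: version of the patched binary, read over the admin$ share
            $dll = "\\$computer\admin`$\system32\netapi32.dll"
            try   { $version = (Get-Item $dll -ErrorAction Stop).VersionInfo.FileVersion }
            catch { $version = 'n/a' }
        }
        New-Object PSObject -Property @{
            ComputerName = $computer
            Status       = $status
            Netapi32     = $version
        }
    }
}

# Sample usage (assumed): servers only, written to CSV instead of Excel
Test-MS08067 -ComputerName (Get-DomainComputerName -ServersOnly) |
    Export-Csv -Path .\ms08-067-status.csv -NoTypeInformation
```

Because the functions emit objects, the output can be filtered in the pipeline (for example `Where-Object { $_.Status -ne 'KB958644 installed' }`) to produce the remediation list directly, and a host that shows "Unreachable" or "WMI query failed" stays visible as work to follow up rather than disappearing from the report.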

Comments

Nice, thanks a lot. One change I made is moving the $intRow increment outside of the ForEach, so that I get blank rows for all the machines that need to be updated.

By Simon Sheppard on November 27th, 2009 at 4:42 am

Very useful.

Here's a version updated with CultureInfo set to enable the script to work with any regional version of MS Excel. (I wish there was a way to do this without delving into psbase syntax, but I don't think there is?)

Also I stripped out the "smart quotes" which PowerShell doesn't like.

http://ss64.com/ps/syntax-hotfix.html

