- December 30, 2008
- March 24, 2009 12:05:35 PM
- Also Known As:
- Worm:W32/Downadup.AL [F-Secure], Win32/Conficker.B [Computer Associates], W32/Confick-D [Sophos], WORM_DOWNAD.AD [Trend], Net-Worm.Win32.Kido.ih [Kaspersky], Conficker.D [Panda Software]
- Systems Affected:
- Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
- CVE References:
Microsoft Windows Server 2003 Datacenter Edition SP1, Microsoft Windows Server 2003 SP1/SP2
Microsoft Security Update for Windows Server 2003 (KB958644)
If you are on a network or have a full-time connection to the Internet, such as a DSL or cable modem, disconnect the computer from the network and Internet. Disable or password-protect file sharing, or set the shared files to Read Only, before reconnecting the computers to the network or to the Internet. Because this worm spreads by using shared folders on networked computers, Symantec suggests sharing with Read Only access or using password protection to ensure that the worm does not reinfect the computer after it has been removed.
For instructions on how to do this, refer to your Windows documentation, or the document: How to configure shared Windows folders for maximum network protection.
For further information on the vulnerability and the patches that resolve it, please refer to the following document:
Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
- If you are removing an infection from a network, first make sure that all the shares are disabled or set to Read Only.
- This tool is not designed to run on Novell NetWare servers. To remove this threat from a NetWare server, first make sure that you have the current virus definitions, and then run a full system scan with the Symantec antivirus product.
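
The share and patch checks described above can be scripted before a cleaned computer is reconnected. The following PowerShell is an added example, not part of the original advisory or the removal tool; it assumes PowerShell 2.0 or later with WMI available, runs against the local machine only, and inspects share-level permissions (not NTFS permissions).

```powershell
# Added example: list disk shares that still allow write access and
# report whether the KB958644 update named above is recorded as installed.

# Share permission masks: Read = 0x1200A9, Change = 0x1301BF, Full = 0x1F01FF.
# The FILE_WRITE_DATA bit (0x2) is set for Change and Full, but not for Read.
$FILE_WRITE_DATA = 0x2

# Type 0 = ordinary disk share; administrative shares (C$, ADMIN$) have a different type.
$shares   = @(Get-WmiObject -Class Win32_Share | Where-Object { $_.Type -eq 0 })
$settings = @(Get-WmiObject -Class Win32_LogicalShareSecuritySetting)

$findings = foreach ($share in $shares) {
    $setting = $settings | Where-Object { $_.Name -eq $share.Name }
    if (-not $setting) {
        # No explicit share ACL is stored; the default applies and must be checked by hand.
        New-Object PSObject -Property @{ Share = $share.Name; Path = $share.Path
            Trustee = '(default ACL)'; Issue = 'Review manually' }
        continue
    }
    $sd = $setting.GetSecurityDescriptor().Descriptor
    if (-not $sd.DACL) {
        # A missing DACL grants full access to everyone.
        New-Object PSObject -Property @{ Share = $share.Name; Path = $share.Path
            Trustee = '(no DACL)'; Issue = 'Unrestricted' }
        continue
    }
    foreach ($ace in $sd.DACL) {
        # AceType 0 = access allowed
        if ($ace.AceType -eq 0 -and ($ace.AccessMask -band $FILE_WRITE_DATA)) {
            New-Object PSObject -Property @{ Share = $share.Name; Path = $share.Path
                Trustee = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"; Issue = 'Write allowed' }
        }
    }
}

if ($findings) {
    $findings | Format-Table Share, Path, Trustee, Issue -AutoSize
} else {
    Write-Output 'No disk shares grant write access at the share level.'
}

# Get-HotFix only lists individually recorded updates. A miss here means
# "verify further", because the fix may have arrived in a later service pack.
$kb = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
if ($kb) { Write-Output "KB958644 installed on $($kb.InstalledOn)" }
else     { Write-Output 'KB958644 not listed; verify patch level before reconnecting.' }
```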