Most of the IT admins are getting ready for the Conficker worms which are supposed to wake up on 4/1/2009. According to a new research done by Tillmann Werner and Felix Leder, it’s easy to detect systems infected by the worm. The feature has been incorporated into nmap 4.85 BETA5. Here is the thread for the announcement.
The free tool can be downloaded from the download page.
It’s available for multiple platforms. Once you have it installed, use this example to scan your network.
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
Substitute [targetnetworks] with your network. Check this manual page if you need more information about using it. Here is a sample output for a non-infected computer.
Host 192.168.1.247 appears to be up ... good. Interesting ports on 192.168.1.247: PORT STATE SERVICE 139/tcp open netbios-ssn 445/tcp open microsoft-ds Host script results: | smb-check-vulns: | MS08-067: NOT RUN | Conficker: Likely CLEAN |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)