
Using Nmap to find Conficker Worm Infections

The Conficker worm was first detected around November 2008. Although Microsoft long ago released a patch for the vulnerability it exploits, MS08-067, an astounding number of computers are still being infected with Conficker through that unpatched vulnerability.

For those of you who are not very familiar with Nmap, it is a port scanner which has become an industry standard in the security community. Recently Fyodor (the creator of Nmap) added some extremely useful functionality to Nmap in the form of a scripting engine. The scripting portion of Nmap is written in the Lua programming language, which is a relatively simple language to pick up if you have any programming experience. The way it works is that users write scripts to tackle the network problems they face on a daily basis and submit them to Nmap via the svn repository; once the scripts have been approved they are added to Nmap's script database. If you are using a version of Nmap more recent than 4.76, then you have the Nmap scripting engine in your release. If you are interested in learning more about the scripting features of Nmap, you can see the section from the Nmap book online here.

There is a script included in the default release of Nmap which makes it very easy to rapidly scan large subnets for unpatched computers that are still exploitable through MS08-067, or already infected by the Conficker worm. To use the script, just fire up a terminal in whichever operating system you are using and enter this command:

Example of using the Nmap Scripting Engine:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\r00t>nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns

You can replace the target (which follows the script name in the command above) with whatever IP address you are scanning, or with a complete subnet. Sample output of this command looks like this:

    C:\Documents and Settings\r00t>nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns

    Starting Nmap 5.00 ( http://nmap.org ) at 2009-10-22 15:42 Eastern Daylight Time

    NSE: Loaded 1 scripts for scanning.
    Initiating ARP Ping Scan at 15:42
    Scanning [1 port]
    Completed ARP Ping Scan at 15:42, 0.19s elapsed (1 total hosts)
    Initiating SYN Stealth Scan at 15:42
    Scanning [2 ports]
    Discovered open port 445/tcp on
    Discovered open port 139/tcp on
    Completed SYN Stealth Scan at 15:42, 0.02s elapsed (2 total ports)
    NSE: Script scanning
    NSE: Starting runlevel 2 scan
    Initiating NSE at 15:42
    Completed NSE at 15:42, 20.13s elapsed
    NSE: Script Scanning completed.
    Host is up (0.0038s latency).
    Interesting ports on

    139/tcp open  netbios-ssn
    445/tcp open  microsoft-ds
    MAC Address: 00:1F:D0:81:61:95 (Giga-byte Technology Co.)

    Host script results:
    |  smb-check-vulns:
    |  MS08-067: LIKELY VULNERABLE (host stopped responding)
    |  Conficker: Likely CLEAN
    |_ regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)

    Read data files from: C:\Program Files\Nmap
    Nmap done: 1 IP address (1 host up) scanned in 21.36 seconds
    Raw packets sent: 3 (130B) | Rcvd: 3 (130B)

As you can see, my target system is not infected with the Conficker worm; however, it's possible my system is still vulnerable to the MS08-067 bug, so this would require urgent attention from the network administrator. The `--script-args=unsafe=1` option can also be added to the command to add an extra check for denial of service, but I do not recommend doing this in any sort of production environment.
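When the same command is pointed at a whole subnet, reading the `smb-check-vulns` verdicts for every host by eye does not scale. The following parser is an added example, not code from the original post or from the Nmap project: it walks saved Nmap normal output, pulls out the MS08-067 and Conficker lines for each host, and turns them into a triage action for the administrator. The two-host sample output, the status strings other than those shown above, and the host-header pattern for newer Nmap releases are all assumptions.

```python
import re

# Constructed Nmap 5.00 normal output for two hosts (not real scan data). The
# smb-check-vulns lines follow the layout in the post; "NOT VULNERABLE" and
# "Likely INFECTED" are assumed status strings for the other outcomes.
SAMPLE_OUTPUT = """\
Interesting ports on 192.0.2.10:
Host script results:
|  smb-check-vulns:
|  MS08-067: LIKELY VULNERABLE (host stopped responding)
|  Conficker: Likely CLEAN
|_ regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)

Interesting ports on 192.0.2.11:
Host script results:
|  smb-check-vulns:
|  MS08-067: NOT VULNERABLE
|  Conficker: Likely INFECTED
|_ regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
"""

# Nmap 5.x prints "Interesting ports on X:"; newer releases print "Nmap scan report for X".
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (.+?):?$")
MS08_RE = re.compile(r"^\|_?\s*MS08-067:\s*(.+)$")
CONF_RE = re.compile(r"^\|_?\s*Conficker:\s*(.+)$")

def classify(ms08_067, conficker):
    """Turn the two script verdicts into one triage action for the administrator."""
    if "INFECTED" in conficker.upper():
        return "ISOLATE"  # worm present: contain the host before anything else
    status = ms08_067.upper()
    if "VULNERABLE" in status and "NOT VULNERABLE" not in status:
        return "PATCH"    # unpatched MS08-067, the hole Conficker spreads through
    return "OK"

def parse_smb_check_vulns(text):
    """Walk Nmap normal output and return one triage record per scanned host."""
    results, host = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            host = {"host": m.group(1), "ms08_067": "UNKNOWN", "conficker": "UNKNOWN"}
            results.append(host)  # appended now, filled in as its result lines arrive
        elif host and (m := MS08_RE.match(line)):
            host["ms08_067"] = m.group(1).strip()
        elif host and (m := CONF_RE.match(line)):
            host["conficker"] = m.group(1).strip()
    for host in results:
        host["action"] = classify(host["ms08_067"], host["conficker"])
    return results
```

Calling `parse_smb_check_vulns(SAMPLE_OUTPUT)` returns one record per host; to use it on a real subnet, save the scan with Nmap's `-oN` option and pass the file contents in instead.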