Script to identify conficker (virus infected) users

Hi there,

Did you find any removal tool for this worm?

oh bugger. Just found out that the :resolve command failing causes a script to halt in 3.X

Hey man, does that mean it won't work on 3.x!!?
And what about 2.x?
Something else: should I make a firewall filter rule to block any connection to these sites?
I have a deep bad feeling about this mess, MS is crashing down :confused:
Hurry up man, tomorrow is the date :open_mouth:

Sorry, one more thing, this happened after I used this script from the wiki.

Is this right?

Thanks dude, it's working now, the issue was in my firewall :stuck_out_tongue:

Mm, I think you are using the web-proxy service; the virus creates a reverse connection and loops with your local MT proxy. In my case I have an external Linux box and the same loop connections are seen in the cache log.

Nmap has released a new (beta) release that enables detection of Conficker infections
just by scanning the network.

For more information (including commands for Conficker scanning) see:
http://insecure.org/

An original tool (before it was added into nmap) is also available:
http://iv.cs.uni-bonn.de/uploads/media/scs.zip

And further info can be found at these sites:
http://www.honeynet.org/
(https://www.honeynet.org/node/389)
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

Just received these from a security consultant friend. Combined with the script here this should help us pick up any infected users, but it requires a computer on the inside (we use an older server with ESXi which allows remote access), which I believe is a good investment for any sites over 500 users.

You don’t have permission to access /nmap-dist/nmap-4.85BETA5-setup.exe on this server.

Just curious… the download server from insecure.org has got this error.

Hello
As omega-00 said, I have a problem with resolving names; it gives an error and the script stops working! How can I solve this problem? I looked in the other post and there is no solution!
Look, this is the problem!

 :put [:resolve tleksfchxqb.com]
failure

So when MKT reads it, it stops working with the script. And the problem is that this is the first one in the list!!
Thanks
Rafael Lore

Use OpenDNS servers.
Clear the DNS cache.

/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 primary-dns=208.67.220.220 secondary-dns=208.67.222.222
/ip dns cache flush

Thanks very much AUG, problem solved
Rafael Lore

Hi omega-00

I found in the logs many domains that are not listed in the daily-conficker list. After googling I found this URL; maybe this will help you out:

http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

I've noticed that if a customer is using OpenDNS as their DNS server, they get a lot of hits.
I believe these are false hits.
Anybody else run into this?

aug: any hits to OpenDNS aren't necessarily Conficker hits, seeing as OpenDNS doesn't host a specific Conficker warning page, just a standard "this site is unsafe/blocked blah blah blah" page that users hit. So you have to remove OpenDNS hits from your list (would be great if :resolve just worked like it's supposed to though, wouldn't it :-/ )

pokeman: when you say you've found domains that aren't in the list, do you mean my list is missing some? Or my list has ones that website doesn't?

If you're saying the first, I know this.. Conficker C generates 50,000 domains a day .. MikroTik only gives me a 4096 char string I can work with to block A and B (as listed on my script page) - http://wiki.mikrotik.com/wiki/Conficker-Virus-Blocking

but thanks for the links, any more info is helpful.

Try remote script execution, for example via ssh, and generate the MikroTik script code from a template :wink:

ssh my-router ':local listip [:resolve "aa.com"]; :if ($listip != "failure" ) do={
             /ip firewall address-list add list=daily-conficker address=$listip comment="aa.com"
             :log info "$listip"
           }
 ...'

Execute that script every day from a remote machine.

I've been running the script, but for some reason it just doesn't get out of the "while" statement... I'm trying to figure it out. I just don't see the final log message saying that modifications are completed. Thanks for the script anyway! :slight_smile:

Ozelo, as discussed above the MikroTik :resolve command is broken :-/ and causes the script to crash if it can't resolve an address, sigh.
So the fix is to use just OpenDNS servers for the time being.

The following script will stop the addition of duplicate IPs.

#resolve each new line and add to the address list daily-conficker. updated to list domain as comment
#(tail of the loop from the wiki script: $line, $lineEnd and $contentLen come from the part above it)
    # skip blank lines, then take the current line (one domain name) out of the downloaded file
    :if ( [:pick $line 0 1] != "\n" ) do={
      :local entry [:pick $line 0 ($lineEnd) ]
      :if ( [:len $entry ] > 0 ) do={
        # :resolve returns the string "failure" when the name does not resolve
        :local listip [:resolve "$entry"]
        :if ($listip != "failure" ) do={
          # find returns a list of ids, so test its length instead of comparing with ""
          :if ([:len [/ip firewall address-list find list=daily-conficker address=$listip]] = 0) do={
            /ip firewall address-list add list=daily-conficker address=$listip comment=$entry
            :log info "$listip"
          } else={ :log info "duplicate IP $entry" }
        }
      }
    }
  } while ($lineEnd < $contentLen)
}
:log info "Address List Modification Complete"
#cleaning up
/file remove "$month-$day-$year.txt"

You should be able to see from the comments what it replaces, but if not I’ve updated the wiki entry to reflect the new script.
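An added example (not code from the thread or from the wiki script) that combines the remote-generation idea from the ssh post with the duplicate check above: it resolves the domain list on the ssh-side machine, so a name that does not resolve is skipped instead of halting the router-side script, collapses duplicate IPs, drops any addresses passed in as known block-page addresses (the OpenDNS false hits discussed earlier), and emits the guarded RouterOS commands to push over ssh. The `stub_resolver` table and the sample domains are constructed for offline use; `daily-conficker` is the list name used in the thread.

```python
import re
import socket
from typing import Callable, Dict, Iterable, Optional, Set

LIST_NAME = "daily-conficker"
# The domain list is untrusted input and the generated script runs with admin rights
# on the router, so only plain hostnames may be embedded in it.
SAFE_DOMAIN = re.compile(r"[a-z0-9][a-z0-9.-]*")


def stub_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Offline stand-in for socket.gethostbyname built from a constructed table."""
    def resolve(name: str) -> str:
        if name in table:
            return table[name]
        raise socket.gaierror(-2, "constructed NXDOMAIN for " + name)
    return resolve


def resolve_all(domains: Iterable[str],
                resolver: Callable[[str], str] = socket.gethostbyname,
                exclude: Optional[Set[str]] = None) -> Dict[str, str]:
    """Map IPv4 address -> first domain that produced it (so duplicate IPs collapse).

    Names that fail to resolve are skipped instead of halting anything, malformed
    names are dropped, and addresses in `exclude` (e.g. a DNS filter's block page)
    never reach the router.
    """
    exclude = exclude or set()
    ip_to_domain: Dict[str, str] = {}
    for raw in domains:
        domain = raw.strip().lower()
        if not domain or not SAFE_DOMAIN.fullmatch(domain):
            continue
        try:
            ip = resolver(domain)
        except OSError:  # socket.gaierror is a subclass of OSError
            continue
        if ip not in exclude and ip not in ip_to_domain:
            ip_to_domain[ip] = domain
    return ip_to_domain


def render_script(ip_to_domain: Dict[str, str], list_name: str = LIST_NAME) -> str:
    """One guarded add per address, so re-running the script adds no duplicates."""
    lines = []
    for ip, domain in sorted(ip_to_domain.items()):
        lines.append(
            f":if ([:len [/ip firewall address-list find list={list_name} address={ip}]] = 0) "
            f'do={{ /ip firewall address-list add list={list_name} address={ip} comment="{domain}" }}'
        )
    return "\n".join(lines)
```

Feed `render_script(resolve_all(open("domains.txt")))` to `ssh my-router` as in the earlier post; with the real `socket.gethostbyname` the machine's own DNS does the resolving, so the router's `:resolve` is never needed.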

At this part the script stops. Last output in the log is "duplicate IP fnsqijun.org"

Not working for me! If I put set allow-remote-requests=yes it works, but it breaks the blocks that I had previously configured; the only way NAT works is redirecting UDP port 53 to the OpenDNS DNS server, but that's how I mark the cache IP - DNS - Cache

but your list stopped updating

why isn't it up to date today or a month back?

can you fix that as it was working well for me

I don't have the time to maintain the lists, and as the newer generations of Conficker (generation 'C' onwards) have a list of 50,000 new domains a day it becomes near impossible to handle that normally and would require me to completely recode what I've done on the script to handle multiple files with domains in them.

As it stands I might look at this again when v4.X re-adds the Lua functions.

Regards,
Andrew Cox
Omega-00