jur1st posted an example script using nmap to detect vulnerable and infected workstations in regards to Conficker.
http://bitninja.org/conflicker_scan.txt
================= **Disclaimer** This is all pretty ugly, but should help those who find themselves in a pinch. This little guide comes with no warranties or guarantees effectiveness. ================= --------------- Pre-requisites --------------- This method has been tested using nmap version 5.85BETA5 on Mac OS X. This should work on any *nix system. Open the terminal and input the following commands: svn co --username=guest --password='' svn://svn.insecure.org/nmap cd nmap ./configure && make sudo make install --------------- Running the Scan --------------- *note that if you already have a version of nmap installed on your machine from another source (Fink for example) you must type ./nmap from within the directory you compiled. For example, I created a folder on my desktop called svn_nmap where I placed the source and compiled. Launching from other locations will open an older version. Type the following from within the nmap directory: nmap -PN -d -p445 --script=smb-check-vulns --script-args=safe=1 xxx.xxx.xxx.zzz-zzz >> conficker_scan.txt This will execute the scan on a range of ports and outputs the results to conficker_scan.txt. You may want to do small ranges so you keep track of how well the scan is proceeding. Feel free to use the same output file as >> designates that output will be appended. -------------- Wading Through the Results -------------- You should now have a number of text files containing the results of your scan. In order to pull out information on the infected machines, run the following: grep -B 7 -A 4 INFECTED conficker_scan.txt >> infected_machines.txt To determine if any machines are vulnerable but not yet infected run the following: grep -B 8 -A 3 VULNERABLE conficker_scan.txt >> vulnerable_machines.txt ------------ Dealing With the Consequences ------------ At this point I leave you to determine the best course of action once you have identified all the vulnerable/infected machines. +++++++++++++++++++++++++++ Author: jur1st - CCCKC Credit to: Fyodor, Dan Kaminsky, Felix Leder, Tillmann Werner, Rich Mogull and the Conficker Working Group for the hard work. All I did was make the info a little more accessible. +++++++++++++++++++++++++++