Conficker - downadup issues

Networking/Security Forums -> Viruses // Worms

Author: OCKBA PostPosted: Sun Mar 29, 2009 11:42 am    Post subject: Conficker - downadup issues
    ----
Hello everybody,

I got the Conficker worm inside my organization.
The Symantec worm definition is:
W32.Downadup.A, and we got infected also with .B

What is the issue that the server pops an alert message informing us
that the worm was detected? Until now we couldn't trace the source.

Is it possible that the worm propagates when the user turns on his PC?

Are there any trace tools?

I did download the removal tool from both Symantec and Windows.
I also downloaded the patch from Windows.

What is the cure???

Author: ebrola  Location: Jacksonville, Fl  PostPosted: Tue Mar 31, 2009 3:19 pm    Post subject:
    ----
I have dealt with infections like this before. It was like we were chasing our tails with the thing. BUT...there is a cure, and it is a simple but time-consuming one.

First...download the tools and burn several copies to CDs. This will allow you to clean several machines at once, and the virus can't spread itself to the CD. This of course should be burned on a clean machine that is not on that site.

Second...unjack every machine/server in the network. If you don't do this you will be chasing your tail...and I assure you only dogs enjoy that.

Third...clean every machine and server with every tool you can find for it and then have the local AV run a full system scan on the local machine. This will ensure every machine is clean as you go.

Fourth...when all is clean (we did it twice just to make sure), then jack the network back together. At this point we ran another clean sweep on every machine just to be sure.

The one we were cleaning was a virus that had come in via an email that the users claimed they didn't open (yea...right) and would get cleaned on the local machine, but would have already emailed itself to the entire company address book on boot up.

I hope this helps and good luck!!

Author: malwaresupport PostPosted: Wed Apr 01, 2009 6:01 pm    Post subject: Well engineered
    ----
Yes it is always possible, but chances are not looking good for anyone being able to trace this threat. This worm is well engineered to not be traced.

Author: ryansutton  Location: San Francisco, California  PostPosted: Thu Apr 02, 2009 6:13 pm    Post subject: Re: Conficker - downadup issues
    ----
OCKBA wrote:

Are there any trace tools?


A honeypot inside of a DMZ would be useful, as you could monitor for connection and activity trends. Once infected, run procmon, Ethereal, etc.
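As an added illustration of the "connection and activity trends" a DMZ sensor or honeypot would show (example code, not from the forum post or any of its authors): an infected host that tries to spread over SMB fans out connection attempts to many peers in a short time, while a normal client talks to a handful of servers. The log format below is constructed for this example, and the fixed SMB port, fan-out threshold and one-minute window are assumptions to tune for your own network.

```python
"""Flag internal hosts that fan out SMB connection attempts to many peers.

Added example for the honeypot/DMZ monitoring suggestion above; not code
from the forum post. The "timestamp src dst dport" log format is
constructed for this example. TCP/445 is used because SMB is the service
Conficker's network propagation targets (assumption: your sensor logs the
destination port). Threshold and window are assumed starting values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 10.0.0.5 sweeps six hosts on 445 inside one
# minute (scan-like); 10.0.0.9 repeatedly talks to one file server
# (normal); 10.0.0.7 only uses HTTP and is ignored by the port filter.
SAMPLE_LOG = """\
2009-03-29T11:40:01 10.0.0.5 10.0.1.1 445
2009-03-29T11:40:02 10.0.0.5 10.0.1.2 445
2009-03-29T11:40:04 10.0.0.5 10.0.1.3 445
2009-03-29T11:40:07 10.0.0.5 10.0.1.4 445
2009-03-29T11:40:11 10.0.0.5 10.0.1.5 445
2009-03-29T11:40:16 10.0.0.5 10.0.1.6 445
2009-03-29T11:40:03 10.0.0.9 10.0.2.50 445
2009-03-29T11:41:03 10.0.0.9 10.0.2.50 445
2009-03-29T11:42:03 10.0.0.9 10.0.2.50 445
2009-03-29T11:40:05 10.0.0.7 10.0.1.1 80
2009-03-29T11:40:06 10.0.0.7 10.0.1.2 80
"""

SMB_PORT = 445          # assumption: watch SMB, the worm's spreading vector
FANOUT_THRESHOLD = 5    # distinct 445 peers within the window before alerting
WINDOW = timedelta(minutes=1)


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_scanners(log_text, port=SMB_PORT, threshold=FANOUT_THRESHOLD,
                  window=WINDOW):
    """Return {src: peak_peer_count} for every source that contacted at
    least `threshold` distinct destinations on `port` within any sliding
    interval of length `window`."""
    events = defaultdict(list)                # src -> [(ts, dst), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport == port:
            events[src].append((ts, dst))

    scanners = {}
    for src, ev in events.items():
        ev.sort()                             # oldest first
        start = 0
        for end in range(len(ev)):
            # Slide the window start forward until it spans <= `window`.
            while ev[end][0] - ev[start][0] > window:
                start += 1
            peers = {dst for _, dst in ev[start:end + 1]}
            if len(peers) >= threshold:
                scanners[src] = max(scanners.get(src, 0), len(peers))
    return scanners


if __name__ == "__main__":
    for src, peers in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"ALERT {src}: {peers} distinct SMB peers within {WINDOW}")
```

Run against the sample it reports only 10.0.0.5; the repeated connections from 10.0.0.9 to a single server never raise the distinct-peer count, which is the point of counting peers rather than raw connection attempts. Feed it real sensor output by adapting parse_line to your log format, and then the flagged sources are the machines to pull off the network and clean first.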

Author: Godsp3ed  Location: Universe  PostPosted: Sat Apr 25, 2009 5:46 am    Post subject:
    ----
Follow the instructions in the 2nd post from the link below.

http://www.security-forums.com/viewtopic.php?t=56117&sid=61ea36628319847460f0e309050a2c57
