Reading this thread has made me quite scared....
I have just mailed staff, put up a notice in the staff room, and in the staff bulletin to get all teachers and staff to bring their USB pens/HDDs to us for scanning. Let's hope they take note!
We've just been advised by county that their head offices have been affected.
If you need a simple action plan for conficker...
(1) Patch - this is your first and main priority. Patch patch patch.
(2) Make sure your AV is installed, up to date and has working on-access/real-time scanning - don't assume. Do check that all computers are running some protection.
(3) Strengthen passwords for network shares. Conficker tries a large number of passwords and may guess weaker ones. Make the password long and complex - perhaps a phrase with UPPER and lowercase characters, d1g1t5 and symbols.
(4) Disable file and printer sharing, or divide your network up. If it's a small network you can pull the network cable and clean the machine. If you do: do NOT put it back on to the network unless you know every other computer connected is clean and will not potentially reinfect the machine.
If you are running Sophos Anti-Virus see our "What to do" section for Conficker: Sophos Anti-Virus for Windows 2000+: removing W32/Confick and Mal/Conficker
Sophos Technical Support
For those that do not have SAV installed or are finding cleanup difficult, please check out:
Sophos Conficker Cleanup Tool
Last edited by Sophos-Support-5; 6th February 2009 at 10:33 PM.
stariq (7th February 2009)
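Step (3) of the action plan above is the one that can be checked offline with a script. This is an added example, not Sophos's tool or any code from the thread: it rejects share passwords that are short, lack character variety, or are just common words with letter-for-symbol swaps (the "d1g1t5" trick on its own does not defeat a dictionary attack). The weak-word list and the 15-character minimum are assumptions made for the example.

```python
"""Share-password policy check for step (3) of the action plan.
Added example, not Sophos's tool: Conficker tries a fixed list of weak
passwords against network shares, so reject candidates that are short, lack
character variety, or are common words with letter-for-symbol swaps.
The weak-word list and the 15-character minimum are assumptions."""
import re
# Constructed sample of common weak passwords (illustrative, not the worm's list).
WEAK_WORDS = {"password", "admin", "letmein", "school", "123456",
              "qwerty", "welcome", "secret", "changeme"}
# Leet substitutions reversed so 'p@ssw0rd' normalises to 'password'.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
MIN_LENGTH = 15  # assumed policy value; a passphrase easily exceeds it


def normalise(pw: str) -> str:
    """Lower-case and undo leet substitutions so dictionary checks still match."""
    return pw.lower().translate(LEET)


def looks_like_weak_word(pw: str) -> bool:
    """True if the password, or its core without trailing digits/symbols, is a weak word."""
    lower = pw.lower()
    core = re.sub(r"[^a-z]+$", "", lower)  # 'p@ssw0rd1!' -> 'p@ssw0rd'
    return any(c in WEAK_WORDS for c in (lower, normalise(lower), normalise(core)))


def check_share_password(pw: str) -> list:
    """Return policy failures; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    if looks_like_weak_word(pw):
        problems.append("dictionary word (possibly with substitutions)")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "Summer2009", "Blue-Kettle-Sings-4-Tea!"):
        result = check_share_password(candidate)
        print(candidate, "->", "OK" if not result else "; ".join(result))
```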
Been chasing this about for most of today. Can't wait until Monday.
We had this on our network - the lads I work with and Sophos were absolutely brilliant!! Couldn't have done this without them.
In the end I patched and updated all the servers in the school, deleted the 'random name' service using the cmd line and ran Sophos.
In the Sophos menu I selected 'delete' (or something similar) when a virus was found and then started to deploy WSUS to do the remainder.
All the lads kept an eye on it over the few days and the weekend, it killed the network but it was worth it.
Now I only have a handful of PCs playing up but nothing a rebuild wouldn't fix.
The problem is when staff bring in their laptops after long-term illness/holidays and Sophos updates their laptops and scans for any threats. It does grind the laptop right down but I think it's worth having that for 10-20 mins rather than Conficker appearing again.
Hope this has helped someone
Got the virus here. Just shut the servers down till I get in on Monday morning.
We're almost clean. Just a few more to do on Monday. Also showed me just how much staff DON'T listen to us.
Worth noting if you have the option of using a DNS server other than the local authority's: OpenDNS have added a "catcher" for Conficker - meaning if you have an infected machine which tries to call one of its many homes, OpenDNS will let you know about it.
Nice little article here: OpenDNS rolls out Conficker tracking, blocking - The Register
I use OpenDNS at home as it's quicker/more reliable than Be/O2's 'orrible servers, so bonus here. Not sure how that translates to school networks but if you register with OpenDNS you can use it to block all sorts of traffic; it's very handy and very free.
azrael78 (8th February 2009)
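The call-home behaviour OpenDNS watches for can also be spotted in your own resolver logs, because an infected host fails to resolve most of the pseudo-random domains it tries. This is an added example, not OpenDNS's catcher or code from the thread; the log format, the "random-looking" heuristic and the threshold are assumptions made for the example.

```python
"""Flag clients whose DNS traffic looks like worm call-home attempts.
Added example, not OpenDNS's catcher: an infected host cycles through many
pseudo-random rendezvous domains that mostly fail to resolve, so one client
collects a burst of NXDOMAIN answers for distinct random-looking names.
Log format, heuristics and thresholds are assumptions for this example."""
import math
from collections import Counter, defaultdict
# Constructed sample resolver log: "<time> <client_ip> <query_name> <rcode>".
SAMPLE_LOG = """\
08:01:02 10.0.5.21 www.bbc.co.uk NOERROR
08:01:03 10.0.5.21 mail.google.com NOERROR
08:01:03 10.0.5.40 qwjdkfa.biz NXDOMAIN
08:01:03 10.0.5.40 xkvpamz.org NXDOMAIN
08:01:04 10.0.5.40 bvtrqwl.info NXDOMAIN
08:01:04 10.0.5.40 zkxplqt.net NXDOMAIN
08:01:05 10.0.5.40 hjqvwxa.com NXDOMAIN
08:01:05 10.0.5.40 update.microsoft.com NOERROR
08:01:06 10.0.5.21 typo-example.co.uk NXDOMAIN
"""
FLAG_THRESHOLD = 4  # distinct random-looking NXDOMAIN names per client (assumed)


def registrable_label(name: str) -> str:
    """Heuristic: drop the TLD, then a two-letter suffix such as 'co'."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) > 1:
        labels.pop()
    if len(labels) > 1 and len(labels[-1]) <= 2:
        labels.pop()
    return labels[-1]


def random_looking(label: str) -> bool:
    """Long, high-entropy, vowel-poor labels resemble generated domain names."""
    if len(label) < 6:
        return False
    n = len(label)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(label).values())
    vowel_ratio = sum(label.count(v) for v in "aeiou") / n
    return entropy >= 2.5 and vowel_ratio < 0.3


def suspicious_clients(log_text: str) -> dict:
    """Return {client_ip: count} for clients at or above FLAG_THRESHOLD."""
    seen = defaultdict(set)  # client -> distinct random-looking failed names
    for line in log_text.splitlines():
        _time, client, name, rcode = line.split()
        if rcode == "NXDOMAIN" and random_looking(registrable_label(name)):
            seen[client].add(name)
    return {ip: len(names) for ip, names in seen.items() if len(names) >= FLAG_THRESHOLD}
```

A flagged client is a machine to pull off the network and scan, as the action plan earlier in the thread describes; a single typo'd lookup from a clean machine stays well under the threshold.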
I went to the Sophos Open Day yesterday. Was rather impressed, and not just with the free umbrella!
Graham Cluley is rather Dan Aykroyd-esque in the flesh, unlike in his pictures.
This thread is filling me with dread!
Sophos caught Conficker on a USB that one of the kids plugged in a couple of weeks ago.
We panicked when the e-mail from the console appeared in my mailbox, and swiftly downed the machine and ran an offline scan on it. (Came up clean.)
I disabled the pupil's account and he had to come and see me about it, but he just seemed completely oblivious to it.
Does anyone know if ESET NOD32 can do the same thing - e-mail me if a virus is found? We find a lot of people in the school close the warning and don't tell us.
Conficker isn't that bad if you're protected. This virus is causing a certain amount of panic because, in all honesty, it's exposing how poorly protected some networks are. Microsoft released the patch back in October and loads of networks still don't have it installed.
If you're patched on ALL machines and you have up-to-date AV on ALL machines then you won't suffer.
Asked "Are you 100% patched?", the usual answer is "yes, certainly, yes, yes, yes. Ah, well, probably." If you have no central management of either (1) patch control or (2) a minimum AV requirement on every machine allowed to communicate on the network, then how can you be sure you're protected?
Answer: Sophos Endpoint Security 8 (which includes SophosNAC) or Sophos NAC Advanced (that doesn't require SAV to be installed):
Endpoint control - How much control do you want?
Our vulnerabilities list shows three vulnerabilities in February, one in January and nine back in December. Hands up who is 100% patched on 100% of their machines and can prove it.
Latest vulnerabilities analysis
Sophos Technical Support
Oops_my_bad (5th March 2009)