Windows Thread: Annoying Virus (confick-E), in Technical
Page 4 of 9, posts 46 to 60 of 121
  1. #46 synaesthesia
    Some of the difficulties lie in existing AV products not being able to detect it. Updated definitions, but more importantly program updates, for all the big ones, Sophos included, haven't been rolled out until the last couple of weeks. However the removal tools (I think I've got just about everyone's!) are invaluable - I've got a pair of CDRs with them all on due to the amount of infections I've had to deal with.
    Another difficulty is the sub-infections - Conficker itself as we know isn't a major problem to detect and remove, but some of the infections that have started to come down with it, and variants of Conficker itself, are appearing all over the place. One that springs to mind in this area is "zlob" - one of many fake AV program providers.

  2. #47

    Conficker

    We've had this infection for a couple of weeks and now that it is half term I see it as an opportunity to eradicate it properly.

    Up to now we have deployed the patch to all servers, PCs and laptops, and disabled autorun for portable devices.

    To actually remove the worm from infected systems we have set up a shutdown script which runs F-Secure's f-downadup.exe to scan for the worm; if it returns an error level of 1 it has detected the worm, and in this case the script runs f-downadup.exe again but with --disinfect. All infections are logged centrally.

    We are going to keep this going and if it doesn't work we may shut down the network for the afternoon.

    One potential niggle is I suspect that if a PC is infected and an admin user logs on the worm inherits admin rights, thus giving it full rights to infect all PCs and servers, irrespective of the patch.

    I agree that this episode exposes just how insecure some networks can be. The real problem is that all networks are inherently insecure. A centralised thin client network may help and the TCM module (with associated software) may also (future).

    Bruce.
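An added example, not Bruce's actual script, of the shutdown-script flow he describes: run the scanner, branch on its exit code, re-run it with --disinfect on a hit, and log every outcome to a central share. The scanner path, the log share and local fallback log are placeholders, and the exit-code convention (1 = worm found) is taken from the post, not from F-Secure's documentation.

```powershell
# Added example, not the poster's script. Assumed: the scanner location, the UNC log
# share (placeholder), and the exit-code convention "1 = worm found" stated in the post.
param(
    [string]$Scanner  = 'C:\Tools\f-downadup.exe',      # assumed local copy of the F-Secure tool
    [string]$LogShare = '\\fileserver\confickerlogs$'   # placeholder central log share
)

function Write-CentralLog {
    # One line per event: timestamp, machine name, message. Falls back to a local file
    # if the share cannot be reached, so an outcome is never silently lost.
    param([string]$Message)
    $line = '{0} {1} {2}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $env:COMPUTERNAME, $Message
    $file = Join-Path $LogShare ('{0}.log' -f $env:COMPUTERNAME)
    try   { Add-Content -Path $file -Value $line -ErrorAction Stop }
    catch { Add-Content -Path ('{0}\Temp\conficker-scan.log' -f $env:SystemRoot) -Value $line }
}

function Invoke-WormScan {
    # Runs the scanner once and returns its exit code; -Disinfect adds the switch named in the post.
    param([switch]$Disinfect)
    $toolArgs = @()
    if ($Disinfect) { $toolArgs += '--disinfect' }
    & $Scanner @toolArgs | Out-Null
    return $LASTEXITCODE
}

if (-not (Test-Path $Scanner)) {
    Write-CentralLog 'ERROR scanner not found'
    exit 2
}

$rc = Invoke-WormScan
switch ($rc) {
    0 { Write-CentralLog 'CLEAN detect scan returned 0' }
    1 {
        Write-CentralLog 'INFECTED detect scan returned 1, running disinfect'
        $rc2 = Invoke-WormScan -Disinfect
        Write-CentralLog ('DISINFECT returned {0}' -f $rc2)
        $rc3 = Invoke-WormScan                          # second detect pass: confirm nothing is left
        Write-CentralLog ('RECHECK returned {0}' -f $rc3)
    }
    default { Write-CentralLog ('ERROR unexpected scanner exit code {0}' -f $rc) }
}
```

Deployed as a Group Policy shutdown script this runs as the local SYSTEM account, so the log share only needs to let workstation computer accounts create and append files. The re-check after disinfecting is what makes the central log useful: machines whose RECHECK line is still 1 are the ones to pull off the network and visit in person.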

  3. #48 gshaw
    Reading about this fills me with paranoia as well, as teaching machines are much harder to patch as they're being used all the time, so update time windows are few and far between. Looking into WOL in early morning maybe, but for the moment I'm forcing the patch out room by room.

    I've been checking the registry in HKLM\Software\Microsoft\Windows NT\Currentversion\svchost for odd-named entries from what I read in the Microsoft KB article - is that a reliable indicator of infection?

  4. #49 RabbieBurns
    I have my updates for teachers' computers set to download automatically and notify them of the updates. If they don't choose to apply the updates, the option once they shut down defaults to "apply updates and shutdown", which they know to choose.

    I keep an eye on WSUS to keep on top of any machines that aren't up at 99-100%.

  5. #50
    As pointed out, WSUS should provide the update automatically; if you don't have WSUS set up then you can deploy the patch automatically (.exe downloadable from MS) in the startup script (may require a command line option to do it silently). However, the update will only apply to WinXP SP2 (and above) PCs. Thanks, Bruce.
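An added example, not Bruce's own script, of the startup-script deployment he suggests: check whether the hotfix is already installed, and only if not run the standalone package silently and record the result. The KB number and package path are placeholders to be replaced with the patch the thread refers to; /quiet and /norestart are the standard switches of Windows XP/2003 hotfix packages.

```powershell
# Added example, not the poster's script. Placeholders: the KB id and the package path.
# /quiet and /norestart are the standard switches of Windows XP/2003 hotfix packages.
param(
    [string]$KbId    = 'KB000000',                                              # placeholder KB number of the patch
    [string]$Package = '\\fileserver\deploy$\WindowsXP-KB000000-x86-ENU.exe',   # placeholder UNC path to the package
    [string]$LogFile = ('{0}\Temp\patch-deploy.log' -f $env:SystemRoot)
)

function Write-Log {
    param([string]$Message)
    Add-Content -Path $LogFile -Value ('{0} {1}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Message)
}

function Test-HotfixInstalled {
    # Win32_QuickFixEngineering lists installed hotfixes by KB id; true if ours is already present,
    # which makes the script safe to run at every startup.
    param([string]$Id)
    $fix = Get-WmiObject -Class Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq $Id }
    return [bool]$fix
}

function Install-HotfixPackage {
    # Runs the package silently and returns its exit code (0 = installed, 3010 = installed, reboot needed).
    param([string]$Path)
    $p = Start-Process -FilePath $Path -ArgumentList '/quiet', '/norestart' -Wait -PassThru
    return $p.ExitCode
}

if (Test-HotfixInstalled -Id $KbId) {
    Write-Log "$KbId already installed, nothing to do"
    exit 0
}
if (-not (Test-Path $Package)) {
    Write-Log "ERROR package $Package not reachable"
    exit 2
}
$code = Install-HotfixPackage -Path $Package
switch ($code) {
    0       { Write-Log "$KbId installed" }
    3010    { Write-Log "$KbId installed, reboot required" }   # startup scripts run before logon, so a reboot here costs nobody their work
    default { Write-Log "ERROR $KbId installer returned $code" }
}
exit 0
```

The installed-hotfix check is the important part: a startup script runs on every boot, and without it every machine would re-run the installer each morning. Collecting the log lines centrally (as in the shutdown-script post above) gives the same per-machine view WSUS would otherwise provide.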

  6. #51 gshaw
    Yeah, I've been sending it round teaching PCs the last few days - not sure, but I think it requires a reboot, so I want to try and get it done manually before people come back.

    So far haven't found anything odd in the registry keys and all the services are still working on the PCs I've looked at so fingers crossed...

  7. #52 Sophos-Support-5
    Quote Originally Posted by gshaw:
    I've been checking the registry in HKLM\Software\Microsoft\Windows NT\Currentversion\svchost for odd-named entries from what I read in the Microsoft KB article - is that a reliable indicator of infection?
    Things you can (perhaps) visually spot...

    Extract from the "more information" tab on Mal/Conficker-A Malicious behavior (WORM_DOWNAD.AD, W32/Conficker.worm, Worm:Win32/Conficker.gen!A, Worm:W32/Downadup, Net-Worm.Win32.Kido) - Sophos security analysis

    (1) <System>\<random filename> (e.g. C:\windows\system32\zdtnx.g)

    (2) The registry entries added by Mal/Conficker-A are under:

    HKLM\SYSTEM\CurrentControlSet\Services\<random service name>

    (3) The random service name will also be added to the list of services referenced by:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs

    (4) When spreading to removable media Mal/Conficker-A attempts to create the following hidden files:

    <Removable Drive Root>\autorun.inf
    <Removable Drive Root>\RECYCLER\S-x-x-x-xxx-xxx-xxx-x\<Random Letters>.dll (where x represents a random digit)

    Please read the above page in full for more information and also Sophos Anti-Virus for Windows 2000+: removing W32/Confick and Mal/Conficker

    Regards,
    Sophos Technical Support
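An added triage script, not Sophos' code, that walks the four indicators listed above and reports candidates for a person to inspect; it deletes nothing. For indicators (2) and (3) it compares the netsvcs list against a baseline taken on a known-clean machine of the same build, which answers gshaw's question about "odd-named entries" more reliably than eyeballing the list; for (4) it looks for autorun.inf and DLLs under RECYCLER\S-* on removable drives. The baseline path is a placeholder.

```powershell
# Added example, not Sophos' code. Assumption: a name in netsvcs that is absent from a
# baseline taken on a known-clean machine of the same build is worth a look; it is not
# proof of infection on its own.

$SvcHostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-NetsvcsList {
    # Indicator (3): the REG_MULTI_SZ list of services svchost loads into the netsvcs group.
    (Get-ItemProperty -Path $SvcHostKey).netsvcs
}

function Export-NetsvcsBaseline {
    # Run once on a known-clean machine; the file is the reference for Compare-NetsvcsToBaseline.
    param([string]$Path)
    Get-NetsvcsList | Set-Content -Path $Path
}

function Compare-NetsvcsToBaseline {
    # Indicators (2) and (3): names in netsvcs the baseline does not have, with the ServiceDll
    # their service key points at; indicator (1) is that DLL if it sits in System32 with an odd name.
    param([string]$BaselinePath)
    $baseline = Get-Content -Path $BaselinePath
    foreach ($name in Get-NetsvcsList) {
        if ($baseline -contains $name) { continue }
        $dll = $null
        $params = Get-ItemProperty -LiteralPath "$ServicesKey\$name\Parameters" -ErrorAction SilentlyContinue
        if ($params -and $params.ServiceDll) {
            $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        }
        New-Object PSObject -Property @{
            Service    = $name
            ServiceDll = $dll
            Defined    = (Test-Path -LiteralPath "$ServicesKey\$name")
            Reason     = 'not in clean baseline'
        }
    }
}

function Get-RemovableMediaIndicator {
    # Indicator (4): autorun.inf at the root and DLLs under RECYCLER\S-... on removable drives.
    # -Force is needed because the worm creates these as hidden files.
    $drives = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2'   # 2 = removable disk
    foreach ($d in $drives) {
        $root    = $d.DeviceID + '\'
        $autorun = Join-Path $root 'autorun.inf'
        if (Test-Path $autorun) {
            New-Object PSObject -Property @{ Drive = $d.DeviceID; Path = $autorun; Reason = 'autorun.inf present' }
        }
        $recycler = Join-Path $root 'RECYCLER'
        if (-not (Test-Path $recycler)) { continue }
        Get-ChildItem -Path $recycler -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -like 'S-*' } |
            ForEach-Object {
                Get-ChildItem -Path $_.FullName -Force -Filter '*.dll' -ErrorAction SilentlyContinue |
                    ForEach-Object {
                        New-Object PSObject -Property @{ Drive = $d.DeviceID; Path = $_.FullName; Reason = 'DLL under RECYCLER\S-*' }
                    }
            }
    }
}
```

Usage: on a clean reference machine run `Export-NetsvcsBaseline -Path '\\fileserver\tools$\netsvcs-baseline.txt'` (placeholder path), then on a suspect machine `Compare-NetsvcsToBaseline -BaselinePath '\\fileserver\tools$\netsvcs-baseline.txt' | Format-List` and `Get-RemovableMediaIndicator | Format-Table -AutoSize`. A baseline only matches machines of the same Windows version and service pack, so keep one per build. An entry whose `Defined` is false is harmless (svchost skips names with no service key); an entry that is defined, absent from the baseline and whose ServiceDll is a randomly named file in System32 matches all of indicators (1) to (3) and is what to send to your AV vendor.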

  8. #53 Crispin
    After reading this thread my number one priority at the moment is to talk my crazy network manager out of getting rid of WSUS altogether and basically 'winging' it.

    Currently:

    McAfee not updated since Jan 9th
    WSUS not active since way before Christmas.

    I'm terrified.

  9. #54
    I had the Conficker virus. No need to shut down your network. Set your anti-virus (I use Sophos) to on-write-access scanning, restart the computer, then do a full scan. This should now pick up the virus and allow you to remove it. Push out the patch via GP if you don't have WSUS. If you use ISA, search for any host accessing the sites Conficker tries to access. This will give you a list of infected machines. Clean these up using the method above and then clear the virus alerts. Wait to see if you get any more alerts (may take a few hours). If you do, check the ISA logs again. You may get machines warning you they have been infected and then that the file has been deleted. Conficker can spread using the ADMIN$ share, so this warning is basically telling you a machine on your domain has tried to infect it, not that it has the virus.

    Hope this helps. Took me 3 days to clear, but not that much work. It certainly helps you find the workstations that aren't running anti-virus properly. As a side note, if you have Sophos, upgrade to the Enterprise Console 3.1. It's much better at automatically installing Sophos according to linked Active Directory OUs.

    If you need any advice give us a shout
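An added example, not from the post, of the ISA log search it describes: parse exported log lines, match the destination host against a watch-list, and return the internal clients that contacted it with a hit count, so the list can be worked through in order. The log layout here (tab-separated, columns as in $columns) is an assumption chosen for illustration, not ISA's real W3C schema, so map the real column names from the header line of your export; the watch-list names and sample log lines are constructed placeholders, not the domains the worm contacted.

```powershell
# Added example, not the poster's script. Assumed log layout: tab-separated, columns as
# listed in $columns (map ISA's real field names from the export's header line).
# The watch-list entries and the sample lines are constructed placeholders.

$columns = 'client-ip', 'date', 'time', 'dest-host', 'result-code'

# Constructed sample lines (not real log data).
$sampleLog = @(
    "10.1.20.15`t2009-03-03`t08:12:01`tupdate.microsoft.com`t200",
    "10.1.20.15`t2009-03-03`t08:12:09`tplaceholder-watched-a.example`t200",
    "10.1.30.7`t2009-03-03`t08:13:44`tplaceholder-watched-b.example`t403",
    "10.1.20.15`t2009-03-03`t08:20:31`twww.placeholder-watched-a.example`t200",
    "10.1.40.2`t2009-03-03`t08:21:05`twww.bbc.co.uk`t200"
)

# Placeholder watch-list: replace with the list your AV vendor publishes.
$watchList = @('placeholder-watched-a.example', 'placeholder-watched-b.example')

function ConvertFrom-ProxyLogLine {
    # One log line -> object with a property per column; header, comment and malformed lines give $null.
    param([string]$Line)
    $fields = $Line -split "`t"
    if ($fields.Count -ne $columns.Count) { return $null }
    $obj = New-Object PSObject
    for ($i = 0; $i -lt $columns.Count; $i++) {
        Add-Member -InputObject $obj -MemberType NoteProperty -Name $columns[$i] -Value $fields[$i]
    }
    return $obj
}

function Get-WatchListClients {
    # Returns one object per client IP that contacted a watched host (or a subdomain of one),
    # most hits first. The result code is ignored on purpose: a blocked (403) request still
    # shows that the client tried, which is the infection signal.
    param([string[]]$Lines, [string[]]$Watch)
    $hits = @{}
    foreach ($line in $Lines) {
        $e = ConvertFrom-ProxyLogLine -Line $line
        if ($null -eq $e) { continue }
        $dest = $e.'dest-host'.ToLower()
        $matched = $Watch | Where-Object { $dest -eq $_ -or $dest.EndsWith('.' + $_) }
        if ($matched) {
            $ip = $e.'client-ip'
            if (-not $hits.ContainsKey($ip)) { $hits[$ip] = 0 }
            $hits[$ip]++
        }
    }
    $hits.GetEnumerator() | Sort-Object Value -Descending |
        ForEach-Object { New-Object PSObject -Property @{ ClientIP = $_.Key; Hits = $_.Value } }
}

Get-WatchListClients -Lines $sampleLog -Watch $watchList | Format-Table -AutoSize
```

For a real export replace `$sampleLog` with `Get-Content` on the log file. Resolving each ClientIP to a hostname (DHCP leases or `nslookup`) turns the list into the set of machines to isolate and clean, and re-running the same query a few hours later, as the post suggests, shows whether anything was missed.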

  10. #55 mullet_man
    ARRRRHHH

    Sophos has been picking this up all morning, can't tell if Sophos has been cleaning it up or not?

  11. #56 Sophos-Support-5
    Quote Originally Posted by mullet_man:
    ARRRRHHH

    Sophos has been picking this up all morning, can't tell if Sophos has been cleaning it up or not?
    Go to a machine. Unplug the network cable. Run a FULL scan (scan all files checked). When the scan has finished, clean up the items in quarantine. Run another FULL scan. If it comes back clean we're cleaning it up.

    If you put the computer back on the network and it gets "infected" then there is an unpatched or unprotected machine on the network - or someone plugged in a USB pen into the computer.

    Regards,
    Sophos
    Last edited by Sophos-Support-5; 3rd March 2009 at 07:35 PM.

  12. #57 mullet_man
    Cheers, will give that a go tomorrow, just gonna be pretty difficult getting round all the machines it seems to have infected! I would say around nearly 100.

  13. #58 mullet_man
    ARRH again!!

    Got in this morning to most admin accounts locked out

  14. #59 mullet_man
    @Sophos Support

    I have been installing the patch and running the Malicious Software Removal Tool from Microsoft, and, as with Sophos, this has picked up the virus and got rid of it.

    Do you know if it still leaves the scheduled tasks? And can these be deleted manually?

    Also, who would I need to contact? I have got a few machines that won't let me install Sophos, with various errors including registry errors etc.

  15. #60 SYSMAN_MK
    Sophos have a nice removal script that will remove all traces of Sophos from a client. It fixes most issues with installation.
