Annoying Virus (confick-E)

[gshaw]

Sounds kinda how I feel with it at the mo, Sophos caught and "blocked" the autorun.inf on the USB sticks it found and there was 1 machine that got it but luckily the hardware went wrong the same day so it's out of service now

Killed autorun by GPO as well, amazing that not that many people seem to miss it, makes a change!

Really glad I did the paranoia run on the teaching machines during half term and admin machines are WSUS'ed now so fingers crossed... but you can never be 100% sure these days

[Geoff]

You should follow up the 'autorun.inf' detections as it may indicate secondary infections on home pcs and laptops.

[gshaw]

You should follow up the 'autorun.inf' detections as it may indicate secondary infections on home pcs and laptops.

Yup we caught one near enough as it happened yesterday and spoke to the tutor afterwards, he's gonna warn the student about it next class and keep those USB sticks out of the PC, also will recommend cleanup tools.

If anything now I reckon the number of PCs in the botnet must be shrinking rather than growing as the amount of cleanup tools and savvy users is growing?

[Geoff]

The botnet stablised at around 10million infections some time ago.

[gshaw]

Seems like the botnet's looking like it'll be divided up and sold to spammers... and there was me thinking we could have an e-war on our hands

[xeroxxe]

Hey sophos picks up the virus and on any PC or pen drive it will give me the "clean up" option and just go through and delete it. On the server that option is not available, it seems to be in a folder RECYCLE. Anyone know how I go about sophos removing it on the server. Cheers

[mullet_man]

Hey sophos picks up the virus and on any PC or pen drive it will give me the "clean up" option and just go through and delete it. On the server that option is not available, it seems to be in a folder RECYCLE. Anyone know how I go about sophos removing it on the server. Cheers

You just need to do a full scan i think! Although may take a good few hours depending on how much is on their.

Before you do the scan, click clear from list, so Sophos does a full rescan.

Or use the Microsoft Malicous Software remover, this got rid of it effectively for me.

[jc1875]

We've got Sunbelt Software VIPRE and have our DNS set to forward to OpenDNS.
Touch wood *knock knock* we've been relatively clean from viruses for some time. Once in a blue moon a browser hijack gets picked up but it's quickly cleaned out.

[zag]

Apparently its pretty easy to scan an entire network for conficker.

Slashdot | Taming Conficker, the Easy Way

Havn't actually seen an easy to use tool yet though.

[SYNACK]

Apparently its pretty easy to scan an entire network for conficker.

Slashdot | Taming Conficker, the Easy Way

Havn't actually seen an easy to use tool yet though.

After a little delay and a false start or two the instructions for scannig for it using nmap are here: http://www.edugeek.net/forums/securi...free-easy.html

There is also a scan and fix tool in that thread too but only for a single pc.

[synaesthesia]

Started a (late!) March SIMS upgrade at a school today. Flunks out half way through, lost the internet connection. Bugger.
In comes a frantic ICT Co-ordinator. Appears all the curriculum (CC3) computers have lost internet connection, with exception of 3 machines for some reason.
Pants.
CC3 server, no internetty. Bridget Jones pants.
Hour of scanning the network, checking the servers and random machines with MSRT/symantecs scanner, nothing.
Noticed something playing funny buggers with the computers. Trying to load Google - IE was visibly attempting google.edu google.com.tw google.co.uk google.us google.de, every combination possible. Odd, not seen/noticed that before.

Turned out the DNS had decided to just die for absolutely no reason. Sorted that, and phoned the office to keep them updated.

Got a very elated and relieved manager, who informed me that she'd had to send out every member of staff in sight that knew what a computer was to help with several actual and active infections in our area :/ Not good. Just relieved I didn't have to run around like a maniac trying to sort this one out :|

[kmount]

Heh, we survived. Long live Northants

[AyatollahPies]

Heh, we survived. Long live Northants

Anyone else slightly disappointed that Conficker didn't being the world to a standstill yesterday?

Not from a support point of view of course. I was however hoping to read about at least one PFI project that was brought to a halt due to the worm. (Cough Cough EDS/HP Cough Cough)

There is still time I suppose.

[Marci]

Is there a way to set Sophos to delete the relevant files on USB Sticks etc automatically using on-access scan rather than having to manually initiate a full scan from console? We've just switched from Symantec to Sophos, and Symantec handled Conficker much better - if it found one of Conficker's autorun.inf files it deleted it immediately along with the RECYCLER folder created. Sophos just blocks access to them, but leaves them on the drive. Staff go home or elsewhere, and end up taking the virus with them - if wherever they go isn't protected then they just assist in spreading it. I'd rather it just killed it immediately on contact rather than just blocking it til a full scan is run...

[PEO]

Is there a way to set Sophos to delete the relevant files on USB Sticks etc automatically using on-access scan rather than having to manually initiate a full scan from console? We've just switched from Symantec to Sophos, and Symantec handled Conficker much better - if it found one of Conficker's autorun.inf files it deleted it immediately along with the RECYCLER folder created. Sophos just blocks access to them, but leaves them on the drive. Staff go home or elsewhere, and end up taking the virus with them - if wherever they go isn't protected then they just assist in spreading it. I'd rather it just killed it immediately on contact rather than just blocking it til a full scan is run...

I would imagine if your machines are setup identically, then the usb stick would choose the same drive letter. therfore you could custom sophos to check the drive.