Annoying Virus (confick-E)

[GrahamWibbly]

Hi,

I appear to have picked up the W32/Confick-E virus. Not entirely sure where from as the servers were all bang up to date with Windows Updates and Sophos Anti-Virus.
The Sophos website says to install the MS08-067 hotfix from Microsoft (which when I've checked was actually installed on my machines last year.) It then says to use Sophos to clean the virus.
Now I've tried doing this, I do a full Sophos scan, it picks the virus up, I perform a clean and it says clean successful. At this point a few services (such as the server service) are turned off (presumably to allow a proper clean) so I have to reboot. Upon reboot I run another scan and the virus is still there.
Is it possible that some of my desktop machines have the virus and are transmitting it back to the server when the server reboots and reconnects to the network?
If this is the case it looks like I may have to go round every PC and ensure they're all up to date with Updates and do a virus scan on them all.
Has anyone any experiences with this virus or have any suggestions?

Many thanks.

[Geoff]

Yes. Along with the exploit referenced in MS08-067 Confick also spreads via UNC network shares, mapped drives and USB storage devices. I suggest you shut down your network and bring up machines one by one while isolated to perform a full cleanup. You also have to round up everyones USB storage devices (pen drives, music players, phones, etc) and inspect and clean those.

[AyatollahPies]

Further to everything Geoff has said, I'd recommend you download a tool specifically crated to remove this Worm such as this one by F-Secure.

ftp://ftp.f-secure.com/anti-virus/to...f-downadup.zip

As many on here point out, Sophos can be a pain in the neck when it comes to actually removing anything it finds.

Also turn off system restore on every workstation before scanning.

Do you get paid for overtime?

[GrahamWibbly]

Hi,

Thanks for the prompt reply. Is it possible to get rid of this without shutting the network down (this isn't really an option at this moment in time)?

[Geoff]

No, because as soon as you clean up one machine it'll be reinfected via the network.

[AyatollahPies]

Hi,

Thanks for the prompt reply. Is it possible to get rid of this without shutting the network down (this isn't really an option at this moment in time)?

If you want to rid your network of it, no.

If the head kicks up a fuss, direct him towards the news stories about how many machines worldwide are affected, emphasizing the Sheffield teaching hospitals.

Good luck.

[Geoff]

Also, if you can, try and identify the original source of the infection. As you say you have kept up with patching on your servers, it's likely that a USB flash drive is the cause. You may wish to review your proceedures and policies to prevent similar infections in future.

[GrahamWibbly]

I get that. I was thinking more along the lines of doing it room by room, disconnecting each as I go. Then reconnecting them all at the end.

What's pissing me off is where it's come from and why Sophos didn't pick it up.

So my plan should basically be:

1) Disconnect the servers from the network.
2) Go round every PC and run the removal tool from above and also run Windows Update.

[trekmad]

Most virus removal tools cannot get rid of the virus from some machines. We have Kaspersky on our network which picked up hacking attempts from machines which our AV and the removal tool showed as being clean. I came across these removal instructions online which has now erradicated the virus. You need to ensure that the random name in step 3 is definately the virus. I would recommend googling it before you delete it.

1. Install the Microsoft Patch for MS08-067.

2. Open Regedit and go to the following

HKLM>Software>Microsoft>Windows NT>CurrentVersion>svchost

3. In right hand pane double click on “netsvcs” and scroll down to the bottom line. There will be a random name such as rbydwcit. Make a note of this random name and delete the line of text.

4. Now go to

HKLM>System>controlset001>services>”virus name”(from step 3)>Parameters.

5. In right hand pane make a note of the dll which contains the virus.

Now delete the “virus name” key from the left hand pane.

6. Reboot to safe mode.

7. Delete the dll from step 5 found in c:\windows\system32\

[GrahamWibbly]

Thanks for all the replies, I think Sophos does actually remove it, it's just as soon as it reconnects to the network it picks it back up again.

I did try what Trekmad said above but when I got to step 5 there wasn't actually a DLL named there.

Looks like it could be a late night for me.

[kmount]

Depending upon your network ....

Disconnect all uplinks to your servers so they are on their own.

Isolate the servers and run a scan across them, any detection of infection and my advice would be to flatten it and reinstall restoring files from a known good back up before infection.

Reimage if you can each room in turn (ensuring they don't boot into windows before booting from the imaging device (usb/cdrom/floppy etc). - Once this is done, the room can be live.

If you can't reimage for whatever reason then yes, isolate, scan, check, reconnect.

I can't see which area you're in but it might be worth calling in some help from neighbouring schools, many hands make light work and all.

Good luck.

[Azhibberd]

We had a similar problem when i was relatively new to the education environment, and well the usb sticks was the hardest part to stop, so we simply stoped auto-run on everything and also put in software restrictions to stop the virus being run, also good idea for future is to always make sure you have decent permissions set on each share area like within are environment we have a common area which only admins can write directly into the path which stops spreading from other accounts.

[synaesthesia]

Malwarebytes Anti Malware is a great little app that will entirely remove an infection from a machine, but if it's networked, as above you'll need to repeat the process on all machines. Install it, run it, job done.

Now, depending on the level of infection and the specific variation of that worm, you might not be able to run the installer let alone the program itself. Thankfully it's a bit "thick". Rename the mbam.exe installer file to "fluffy.exe"

Install.

Once installed, go to the installation folder (c:\program files\malwarebytes etc) and rename the EXE file to fluffy.exe. Update or make a new shortcut to that. It'll now run and you'll be able to murder the infection safely. You can of course choose any name you want, "fluffy" is just my preferred alternative name. Sometimes if it's a bad infection i like the name "moist.exe".

No reason.

[GrahamWibbly]

Again thanks to all who replied. I couldn't do this tonight as there was something very important on that needed to use the network. I'm going to tackle it tomorrow.

The servers are detecting the virus (even though they were right up to date with Windows updates and anti virus). When I removed it with Sophos, the server service was stopped, I ran another virus scan straight away and nothing was detected, I rebooted in safe mode and ran another scan and nothing was detected again but as soon as I rebooted normally and was connected to the network it reappeared.
There's no way I'm flattening them, so need to remove.
Going to turn everything off tomorrow, go round each workstation and run the hotfix and a virus scan. Once I've done that I'll do the same on the servers and then re-connect everything.
I'll turn autorun off so USB sticks don't spread it and then will insist any sticks get brought to myself for a scan before use.

Is this Malwarebytes Anti Malware free? I've never heard of it, but I am willing to try anything that will make life easier.

Thanks again for everyones help.

[Azhibberd]

Also another suggestion, Turn off the switches, just because there is always someone who either doesn't get the message about all the pcs need to be off etc because of the virus, that or someone always turns them back on thinking off i thought it just this one wouldn't make a difference. I'm sure we have all seen it before.

And ye Malwarebytes Anti Malware is free really nice program