Conficker

[SimpleSi]

I'm not winning here
Had Conficker in a school once in past - eliminated it by removing everything from network and then cleaning each machine before rejoining to network, setting them all to not autorun anything and making sure all pendrive/cameras/anything with a memory card in in were certified before being allowed to be used again.

Did this at Easter at a school that got infected - though I was OK but then people noticed Sophos reporting that COnficker was being quarantined

So, started again, got head to issue beheading notices to anyone putting anything into a USB slot - finished last Friday - on Tues Conficker being reported in quarantine on domain clients (not on one teachers machine that I've removed from the domain but still on network and using server as file/dhcp/print server etc.

1. Where's the little f.... gettting back in from??? (And how can I stop it keep on doing it!)

2. Is it an actual issue if all machines all fully patched and Sophos is quaratineing it (e.g can we live with it or will it cripple the network?)



Si

[Michael]

What about the server(s)? And the odds are, someone's home computer is probably unprotected and out-of-date.

[DavidYoung]

When we had a similar situation at one of our sites (Conficker was spreading to PCs but Sophos was quarantining it), we found that it was spreading using the Task Scheduler, and using the fact that you can remotely-manage scheduled tasks from remote PCs to spread itself. Firstly, I suggest you use Windows Firewall GPOs to block any remote-management/administration ports, maybe disable the Task Scheduler if you don't need it.

You'll probably find that there is a PC-zero, which is likely un-patched (we found that our one was several years out of date with Windows update), maybe Sophos isn't running, likely the user is running with admin rights. We found the PC and updated Windows and Sophos and then manually cleaned the virus from Safe Mode.

[jamesfed]

I thought Microsoft released a patch that prevented Conflicker getting on things?
Conficker Worm: Help Protect Windows from Conficker

[JonWPS]

There's a Microsoft tech article which talks you through shutting this bandit down. Helped me when I was hit with this within weeks of starting in this job. Restrict access to svchost across the site, and run MSRT at startup on all clients for a while. Check Scheduled Tasks on all servers. I eventually traced our outbreak back to a couple of vanilla machines in our canteen.

There is also a patch which was pre-SP3 I think.

[themightymrp]

We also had to block task scheduler and disable file and print sharing on client machines (via group policy). Plus install the patch mentioned above. You can use the features of Sophos Enterprise Console to block off USB drives if I remember correctly

[X-13]

I thought Microsoft released a patch that prevented Conflicker getting on things?
Conficker Worm: Help Protect Windows from Conficker

That only works if you apply the patch...

[Zenden]

I have dealt with this on a wide scale.

Make sure all Pcs and servers have the patch KB948644 (havent double checked that but pretty sure it is right, i had to install it enough times!). If all of them do then it is an inactive infection being pulled either from autorun or task scheduler and wont be causing any damage. Make sure to disable autorun through group policy.

Biggest thing to know is that if the PCs are patched then the infection is null and will not spread further, however if any PCs dont have the patch then it will spread using the admin$ share by keylogging passwords of anyone who logs in.

[McChikenhanger]

Oh dear. You are going to need a lot of help and long hours to completely kill it off.

It would be a good idea if you talk to Sophos and get them to help you. We just started using KAspersky on our network when we had a big outbreak. There's a small tool that we got from kaspersly specifically designed to target Conficker and kill any open processes that were infected. We ended up unplugging EVERYTHING (and I do mean EVERYTHING) from the network. Make sure that all servers are clean and patched, there's like three different patches that you need for each machine flavour, before replugging them to the network. Make sure that you haven't got anything connecting wirelessly to the network too, and disinfect every workstation prior to plugging it back to the network.

It could be a good time to make new images for the workstations with all updates and latest AV releases just to make sure that Conficker it's truly dead. It took us about 2 weeks solid to completely kill it off.

Good luck.

[ZeroHour]

Doesnt sophos tell you the user account that triggered the quarantine?
Also what settings do you use for sophos?
On machines you have had issues with I would reset windows update store by stopping automatic updates service and renaming the directory c:\windows\softwaredistribution then starting the service back up.
Also which variant are you seeing?

[zag]

Should be really easy to stop.

Just make the root of all your shared drives read only.

It cant spread then.

[ZeroHour]

One other thing, I would consider using sophos with on-write checking to prevent it making it onto file servers etc, then do scheduled full scans at nights to prevent things sneaking on.

[CAM]

Sounds like you missed one. I've been down this road before and have a blog post about it:
How to remove Conficker (AKA Downadup and Kido) - Blogs - EduGeek.net

Little beggar never came back. We've since had warnings from infected USB drives pop up but the virus has never latched on again. Shut everything down, check every PC, check every PC again, reconnect things slowly starting with your servers then bringing up one lab at a time. One that is done, pray it never comes back.

We ended up with a USB ban after the incident and even after bringing things up, we were still spotting warnings from Sophos about infected sticks on staff laptops and running straight up to class to confiscate both items for cleaning. Even though notices went round!

[SYNACK]

I thought this was a solved problem, is Windows not imune to it now?

[Mcshammer_dj]

We cleared our network, by using the sophos specific tool and ensuring the correct patch has been applied to the machines.

Start with the server and then do all the workstations. We still get warnings when infected datasticks are inserted but the virus cannot jump between the machines. We don't clean the sticks as we wanted to avoid wiping data that could be vital (even if it is infected). Regular offenders are warned that there is a problem and given some guidance on how to check their own home systems.