EduGeek.net Windows forum thread: Conficker
  #1 SimpleSi
    Conficker

    I'm not winning here.
    Had Conficker in a school once in the past - eliminated it by removing everything from the network and then cleaning each machine before rejoining it to the network, setting them all to not autorun anything and making sure all pendrives/cameras/anything with a memory card in it were certified before being allowed to be used again.

    Did this at Easter at a school that got infected - thought I was OK, but then people noticed Sophos reporting that Conficker was being quarantined.

    So, started again, got the head to issue beheading notices to anyone putting anything into a USB slot - finished last Friday - on Tuesday Conficker is being reported in quarantine on domain clients (not on one teacher's machine that I've removed from the domain but is still on the network and using the server as file/DHCP/print server etc.).

    1. Where's the little f.... getting back in from??? (And how can I stop it from keeping on doing it!)

    2. Is it an actual issue if all machines are fully patched and Sophos is quarantining it (e.g. can we live with it, or will it cripple the network?)



    Si

  #2 Michael
    What about the server(s)? And the odds are, someone's home computer is probably unprotected and out-of-date.

  #3 DavidYoung
    When we had a similar situation at one of our sites (Conficker was spreading to PCs but Sophos was quarantining it), we found that it was spreading using the Task Scheduler, and using the fact that you can remotely-manage scheduled tasks from remote PCs to spread itself. Firstly, I suggest you use Windows Firewall GPOs to block any remote-management/administration ports, maybe disable the Task Scheduler if you don't need it.

    You'll probably find that there is a PC-zero, which is likely un-patched (we found that our one was several years out of date with Windows update), maybe Sophos isn't running, likely the user is running with admin rights. We found the PC and updated Windows and Sophos and then manually cleaned the virus from Safe Mode.

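The client-side lockdown DavidYoung describes (block the ports used for remote administration, optionally disable Task Scheduler) as a PowerShell script. This is an added example, not code from the post. It assumes Windows Vista/7 clients (the `netsh advfirewall` syntax; Windows XP only has the older `netsh firewall` command), that it runs elevated, for instance as a Group Policy computer startup script, and that it is applied to clients only, never to the file servers the clients need to reach. The firewall rule group names are the ones Windows 7 ships with. Inbound TCP 445 is the single path that matters here: it carries the MS08-067 exploit against the Server service, the copy into ADMIN$, and remote job creation through the AT service's named pipe, so blocking it inbound on every client stops client-to-client spread while outbound access to servers keeps working.

```powershell
# Added example (not from the original post): client hardening against
# Conficker lateral movement. Assumes Vista/7 "netsh advfirewall" syntax,
# elevated rights, and that the target is a CLIENT, not a file server.

param(
    [switch]$DisableScheduler   # only if clients can live without scheduled tasks
)

# Inbound SMB / NetBIOS session. 445 carries the MS08-067 exploit, the ADMIN$
# copy and remote AT job creation (\pipe\atsvc), so one block covers all three.
$rules = @(
    @{ Name = 'Conficker - block inbound SMB 445';     Port = 445 },
    @{ Name = 'Conficker - block inbound NetBIOS 139'; Port = 139 }
)

foreach ($r in $rules) {
    # Delete any earlier copy first so re-running the script does not stack rules.
    netsh advfirewall firewall delete rule name="$($r.Name)" | Out-Null
    netsh advfirewall firewall add rule name="$($r.Name)" dir=in action=block `
        protocol=TCP localport=$($r.Port) profile=any | Out-Null
}

# Switch off the built-in inbound remote-administration exceptions as well,
# otherwise a domain policy that enables them would re-open the same paths.
netsh advfirewall firewall set rule group="Remote Administration" new enable=no | Out-Null
netsh advfirewall firewall set rule group="Remote Scheduled Tasks Management" new enable=no | Out-Null

if ($DisableScheduler) {
    # Removes the At*.job persistence, but also kills legitimate scheduled tasks.
    # On Windows 7 the Schedule service cannot be stopped; there the firewall
    # rule group above is the effective control and this branch is a no-op.
    Stop-Service -Name Schedule -Force -ErrorAction SilentlyContinue
    Set-Service  -Name Schedule -StartupType Disabled -ErrorAction SilentlyContinue
}

# Show what is now in place so the change can be checked from the console.
netsh advfirewall firewall show rule name=all dir=in | Select-String 'Conficker'
```

Run it once per client (it is idempotent), then confirm from another client that `\\CLIENT\ADMIN$` is refused while `\\FILESERVER\share` still opens; that pair of checks is the whole point of the rule.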

  #4 jamesfed
    I thought Microsoft released a patch that prevented Conficker getting on things?
    Conficker Worm: Help Protect Windows from Conficker

  #5 JonWPS
    There's a Microsoft tech article which talks you through shutting this bandit down. Helped me when I was hit with this within weeks of starting in this job. Restrict access to svchost across the site, and run MSRT at startup on all clients for a while. Check Scheduled Tasks on all servers. I eventually traced our outbreak back to a couple of vanilla machines in our canteen.

    There is also a patch which was pre-SP3 I think.


  #6 themightymrp
    We also had to block Task Scheduler and disable file and print sharing on client machines (via Group Policy). Plus install the patch mentioned above. You can use the features of Sophos Enterprise Console to block off USB drives, if I remember correctly.


  #7 X-13
    Quote Originally Posted by jamesfed:
        I thought Microsoft released a patch that prevented Conficker getting on things?
        Conficker Worm: Help Protect Windows from Conficker
    That only works if you apply the patch...

  #8 Zenden
    I have dealt with this on a wide scale.

    Make sure all PCs and servers have the patch KB948644 (haven't double checked that but pretty sure it is right, I had to install it enough times!). If all of them do then it is an inactive infection being pulled either from autorun or Task Scheduler and won't be causing any damage. Make sure to disable autorun through Group Policy.

    Biggest thing to know is that if the PCs are patched then the infection is null and will not spread further; however, if any PCs don't have the patch then it will spread using the admin$ share by keylogging passwords of anyone who logs in.

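An audit script for the three things Zenden says decide whether the infection is live: is the patch on every box, is AutoRun off, and is anything still scheduling itself. This is an added example, not code from the post. One correction to the post, stated as fact: the MS08-067 Server service fix that Conficker exploits is KB958644 (the "Help Protect Windows from Conficker" page linked earlier points at the same bulletin); KB948644 is a typo. Assumptions: you run it from a domain admin session, remote WMI/RPC and `ADMIN$` are reachable from the console (which they will not be once you firewall the clients, so audit first), and the computer names are hypothetical. The service list is the set Conficker.B/C stops and disables on an infected host (Automatic Updates, BITS, Security Center, Windows Defender), which is why machines stop patching themselves.

```powershell
# Added example (not from the original post): per-machine Conficker exposure
# audit. Assumes domain admin rights, remote WMI/RPC and ADMIN$ reachable.
# Computer names are hypothetical placeholders.

$computers = @('LAB1-PC01', 'LAB1-PC02', 'STAFF-PC07')
$hotfix    = 'KB958644'                       # MS08-067, the Server service fix
$watched   = 'wuauserv', 'BITS', 'wscsvc', 'WinDefend'   # services Conficker disables

function Test-ConfickerExposure {
    param([string]$Computer)

    $r = @{ Computer = $Computer }

    # 1. Patch present? Get-HotFix reads Win32_QuickFixEngineering over WMI.
    $qfe = Get-HotFix -Id $hotfix -ComputerName $Computer -ErrorAction SilentlyContinue
    $r.Patched = [bool]$qfe

    # 2. AutoRun disabled for every drive type? 0xFF means all types disabled.
    $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $key = $reg.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer')
    $val = if ($key) { $key.GetValue('NoDriveTypeAutoRun') } else { $null }
    $r.AutoRunDisabled = ($val -eq 0xFF)

    # 3. AT-style jobs? Conficker persists as At1.job, At2.job ... in %windir%\Tasks,
    #    which ADMIN$ exposes as \\host\ADMIN$\Tasks.
    $jobs = Get-ChildItem "\\$Computer\ADMIN$\Tasks" -Filter 'At*.job' -ErrorAction SilentlyContinue
    $r.AtJobs = ($jobs | Measure-Object).Count

    # 4. Update / security services switched off? (WinDefend is absent on XP; ignored.)
    $svc = Get-Service -ComputerName $Computer -Name $watched -ErrorAction SilentlyContinue
    $r.StoppedServices = ($svc | Where-Object { $_.Status -ne 'Running' } |
                          Select-Object -ExpandProperty Name) -join ','

    New-Object PSObject -Property $r |
        Select-Object Computer, Patched, AutoRunDisabled, AtJobs, StoppedServices
}

$report = $computers | ForEach-Object { Test-ConfickerExposure -Computer $_ }
$report | Format-Table -AutoSize

# Unpatched hosts are the spreading vector; hosts with At*.jobs or stopped services
# are live infections even if Sophos keeps quarantining the dropped DLL.
$report | Where-Object { -not $_.Patched -or $_.AtJobs -gt 0 -or $_.StoppedServices } |
    Export-Csv -Path .\conficker-triage.csv -NoTypeInformation
```

A machine that shows `Patched = False` is the answer to "where is it getting back in from"; one that shows `AtJobs > 0` with the patch installed is the case Zenden describes, a dormant copy that Sophos will keep catching until it is cleaned by hand.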

  #9
    Oh dear. You are going to need a lot of help and long hours to completely kill it off.

    It would be a good idea if you talk to Sophos and get them to help you. We had just started using Kaspersky on our network when we had a big outbreak. There's a small tool that we got from Kaspersky specifically designed to target Conficker and kill any open processes that were infected. We ended up unplugging EVERYTHING (and I do mean EVERYTHING) from the network. Make sure that all servers are clean and patched - there's like three different patches that you need for each machine flavour - before re-plugging them into the network. Make sure that you haven't got anything connecting wirelessly to the network too, and disinfect every workstation prior to plugging it back into the network.

    It could be a good time to make new images for the workstations with all updates and the latest AV releases, just to make sure that Conficker is truly dead. It took us about 2 weeks solid to completely kill it off.

    Good luck.

  #10 ZeroHour
    Doesn't Sophos tell you the user account that triggered the quarantine?
    Also, what settings do you use for Sophos?
    On machines you have had issues with I would reset the Windows Update store by stopping the Automatic Updates service and renaming the directory C:\Windows\SoftwareDistribution, then starting the service back up.
    Also, which variant are you seeing?
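ZeroHour's Windows Update store reset, done remotely for a list of machines. This is an added example, not code from the post; the computer names are hypothetical, and it assumes admin rights with the Service Control Manager and `ADMIN$` reachable over the network. One step the post does not mention is added because it matters here: Conficker sets the Automatic Updates service to Disabled, so the service has to be re-enabled before it can be restarted, or the reset silently does nothing.

```powershell
# Added example (not from the original post): reset the Windows Update store on
# remote machines. Assumes admin rights, SCM and ADMIN$ reachable. Names are
# hypothetical placeholders.

$computers = @('LAB1-PC01', 'STAFF-PC07')

foreach ($c in $computers) {
    # Conficker leaves wuauserv Disabled; put it back to Automatic or Start() fails.
    sc.exe "\\$c" config wuauserv start= auto | Out-Null

    $svc = Get-Service -ComputerName $c -Name wuauserv
    if ($svc.Status -ne 'Stopped') {
        $svc.Stop()
        $svc.WaitForStatus('Stopped', (New-TimeSpan -Seconds 60))
    }

    # Rename rather than delete: the old store's logs show what the client last
    # managed to download, which helps date when it fell off Windows Update.
    $store = "\\$c\ADMIN$\SoftwareDistribution"
    if (Test-Path $store) {
        $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
        Rename-Item -Path $store -NewName "SoftwareDistribution.$stamp.old"
    }

    $svc.Start()
    $svc.WaitForStatus('Running', (New-TimeSpan -Seconds 60))
    $svc.Refresh()
    Write-Host ("{0}: update store reset, wuauserv is {1}" -f $c, $svc.Status)
}
```

After the service is back up the client rebuilds the store and re-detects against WSUS or Microsoft Update on its next cycle; if KB958644 then appears as missing, that machine was never patched, whatever the console said.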

  #11 zag
    Should be really easy to stop.

    Just make the root of all your shared drives read only.

    It can't spread then.

  #12 ZeroHour
    One other thing, I would consider using Sophos with on-write checking to prevent it making it onto file servers etc., then do scheduled full scans at night to prevent things sneaking on.
    Last edited by ZeroHour; 11th May 2012 at 01:54 PM.

  #13 CAM
    Sounds like you missed one. I've been down this road before and have a blog post about it:
    How to remove Conficker (AKA Downadup and Kido) - Blogs - EduGeek.net

    Little beggar never came back. We've since had warnings from infected USB drives pop up, but the virus has never latched on again. Shut everything down, check every PC, check every PC again, reconnect things slowly starting with your servers, then bring up one lab at a time. Once that is done, pray it never comes back.

    We ended up with a USB ban after the incident and even after bringing things up, we were still spotting warnings from Sophos about infected sticks on staff laptops and running straight up to class to confiscate both items for cleaning. Even though notices went round!
    Last edited by CAM; 11th May 2012 at 02:01 PM.

  #14 SYNACK
    I thought this was a solved problem; is Windows not immune to it now?

  #15 Mcshammer_dj
    We cleared our network by using the Sophos-specific tool and ensuring the correct patch had been applied to the machines.

    Start with the server and then do all the workstations. We still get warnings when infected datasticks are inserted but the virus cannot jump between the machines. We don't clean the sticks as we wanted to avoid wiping data that could be vital (even if it is infected). Regular offenders are warned that there is a problem and given some guidance on how to check their own home systems.
