Some of the difficulties lie in existing AV products not being able to detect it. Updated definitions, but more importantly program updates, for all the big ones, Sophos included, haven't been rolled out until the last couple of weeks. However the removal tools (I think I've got just about everyone's!) are invaluable - I've got a pair of CDRs with them all on due to the amount of infections I've had to deal with.
Another difficulty is the sub-infections - Conficker itself as we know isn't a major problem to detect and remove, but some of the infections that have started to come down with it, and variants of Conficker itself, are appearing all over the place. One that springs to mind in this area is "zlob" - one of many fake AV program providers.
We've had this infection for a couple of weeks and now that it is half term I see it as an opportunity to eradicate it properly.
Up to now, we have deployed the patch to all servers, PCs and laptops, and disabled autorun for portable devices.
To actually remove the worm from infected systems we have set up a shutdown script which runs F-Secure's f-downadup.exe to scan for the worm; if it returns an error level of 1 it has detected the worm, and in this case the script runs f-downadup.exe again but with --disinfect. All infections are logged centrally.
We are going to keep this going and if it doesn't work we may shut down the network for the afternoon.
One potential niggle is I suspect that if a PC is infected and an admin user logs on, the worm inherits admin rights, thus giving it full rights to infect all PCs and servers, irrespective of the patch.
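The shutdown script described in the post above, rendered as an added PowerShell example (it is not the poster's own script, which is not shown). It relies only on what the post states: f-downadup.exe returns error level 1 on detection and takes --disinfect to clean. The share paths for the scanner and the central log are assumptions; the meaning of exit codes other than 0 and 1 is not given in the post, so they are logged as tool errors rather than guessed at.

```powershell
# Added example: shutdown script that scans with F-Secure's f-downadup.exe,
# disinfects when the scanner reports a detection (exit code 1, per the post)
# and appends one line per run to a central log.
# Assumed paths: scanner on a read-only share, log on a share the computer
# account can write to. Both are placeholders.
$Scanner    = '\\fileserver\tools\f-downadup.exe'       # assumption
$CentralLog = '\\fileserver\logs\downadup-scan.log'      # assumption
$LocalLog   = "$env:SystemRoot\Temp\downadup-scan.log"

function Write-ScanLog {
    param([string]$Message)
    $line = '{0} {1} {2}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $env:COMPUTERNAME, $Message
    # Always keep a local copy so nothing is lost if the share is unreachable at shutdown
    Add-Content -Path $LocalLog -Value $line
    try {
        Add-Content -Path $CentralLog -Value $line -ErrorAction Stop
    } catch {
        Add-Content -Path $LocalLog -Value "  (central log unreachable: $($_.Exception.Message))"
    }
}

if (-not (Test-Path $Scanner)) {
    Write-ScanLog 'ERROR scanner not found; no scan performed'
    exit 2
}

# First pass: detection only. Error level 1 means the worm was found (from the post);
# any other non-zero code is treated as a tool failure and logged for follow-up.
& $Scanner | Out-Null
$detectResult = $LASTEXITCODE

switch ($detectResult) {
    0 { Write-ScanLog 'CLEAN no detection' }
    1 {
        Write-ScanLog 'INFECTED detection reported; running disinfection'
        # Second pass with --disinfect, as the post describes
        & $Scanner --disinfect | Out-Null
        Write-ScanLog ('DISINFECT exit code {0}' -f $LASTEXITCODE)
    }
    default { Write-ScanLog ('ERROR scanner exit code {0}' -f $detectResult) }
}
```

Assign it through Group Policy under Computer Configuration > Windows Settings > Scripts > Shutdown so it runs with the computer account. Writing the local copy first matters: a machine that cannot reach the share at shutdown is exactly the one you still want a record from.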
I agree that this episode exposes just how insecure some networks can be. The real problem is that all networks are inherently insecure. A centralised thin client network may help and the TCM module (with associated software) may also (future).
Reading about this fills me with paranoia as well, as teaching machines are much harder to patch as they're being used all the time, so update time windows are few and far between. Looking into WOL in early morning maybe, but for the moment I'm forcing the patch out room by room.
I've been checking the registry in HKLM\Software\Microsoft\Windows NT\Currentversion\svchost for odd-named entries from what I read in the Microsoft KB article - is that a reliable indicator of infection?
I have my updates for teachers' computers set to download automatically and notify them of the updates. If they don't choose to apply the updates, the option once they shut down defaults to "apply updates and shutdown", which they know to choose.
I keep an eye on WSUS to keep on top of any machines that aren't up at 99-100%.
As pointed out, WSUS should provide the update automatically; if you don't have WSUS set up then you can deploy the patch automatically (.exe downloadable from MS) in the startup script (may require a command line option to do it silently). However, the update will only apply to WinXP SP2 (and above) PCs. Thanks Bruce.
Yeah I've been sending it round teaching PCs the last few days - not sure but think it requires a reboot so want to try and get it done manually before people come back.
So far haven't found anything odd in the registry keys and all the services are still working on the PCs I've looked at so fingers crossed...
Things you can (perhaps) visually spot...
Originally Posted by gshaw
Extract from the "more information" tab on Mal/Conficker-A Malicious behavior (WORM_DOWNAD.AD, W32/Conficker.worm, Worm:Win32/Conficker.gen!A, Worm:W32/Downadup, Net-Worm.Win32.Kido) - Sophos security analysis
(1) <System>\<random filename> (e.g. C:\windows\system32\zdtnx.g)
(2) The registry entries added by Mal/Conficker-A are under:
HKLM\SYSTEM\CurrentControlSet\Services\<random service name>
(3) The random service name will also be added to the list of services referenced by:
(4) When spreading to removable media Mal/Conficker-A attempts to create the following hidden files:
<Removable Drive Root>\autorun.inf
<Removable Drive Root>\RECYCLER\S-x-x-x-xxx-xxx-xxx-x\<Random Letters>.dll (where x represents a random digit)
Please read the above page in full for more information and also Sophos Anti-Virus for Windows 2000+: removing W32/Confick and Mal/Conficker
Sophos Technical Support
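An added PowerShell check (not from Sophos and not from any poster) for the indicators in the extract above: the random service name under HKLM\SYSTEM\CurrentControlSet\Services, the svchost group entries from the key gshaw mentions earlier in the thread, and the hidden autorun.inf and RECYCLER\S-...\*.dll files on removable drives. Because the names are random, there is no fixed string to search for, so the script compares the machine against a baseline you export from a known-clean build with the same script. The baseline path is an assumption; the script only reads, it removes nothing.

```powershell
# Added example: read-only indicator check against a baseline from a clean machine.
# Run once on a known-clean build with -Export, then on suspect machines without it.
param(
    [string]$Baseline = '\\fileserver\tools\conficker-baseline.xml',  # assumption
    [switch]$Export
)

$SvchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceSnapshot {
    # Members of each svchost group (netsvcs etc.) plus every service key name
    $svchost = Get-ItemProperty -Path $SvchostKey
    $groups = @{}
    foreach ($p in $svchost.PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { $groups[$p.Name] = @($p.Value) }
    }
    New-Object PSObject -Property @{
        SvchostGroups = $groups
        ServiceNames  = @(Get-ChildItem -Path $ServicesKey | ForEach-Object { $_.PSChildName })
    }
}

if ($Export) {
    Get-ServiceSnapshot | Export-Clixml -Path $Baseline
    "Baseline written to $Baseline"
    return
}

$known    = Import-Clixml -Path $Baseline
$now      = Get-ServiceSnapshot
$findings = @()

# (2) and (3): service keys or svchost group members the clean build does not have
foreach ($name in $now.ServiceNames) {
    if ($known.ServiceNames -notcontains $name) {
        $img = (Get-ItemProperty -Path "$ServicesKey\$name" -ErrorAction SilentlyContinue).ImagePath
        $findings += "Unknown service '$name' (ImagePath: $img)"
    }
}
foreach ($group in $now.SvchostGroups.Keys) {
    $baseMembers = @($known.SvchostGroups[$group])
    foreach ($member in $now.SvchostGroups[$group]) {
        if ($baseMembers -notcontains $member) {
            $findings += "Unknown svchost '$group' member '$member'"
        }
    }
}

# (4): hidden autorun.inf and RECYCLER\S-x-x-...\<random>.dll on removable drives (DriveType 2)
foreach ($drive in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2') {
    $root = $drive.DeviceID + '\'
    if (Test-Path (Join-Path $root 'autorun.inf')) {
        $findings += "autorun.inf present on $root"
    }
    # -Force so hidden directories and files are included
    Get-ChildItem -Path (Join-Path $root 'RECYCLER') -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -like 'S-*' } |
        ForEach-Object { Get-ChildItem -Path $_.FullName -Filter '*.dll' -Force -ErrorAction SilentlyContinue } |
        ForEach-Object { $findings += "DLL in recycler: $($_.FullName)" }
}

if ($findings.Count -eq 0) { 'No indicators found' } else { $findings }
```

A service that appears on the suspect machine but not in the baseline is a lead, not a verdict: legitimately installed software adds services too, so check the ImagePath before acting. A random-looking name whose ImagePath points at a DLL in the system directory with no vendor you recognise is the pattern the Sophos text describes.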
After reading this thread my number one priority at the moment is to talk my crazy network manager out of getting rid of WSUS altogether and basically 'winging' it.
Mcafee not updated since Jan 9th
WSUS not active since way before Christmas.
I had the Conficker virus. No need to shut down your network. Set your anti-virus (I use Sophos) to on-write access scanning, restart the computer then do a full scan. This should now pick up the virus and allow you to remove it. Push out the patch via GP if you don't have WSUS. If you use ISA, search for any host accessing the sites Conficker tries to access. This will give you a list of infected machines. Clean these up using the method above and then clear the virus alerts. Wait to see if you get any more alerts (may take a few hours). If you do, check ISA logs again. You may get machines warning you they have been infected then the file has been deleted. Conficker can spread using the ADMIN$ share, so this warning is basically telling you a machine on your domain has tried to infect it, not that it has the virus.
Hope this helps. Took me 3 days to clear, but not that much work. It certainly helps you find the workstations that aren't running anti-virus properly. As a side note, if you have Sophos, upgrade to the Enterprise Console 3.1. It's much better at automatically installing Sophos according to linked Active Directory OUs.
If you need any advice give us a shout
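The ISA log search mullet_man describes, as an added PowerShell example (not the poster's method and not a Microsoft tool): it reads ISA Server W3C-format log lines, uses the #Fields header to find the client and destination-host columns, and lists each client IP that contacted a host on a watchlist. The post does not name the sites Conficker contacts and neither does this example; you supply that list from a vendor write-up you trust. The column names c-ip and r-host are assumptions about your log format and can be overridden; the embedded sample lines and the placeholder domain are constructed for the offline run.

```powershell
# Added example: find client IPs in ISA W3C logs that reached watchlisted hosts.
# Usage: .\Find-SuspectClients.ps1 -LogPath C:\ISALogs\WEB_20090221.w3c -WatchlistPath .\watchlist.txt
# With no parameters it runs over the constructed sample below.
param(
    [string]$LogPath,
    [string]$WatchlistPath,
    [string]$ClientField = 'c-ip',    # assumption: ISA W3C client address column
    [string]$HostField   = 'r-host'   # assumption: ISA W3C destination host column
)

function Get-SuspectClients {
    param([string[]]$Lines, [string[]]$Watchlist, [string]$ClientField, [string]$HostField)
    $fields = $null
    $hits = @{}   # client IP -> hashtable of watchlisted hosts it contacted
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Header gives the column order for the data lines that follow it
            $fields = $line.Substring('#Fields:'.Length).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrEmpty($line.Trim()) -or $fields -eq $null) { continue }
        $cols = $line -split "`t"
        $ci = [array]::IndexOf($fields, $ClientField)
        $hi = [array]::IndexOf($fields, $HostField)
        if ($ci -lt 0 -or $hi -lt 0 -or $cols.Count -le [Math]::Max($ci, $hi)) { continue }
        $client = $cols[$ci]
        $dest   = $cols[$hi].ToLower()
        foreach ($bad in $Watchlist) {
            # Match the listed domain itself or any host beneath it
            if ($dest -eq $bad -or $dest.EndsWith('.' + $bad)) {
                if (-not $hits.ContainsKey($client)) { $hits[$client] = @{} }
                $hits[$client][$dest] = $true
                break
            }
        }
    }
    foreach ($c in ($hits.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Client = $c
            Hosts  = (($hits[$c].Keys | Sort-Object) -join ',')
        }
    }
}

if ($LogPath -and $WatchlistPath) {
    $lines = Get-Content -Path $LogPath
    $watch = Get-Content -Path $WatchlistPath |
        ForEach-Object { $_.Trim().ToLower() } |
        Where-Object { $_ -and -not $_.StartsWith('#') }
} else {
    # Constructed sample: the domain is a placeholder, not a real Conficker host
    $watch = @('watchlist-placeholder.test')
    $lines = @(
        '#Software: Microsoft Internet Security and Acceleration Server'
        "#Fields:`tc-ip`tcs-username`tr-host`tcs-uri"
        "10.1.2.30`tanonymous`twww.watchlist-placeholder.test`thttp://www.watchlist-placeholder.test/"
        "10.1.2.31`tjsmith`tupdate.microsoft.com`thttp://update.microsoft.com/"
        "10.1.2.30`tanonymous`twatchlist-placeholder.test`thttp://watchlist-placeholder.test/x"
    )
}

Get-SuspectClients -Lines $lines -Watchlist $watch -ClientField $ClientField -HostField $HostField |
    Format-Table Client, Hosts -AutoSize
```

On the sample this reports only 10.1.2.30, with both hostnames it reached. Reading the #Fields header rather than hard-coding column positions matters because ISA lets you change which fields are logged; if the header is missing or the expected columns are absent, the script quietly reports nothing, so check the header first when a run comes back empty.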
Sophos has been picking this up all morning, can't tell if Sophos has been cleaning it up or not?
Go to a machine. Unplug the network cable. Run a FULL scan (scan all files checked). When the scan has finished, clean up items in quarantine. Run another FULL scan. If it comes back clean we're cleaning it up.
Originally Posted by mullet_man
If you put the computer back on the network and it gets "infected" then there is an unpatched or unprotected machine on the network - or someone plugged in a USB pen into the computer.
Cheers, will give that a go tomorrow, just gonna be pretty difficult getting round all the machines it seems to have infected! I would say around nearly 100.
Got in this morning to most admin accounts locked out
I have been installing the patch and running the Malicious Software remover from Microsoft, as was Sophos; this has picked up the virus and got rid of it.
Do you know if it still leaves the scheduled tasks? And can these be deleted manually?
Also, who would I need to contact? I have got a few machines that won't let me install Sophos, with various errors including registry errors etc.
Sophos have a nice removal script that will remove all traces of Sophos from a client. It fixes most issues with installation.