Our Windows machines have been infected by W32/Conficker!mem (that's what it's called on McAfee, but it might have a different name on other antivirus software).
We have updated our McAfee to the latest DAT, but the same type of virus seems to keep coming back and is also spreading over our LAN and WAN.
Any suggestion what we should do to get rid of this?
I did some reading about the virus, and it is using ports 445 and 139 to spread itself. McAfee suggested that we block these ports, but that is not possible as we're using them for file sharing.
Thanks in advance
We got this nasty virus too, and we are fixing it with fixdownadup.exe from Symantec (http://www.symantec.com/s
by: Fiuca, posted on 2009-01-15 at 16:14:50, ID: 23389380
Hello,
Per McAfee (you probably read this already): http://vil.nai.com/vil/content/v_153464.htm
This was published today (from the forum http://forums.mcafeehelp.com/showthread.php?t=226723):
"Hi All,
We too are experiencing problems with this particular worm/trojan. Running Enterprise 7.1 clients and a 5492 DAT (been through five in as many days). No joy in moving it from memory with any AV program. Here's a little more info, hope it helps you.
The virus creates a new service, copies the description of a running service and uses real-world names, e.g. Universal Time, Security Support Service etc., in the display name property to mask the infection; however, the real name of the system and thus the HKLM\System\CurrentControlSet\Services key is always a randomly generated alphanumeric string. It also resets the ACL for the key(s) (one for every running service) to SYSTEM only and therefore cannot be simply deleted.
To remove the virus from memory, identify the rogue service and make a note of its key name at the top of the properties box. Use the service description: there will be 2 identical descriptions, and the one running services.exe netsvcs or svchost -k netsvcs is the one you want (the path to the virus-infected file is in the Parameters subkey). Restart the system in safe mode and use regedit (or regedt32 for pre-XP/2003), navigate to the services key and reset the permissions for the key and propagate this change to all subkeys (Parameters/Enum/Security). Now delete the key and run a full system scan with action set to DELETE; no current DAT will clean this virus.
We know a hell of a lot about this virus and have been chasing it for the past week. The article mentioned from MS08-067 (suggest you read MS08-068 as well) contains the correct patches, and you will need to change some other system services back to your defaults. You may want to note we have seen evidence that the virus corrupts some of these hotfixes when resident in memory by re-instating the vulnerabilities they were designed to patch. The virus sets BITS to Automatic (uses system DFS to propagate if you're running it), turns off Automatic Updates and has been seen to disable RPC and start the Scheduled Task service if it is not running. It uses the last service when it creates tasks to re-infect the system. Initial infection seen in the Default User's Temporary Internet Folder and thus any new accounts.
We have developed a script to find and reset ACLs and delete rogue keys, reset services and delete tasks and all users' Temporary Internet Folders. Additionally the script sets On Access Scans to delete action and the default AV task to delete action (via reg DWORD values uAction set to 4).
Still fighting, would like some help from McAfee...!
NB
If you have an infected machine DO NOT LOG ON AS A DOMAIN ADMINISTRATOR; it uses those credentials to infect other machines by copying infected files and running them on remote systems or creating files in %WINDIR%\Tasks and letting the system run infected files regardless of the target system's patch status (we tested this in the lab). While we are fighting this we have disabled scheduled tasks across the system, although setting the on access scan to delete appears to be combating this attack vector.
For McAfee, we are willing to sell you the script... Running our script has had 100% success in removing the virus and preventing re-infection."
I hope it helps.
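The quoted post identifies the rogue service by hand: a service hosted by svchost -k netsvcs whose Description is a copy of another service's, living under a randomly named key whose ACL has been reset so that even an administrator cannot open it. The following PowerShell script is an added example, written here to show that triage as read-only code; it is not code from the thread, from Fiuca, or from the McAfee forum poster. It assumes the registry path the post names (HKLM\System\CurrentControlSet\Services) and a standard Windows layout where a svchost-hosted service keeps its ServiceDll in the Parameters subkey; the function name and the regular expressions are my own choices. It only reports candidates for an administrator to review against the procedure in the post; it deletes nothing.

```powershell
# Added example (not from the original thread). Read-only triage of the
# service registry for the masking pattern the quoted post describes:
#   - hosted by "svchost -k netsvcs"
#   - Description string identical to another service's
#   - or a key whose DACL an elevated admin cannot even read
# Run from an elevated PowerShell prompt; nothing is modified.

function Get-SuspiciousNetsvcsServices {
    param(
        # Registry path named in the quoted post (PowerShell drive form)
        [string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    )

    $entries = foreach ($key in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
        # The post reports the rogue key's ACL being reset to SYSTEM only;
        # a key whose DACL cannot be read is therefore itself a signal.
        $aclReadable = $true
        try { $null = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { $aclReadable = $false }

        # Values may be unreadable for the same reason; empty strings are kept
        # so the key still appears in the report.
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $serviceDll = (Get-ItemProperty -Path "$($key.PSPath)\Parameters" -Name ServiceDll `
                        -ErrorAction SilentlyContinue).ServiceDll

        [pscustomobject]@{
            KeyName     = $key.PSChildName
            DisplayName = [string]$props.DisplayName
            Description = [string]$props.Description
            ImagePath   = [string]$props.ImagePath
            ServiceDll  = [string]$serviceDll
            AclReadable = $aclReadable
        }
    }

    # Descriptions carried by more than one service key. They are compared as
    # stored: many legitimate ones are "@dll,-id" resource references, which
    # still compare exactly, so a copied string is caught either way.
    $shared = @{}
    $entries |
        Where-Object { $_.Description -ne '' } |
        Group-Object -Property Description |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $shared[$_.Name] = @($_.Group | Select-Object -ExpandProperty KeyName) }

    foreach ($svc in $entries) {
        $hostedInNetsvcs = ($svc.ImagePath -match 'svchost') -and ($svc.ImagePath -match '-k\s+netsvcs')
        $duplicateDesc   = $shared.ContainsKey($svc.Description)

        if (-not $svc.AclReadable -or ($hostedInNetsvcs -and $duplicateDesc)) {
            $sharesWith = ''
            if ($duplicateDesc) {
                $sharesWith = ($shared[$svc.Description] | Where-Object { $_ -ne $svc.KeyName }) -join ', '
            }
            [pscustomobject]@{
                KeyName        = $svc.KeyName
                DisplayName    = $svc.DisplayName
                ServiceDll     = $svc.ServiceDll
                SharesDescWith = $sharesWith
                AclReadable    = $svc.AclReadable
            }
        }
    }
}

# Usage: print the candidate list for review.
Get-SuspiciousNetsvcsServices | Format-Table -AutoSize
```

A hit on this list is a lead, not a verdict: the post's own procedure (note the key name, reboot to safe mode, reset the key's permissions and propagate them to Parameters/Enum/Security, then delete the key and run a full scan) is still the manual step, and the ServiceDll column gives the file path the post says to look for in the Parameters subkey. Because the script runs under the caller's account, it also respects the post's warning: run it as a local administrator on the suspect machine, not under domain administrator credentials.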