net-worm.win32.kido.dq Problem

Hi All,

My network has been infected with the net-worm.win32.dq or Conficker worm, and we are having a problem with a machine broadcasting this worm across the whole network and trying to infect other machines. We have patched all of our machines (or believe we have) with the Microsoft patch, and our antivirus is up to date and working; however, this is still being broadcast. The problem is that I cannot trace where this broadcast is coming from. Are there any tools, etc., or knowledge you can share with me to help trace this broadcast?

Below is the message my machines receive when this rogue machine tries to send it; however, no record is made of where it came from.

Regards

Natalie

Event Type:	Warning
Event Source:	Anti-Virus
Event Category:	None
Event ID:	0
Date:		11/02/2009
Time:		09:05:45
User:		N/A
Computer:	RATS
Description:
Net-Worm.Win32.Kido.dq has been found in
C:\WINDOWS\system32\kfuuif.k
11/02/2009 09:05:45
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Asked by: brookesm
 
xmachine commented:
Hi,

The key to solving unknown sources of infection is sniffing the traffic, so you have several options here:

1) Install Wireshark and sniff the traffic from a SPAN Port (monitoring port on the switch), and upload the pcap file here to inspect it.

Download from here (http://www.wireshark.org/download.html)

2) You can set up a Snort IDS box to detect intrusions and malicious traffic in your network. Downadup/Conficker can be detected by Snort signatures.

Download it from here for Linux (http://www.snort.org/dl/) or Windows (http://www.snort.org/dl/binaries/win32/)

Read some docs on how to install/run it (http://www.snort.org/docs/)


Good Luck,

A Symantec Certified Specialist @ your service
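Once a capture from the SPAN port is in hand, the infected host stands out by fan-out: one source opening connections to many distinct peers on TCP/445, the SMB port Conficker spreads over. The following Python is an added example, not code from the thread or from Wireshark; it assumes the capture has been exported as CSV rows of time,src_ip,dst_ip,dst_port, and the sample rows are constructed.

```python
# Added example: rank capture sources by how many distinct hosts they contact
# on TCP/445. Assumed input format: CSV export of a SPAN-port capture with the
# columns time,src_ip,dst_ip,dst_port. The rows below are constructed sample data.
from collections import defaultdict

SAMPLE_RECORDS = """\
time,src_ip,dst_ip,dst_port
09:05:41,10.1.2.15,10.1.2.20,445
09:05:41,10.1.2.15,10.1.2.21,445
09:05:42,10.1.2.15,10.1.2.22,445
09:05:42,10.1.2.15,10.1.2.23,445
09:05:43,10.1.2.30,10.1.2.5,445
09:05:43,10.1.2.15,10.1.2.24,445
09:05:44,10.1.2.40,10.1.2.5,139
09:05:44,10.1.2.15,10.1.2.25,445
"""


def parse_records(text):
    """Return (time, src, dst, port) tuples; the header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # header row or garbage
        t, src, dst, port = parts
        rows.append((t, src, dst, int(port)))
    return rows


def rank_scanners(records, port=445, min_targets=5):
    """Return [(src_ip, distinct_targets, first_seen), ...], busiest source first.

    A worm-infected host fans out to many distinct peers on one port within
    seconds; ordinary clients talk to a handful of servers repeatedly.
    """
    targets = defaultdict(set)
    first_seen = {}
    for t, src, dst, p in records:
        if p != port:
            continue
        targets[src].add(dst)
        first_seen.setdefault(src, t)  # records are in capture order
    ranked = [(src, len(dsts), first_seen[src])
              for src, dsts in targets.items() if len(dsts) >= min_targets]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for src, n, t in rank_scanners(parse_records(SAMPLE_RECORDS)):
        print(f"{src} contacted {n} distinct hosts on 445, first seen at {t}")
```

The first_seen time of the top source can be lined up against the antivirus event timestamps on the victims to confirm the match before pulling the machine off the network.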
 
Ned Ramsay (Network Operations Manager) commented:
Any machine not already patched could be sending, and if it isn't patched and cleaned it can be re-infected as soon as it boots. The only safe way to truly do this is:
Update your AV. Disconnect the network from it. Clean the PC, patch it (best with a CD, as it will infect any USB device or mapped drive). Reboot.
Only after it is rebooted will the patch actually be applied, so there is no point cleaning it with the patch etc. while it is still on the network.
Once the steps above are complete, re-connect the network.
 
bcoyxp commented:
hi there,

the same happened to our enterprise domain.

A stopped BITS service is the Conficker worm's common characteristic. If you find any PC with a stopped BITS service, it is surely infected.

1. The very first thing you could do is isolate the network segment/PC wherein the infection is positive.
2. Run McAfee's latest Stinger version.

http://vil.nai.com/vil/stinger/

3. The document attached herewith helps you stop the worm from spreading (see the attached PDF file). Run through this document; it will help you understand how the Conficker worm attacks and how it will be stopped.

Regards,


Problem-Description-Conficker.pdf
 
Mohamed Osama (Senior IT Consultant) commented:
As advised above, sniffing the traffic can help a lot in pinpointing the offending machine.
Once you identify the culprit machine, check this tool:
KidoKill
Also, you may want to scan using MBSA for any unpatched machines.


