Solved

Conficker Virus

Posted on 2009-02-13
Medium Priority
1,270 Views
Last Modified: 2012-05-06
Hi all,

I am having trouble with the Conficker worm in a customer network.

PCs are patched with the relevant MS hotfixes and the antivirus (NOD32) is up to date.
I can clean the PCs, but the worm keeps infecting USB pens even when the computer and the pens were clean before.

Any ideas where this is coming from?

Regards
cosmon
29 Comments

Expert Comment by jahboite (LVL 12), ID: 23640332
It may be that it's sitting on network shares waiting for clients to connect before infecting them.
I suggest you take a look at the following page which has loads of info pooled from the various institutions that have joined a cooperative effort to fight conficker:

http://isc.sans.org/diary.html?storyid=5860

This page has links to analyses of the worm and its propagation techniques, removal instructions and tools.
In your specific case, following the instructions in http://support.microsoft.com/kb/962007 may help prevent further infections while you track down the source.

Good luck
0
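The original question is about USB pens being re-infected. Conficker reached removable media by dropping a hidden copy of itself plus an autorun.inf that Explorer honoured when the pen was inserted, which is why the KB962007 steps above include disabling Autorun. The Python script below is an added example, not part of this thread or of any tool linked in it: it parses an autorun.inf the way a responder triaging a pen would, tolerating the binary padding Conficker scattered through the file, and reports the abuse patterns. The two sample files are constructed for the example (the SID-like folder name and payload name are invented), and the heuristics (launching from a hidden system folder, rundll32 loading a module that is not a .dll, an entry masquerading as Explorer's own "Open folder to view files") are my own choice, not a published signature.

```python
"""Triage an autorun.inf from a USB pen suspected of carrying Conficker."""
import ntpath
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_.]*)\s*=\s*(.*?)\s*$")
# Folders a legitimate installer never launches from; malware hides there.
HIDDEN_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")

# Constructed sample (not a real capture) in the shape Conficker used: binary
# padding between the lines that matter, and a payload under RECYCLER with a
# made-up SID and file name, loaded through rundll32 under a non-DLL extension.
CONFICKER_STYLE = (
    b"\x9c\x8a\x00\x01\x7f\xee\xd2\r\n"
    b"[AutoRun]\r\n"
    b"\xff\xfe\x00\x00\xc3\xa9\x80\x81\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    b"\x01\x02\x03\x04\x05\r\n"
    b"shellexecute=rundll32.exe .\\RECYCLER\\S-1-5-21-1111111111-2222222222-3333333333-1000\\payload.vmx,EntryPoint\r\n"
    b"UseAutoPlay=1\r\n"
)

# Constructed benign sample: a vendor installer stick.
BENIGN = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\nlabel=Vendor Installer\r\n"


def parse_autorun(data: bytes) -> dict:
    """Return the key/value pairs under [autorun] as Windows would read them.

    Lines that are not key=value (binary junk) are ignored, which is exactly
    why the padding does not stop Windows from honouring the file either.
    """
    keys = {}
    section = None
    # Split on \n and strip \r by hand; str.splitlines() would also split on
    # stray control bytes such as \x85 that may appear inside the padding.
    for raw in data.decode("latin-1").split("\n"):
        line = raw.rstrip("\r")
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section is None or not section.startswith("autorun"):
            continue
        m = KEY_RE.match(line)
        if m:
            keys.setdefault(m.group(1).lower(), m.group(2))
    return keys


def inspect_autorun(data: bytes) -> list:
    """Return human-readable warnings for the abuse patterns found in the file."""
    keys = parse_autorun(data)
    warnings = []
    for key in ("open", "shellexecute"):
        cmd = keys.get(key)
        if cmd is None:
            continue
        low = cmd.lower()
        if any(d in low for d in HIDDEN_DIRS):
            warnings.append(f"{key}= launches from a hidden system folder: {cmd}")
        if "rundll32" in low:
            # rundll32 <module>,<entry>: flag a module whose extension is not .dll
            tokens = low.split()
            idx = next(i for i, t in enumerate(tokens) if "rundll32" in t)
            module = tokens[idx + 1].split(",")[0] if idx + 1 < len(tokens) else ""
            if module and ntpath.splitext(module)[1] != ".dll":
                warnings.append(f"{key}= uses rundll32 to load a disguised module: {module}")
    action = keys.get("action", "").lower()
    icon = keys.get("icon", "").lower()
    if action.startswith("open folder") or icon.endswith("shell32.dll,4"):
        warnings.append("AutoPlay entry masquerades as Explorer's own 'Open folder to view files'")
    return warnings


if __name__ == "__main__":
    for name, blob in (("conficker-style", CONFICKER_STYLE), ("benign", BENIGN)):
        print(name, inspect_autorun(blob) or ["no findings"])
```

Run it against the autorun.inf copied off a pen (open the file in binary mode; the padding is not valid text). A clean pen either has no autorun.inf at all or one that only sets a label and an icon; anything that runs a program from the pen deserves a look, and a rundll32 entry pointing into RECYCLER is the pattern to expect from this worm.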
 
Expert Comment by rpggamergirl (LVL 47), ID: 23640494
So you've installed the MS patch mentioned in the link, right?
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx 

Did you also run either one of these tools?
F-Secure Removal tool:
http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml

Symantec's W32.Downadup Removal Tool:
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

MS Malicious Software Removal Tool:
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en



Conficker is quite a problem; Microsoft offers a $250,000 reward for the Downadup culprits.
http://www.itp.net/news/546662-microsoft-offers-250000-reward-for-downadup-culprits

Expert Comment by xmachine (LVL 15), ID: 23657014
Hi,

It's obvious that the virus is still alive and removed completely. I've created a batch file to implement the disinfection/cleaning procedure for multiple OS versions in a network.

Download it from here (click on the link directly, then click on the white icon on the left):

http://cid-f790ac08c17bf7fa.skydrive.live.com/self.aspx/.Public/Clean-Downadup-v1.bat



A Symantec Certified Specialist @ your service

 
Expert Comment by bsharath (LVL 11), ID: 23657056
Hi,
Sorry to be getting in here...

I ran the script and I get just this. Is there something I need to change?


C:\>Clean-Downadup-v1.bat
 ***********************************************************************************************
                ExtremeSecurity.blogspot.com - Do It Securely or Not At All
                                Multi OS W32.Downadup Cleaner
 ***********************************************************************************************
 
Expert Comment by xmachine (LVL 15), ID: 23657073
To start working, first you need to download the required patches + fix tool:

Windows 2000: http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE 

Windows 2003: http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe 

Windows XP: http://download.microsoft.com/download/4/f/a/4fabe08e-5358-418b-81dd-d5038730b324/WindowsXP-KB958644-x86-ENU.exe 

Windows Vista SP0 + SP1: http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu 

Symantec FixDownadupTool: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDownadup.exe

Create a shared folder on some server to contain the downloaded files (Apply Read-only permission for all users).

And you can use Psexec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to import a text file that contains the infected machines and run it using a privileged account like a Windows domain admin.

In the batch file, you should replace the server name and shared folder name.


A Symantec Certified Specialist @ your service

Expert Comment by bsharath (LVL 11), ID: 23657148
Will all machines be restarted?
What is the txt file name where i need to put the machine names?
 
Expert Comment by xmachine (LVL 15), ID: 23657299
Yes, this is required by the patch (MS08-067). You can reboot them later; search for these lines and remove them:

echo Rebooting System in one minute ...  
shutdown -r -f -t 1024 -c "Rebooting system, you have 1 minute to save your work"


Expert Comment by bsharath (LVL 11), ID: 23657366
Where should i mention the machine names?
 
Expert Comment by xmachine (LVL 15), ID: 23657472
You need to scan your network for the machine names/IPs and save them in a text file, then Psexec to import the text file and execute the remediation script on them, one by one.

So, for example (run this as domain admin):

c:\psexec @infected.txt -d -c Clean-Downadup-v1.bat

infected.txt should contain one name/IP per line, like:

...
192.168.1.2
192.168.1.3
192.168.1.4
...

Use netscan to ping a range of IPs and save the results as a text file (http://www.softperfect.com/products/networkscanner/).

Expert Comment by bsharath (LVL 11), ID: 23657868
Thank you.
I get this:

Clean-Downadup-v1.bat started on Dev-pc343 with process ID 2988.


Which processes might be running on the machines? As I have seen for some time, no log files are created...

Expert Comment by xmachine (LVL 15), ID: 23658016
Yes, this is correct. You can monitor a machine's Task Manager and search for (FixDownadup) ... this should mean the script is working perfectly. The log file should be saved in a shared folder (with read and write permissions for Everyone) of your choice.

Remember that you need to reboot these machines after deploying the patch.

Expert Comment by bsharath (LVL 11), ID: 23658143
It runs but just does not show the process in the Task Manager, nor do the logs get created. I guess it's failing somewhere.
 
Expert Comment by xmachine (LVL 15), ID: 23658612
Make sure the clients can access the shared folder and execute the tool/patch. Try it manually from one machine.

Expert Comment by xmachine (LVL 15), ID: 23658634
Look for this file in the C: drive

c:\computername%_%username%_logFixDownadup.txt

this is the Symantec fix tool log

Expert Comment by bsharath (LVL 11), ID: 23661375
Xmachine..

I get this:


D:\>Clean-Downadup-v1.bat
 ***********************************************************************************************
                ExtremeSecurity.blogspot.com - Do It Securely or Not At All
                                Multi OS W32.Downadup Cleaner
 ***********************************************************************************************
Enabling BITs ...
[SC] ChangeServiceConfig SUCCESS
Starting BITs ...
The requested service has already been started.

More help is available by typing NET HELPMSG 2182.

Enabling Automatic Updates ...
[SC] ChangeServiceConfig SUCCESS
Starting Automatic Updates ...
The service name is invalid.

More help is available by typing NET HELPMSG 2185.

Checking MS WSUS for any missing updates ...
Enabling Windows Security Center Service (wscsvc) ...
[SC] ChangeServiceConfig SUCCESS
Starting Windows Security Center ...
The requested service has already been started.

More help is available by typing NET HELPMSG 2182.

Enabling Windows Defender Service (WinDefend) ...
[SC] ChangeServiceConfig SUCCESS
Starting Windows Defender ...
The requested service has already been started.

More help is available by typing NET HELPMSG 2182.

Enabling Windows Error Reporting Service (WerSvc) ...
[SC] ChangeServiceConfig SUCCESS
Starting Windows Error Reporting ...
The requested service has already been started.

More help is available by typing NET HELPMSG 2182.

Fixing Downadup infection ...
The network path was not found.
The system cannot find the file specified.
Patching MS08-067 ...
The network path was not found.


I am able to access the network share manually and install the updates, but not through the script.

Expert Comment by xmachine (LVL 15), ID: 23661864
Did you change the server name and shared folder name? Because I've already tested the script and it should work.

Please paste the modified script here.

Expert Comment by bsharath (LVL 11), ID: 23662180
Here is the script:

' Reads computer names from computers.txt, checks each one over WMI for the
' products listed in arrSoftware and writes one CSV (<computer>_Products.csv) per machine.
strComputers = "computers.txt"
arrSoftware = Array( _
	"Sophos Anti-Virus", _
	"Sophos AutoUpdate", _
	"Sophos Remote Management System" _
	)
 
Set objFSO = CreateObject("Scripting.FileSystemObject")
Const intForReading = 1
Set objFile = objFSO.OpenTextFile(strComputers, intForReading, False)
While Not objFile.AtEndOfStream
	strComputer = Trim(objFile.ReadLine)
	' CSV header row followed by the data row for this computer
	strResults = """Computer"""
	For Each strProduct In arrSoftware
		strResults = strResults & ",""" & strProduct & """"
	Next
	strResults = strResults & VbCrLf & """" & strComputer & """"
	If Ping(strComputer) = True Then
		On Error Resume Next
		Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
		' Win32_Product is slow and triggers an MSI consistency check on the target; fine for a one-off inventory
		Set colItems = objWMIService.ExecQuery("Select Name, Version from Win32_Product")
		If Err.Number = 0 Then
			For Each strProduct In arrSoftware
				boolFound = False
				For Each objItem In colItems
					' Compare against the current product name, not the whole array
					If InStr(LCase(objItem.Name), LCase(strProduct)) > 0 Then
						boolFound = True
						Exit For
					End If
				Next
				If boolFound = True Then
					strResults = strResults & ",""Yes"""
				Else
					strResults = strResults & ",""No"""
				End If
			Next
		Else
			strResults = strResults & ",""WMI Connection Error"""
			Err.Clear
		End If
		On Error GoTo 0
	Else
		strResults = strResults & ",""Unable to ping"""
	End If
	Set objOutput = objFSO.CreateTextFile(strComputer & "_Products.csv", True)
	objOutput.Write strResults
	objOutput.Close
	Set objOutput = Nothing
Wend
objFile.Close
 
MsgBox "Done. Please see the output files for each computer."
 
' One echo request with a 300 ms timeout; exit code 0 means the host answered
Function Ping(strComputer)
	Dim objShell, boolCode
	Set objShell = CreateObject("WScript.Shell")
	boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)
	If boolCode = 0 Then
		Ping = True
	Else
		Ping = False
	End If
End Function

 
Expert Comment by bsharath (LVL 11), ID: 23662201
Sorry, wrong code. Here is the batch file:

@echo off
color 0A
ECHO. ***********************************************************************************************
ECHO.                ExtremeSecurity.blogspot.com - Do It Securely or Not At All
ECHO.                                Multi OS W32.Downadup Cleaner
ECHO. ***********************************************************************************************

REM The share path contains a space, so it is quoted everywhere below. Unquoted,
REM cmd.exe splits "\\dev-chen-pky\Scanner Conficker\FixDownadup.exe" at the space
REM and fails with "The network path was not found".
set "SHARE=\\dev-chen-pky\Scanner Conficker"
REM %computername% needs both percent signs or the log name never expands.
set "LOGFILE=c:\%computername%_%username%_logFixDownadup.txt"

REM "ver" on Server 2003 prints "Microsoft Windows [Version 5.2.xxxx]" without the
REM word 2003, so the 2003 check matches the version number instead.
ver | find "Version 5.2." > nul
if %ERRORLEVEL% == 0 goto ver_2003

ver | find "XP" > nul
if %ERRORLEVEL% == 0 goto ver_xp

ver | find "2000" > nul
if %ERRORLEVEL% == 0 goto ver_2000

ver | find "Version 6.0.6000" > nul
if %ERRORLEVEL% == 0 goto ver_vista

ver | find "Version 6.0.6001" > nul
if %ERRORLEVEL% == 0 goto ver_vista

echo Unsupported Windows version, nothing done.
goto exit

:ver_2003
call :common_services
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
call :fix_and_patch WindowsServer2003-KB958644-x86-ENU.exe
goto exit

:ver_xp
call :common_services
call :security_center
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
call :fix_and_patch WindowsXP-KB958644-x86-ENU.exe
goto exit

:ver_2000
call :common_services
call :fix_and_patch Windows2000-KB958644-x86-ENU.EXE
goto exit

:ver_vista
REM Vista SP0 and SP1 take the same steps; the .msu is installed through wusa.exe.
REM No "pause" here: the script runs unattended through psexec -d.
call :common_services
call :security_center
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
call :fix_and_patch Windows6.0-KB958644-x86.msu
goto exit

:common_services
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config wuauserv start= auto
echo Starting Automatic Updates ...
REM Use the service name, not a display name: "Windows Automatic Update Service"
REM is what produced "The service name is invalid" in the output above.
net start wuauserv
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
goto :eof

:security_center
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
goto :eof

:fix_and_patch
REM %1 is the MS08-067 package for this OS, read from the share.
echo Fixing Downadup infection ...
"%SHARE%\FixDownadup.exe" /SILENT /LOG=%LOGFILE%
copy "%LOGFILE%" "%SHARE%\Logs\%computername%_%username%_logFixDownadup.txt"
echo Patching MS08-067 ...
if /I "%~x1"==".msu" (
    wusa.exe "%SHARE%\%~1" /quiet /norestart
) else (
    "%SHARE%\%~1" /quiet /norestart
)
goto :eof

:exit

Expert Comment by xmachine (LVL 15), ID: 23662283
It could be because of the white space in the shared folder name. Remove it, then try again.

From one of the machines, launch both the tool + patch manually (I removed /SILENT & /quiet):


\\dev-chen-pky\Scanner Conficker\FixDownadup.exe /LOG=c:\computername%_%username%_logFixDownadup.txt

\\dev-chen-pky\Scanner Conficker\Windows6.0-KB958644-x86.msu /norestart


I think it's (Scanner Conficker), rename the folder to something else like (conficker)

Expert Comment by bsharath (LVL 11), ID: 23662371
I did try renaming the folder name but no luck...

I tried these 2 lines and they did work:

\\dev-chen-pky\Scanner Conficker\FixDownadup.exe /LOG=c:\computername%_%username%_logFixDownadup.txt

\\dev-chen-pky\Scanner Conficker\Windows6.0-KB958644-x86.msu /norestart

Any ideas...

Expert Comment by xmachine (LVL 15), ID: 23662766
Try running the batch file from one of the machines manually and see if it's the same or not.


Expert Comment by jahboite (LVL 12), ID: 23662794
How about you, cosmon, are you still having problems on your customers network?

Author Comment by cosmon, ID: 23732238
Thank you all, guys!

I still have some problems, but I know how to clean them now.

It was great to see all these great scripts here. But my initial question was to know how the virus gets into a PC that has AV and the patches installed...

I still have no answer for that.

Regards
cosmon

Accepted Solution by xmachine (LVL 15, earned 1000 total points), ID: 23733015
It will still be able to get into any PC through the Admin$ shared folder (\\[Host Name]\ADMIN$\System32\), but the installed antivirus should prevent writing any malicious file. An IPS would prevent the virus at the first attempt to access the folder. Make sure to use complex passwords, and you can disable Admin$ temporarily to prevent propagation, then enable it again (after cleaning the whole network).

Check the following articles:

http://www.microsoft.com/protect/yourself/password/create.mspx

http://www.petri.co.il/disable_administrative_shares.htm
http://support.microsoft.com/kb/314984

0
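The accepted answer names the propagation path that bypasses a patched, AV-protected PC: the worm reaches ADMIN$ on other hosts by guessing weak account passwords, which is why complex passwords and temporarily disabling the administrative shares are recommended. A password-guessing worm leaves a characteristic trace on its victims: a burst of failed network logons (event 529 on XP/2003, 4625 on Vista and later, logon type 3) from one source workstation across several accounts, sometimes followed by a successful logon. The Python script below is an added example, not code from this thread or from any of the vendors linked in it; it runs that detection over a constructed log export in a simplified one-event-per-line format. The format, host names and addresses are invented for the example, and the thresholds (five failures against three or more accounts inside sixty seconds) are my choice.

```python
"""Spot Conficker-style ADMIN$ password guessing in a Windows Security log export."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample in a simplified export format (one event per line).
# 529 = failed logon, 528 = successful logon (XP/2003 IDs); type=3 is a network
# logon, which is what an SMB connection to ADMIN$ produces on the target.
SAMPLE_LOG = """\
2009-02-13 09:14:02 529 type=3 user=administrator workstation=LAB-PC17 src=192.168.1.23
2009-02-13 09:14:03 529 type=3 user=administrator workstation=LAB-PC17 src=192.168.1.23
2009-02-13 09:14:05 529 type=3 user=jsmith workstation=LAB-PC17 src=192.168.1.23
2009-02-13 09:14:07 529 type=3 user=backup workstation=LAB-PC17 src=192.168.1.23
2009-02-13 09:14:12 529 type=3 user=svc-print workstation=LAB-PC17 src=192.168.1.23
2009-02-13 09:14:20 529 type=3 user=jsmith workstation=LAB-PC17 src=192.168.1.23
2009-02-13 09:14:25 528 type=3 user=administrator workstation=LAB-PC17 src=192.168.1.23
2009-02-13 09:30:01 529 type=3 user=alice workstation=ALICE-LT src=192.168.1.40
2009-02-13 09:30:09 528 type=3 user=alice workstation=ALICE-LT src=192.168.1.40
2009-02-13 10:02:00 529 type=3 user=bob workstation=BOB-PC src=192.168.1.9
2009-02-13 10:02:10 529 type=3 user=bob workstation=BOB-PC src=192.168.1.9
2009-02-13 10:02:20 529 type=3 user=bob workstation=BOB-PC src=192.168.1.9
2009-02-13 10:02:30 529 type=3 user=bob workstation=BOB-PC src=192.168.1.9
2009-02-13 10:02:40 529 type=3 user=bob workstation=BOB-PC src=192.168.1.9
2009-02-13 11:00:00 529 type=2 user=carol workstation=CAROL-PC src=127.0.0.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<eid>\d+) type=(?P<ltype>\d+) "
    r"user=(?P<user>\S+) workstation=(?P<ws>\S+) src=(?P<src>\S+)$"
)
FAILED_LOGON = {529, 4625}
SUCCESS_LOGON = {528, 540, 4624}


def parse_events(text):
    """Turn the export into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["eid"] = int(e["eid"])
        e["ltype"] = int(e["ltype"])
        events.append(e)
    return events


def find_guessers(events, window=timedelta(seconds=60), min_failures=5, min_accounts=3):
    """Return {source: details} for sources that fail >= min_failures network
    logons against >= min_accounts distinct accounts inside one window.

    A user mistyping a password fails repeatedly on ONE account and is not
    reported; a worm cycling a password list walks MANY accounts.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["ltype"] == 3:            # only network logons matter for ADMIN$
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["eid"] in FAILED_LOGON]
        start = 0
        for end in range(len(fails)):   # sliding time window over the failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            chunk = fails[start:end + 1]
            if len(chunk) >= min_failures and len({e["user"] for e in chunk}) >= min_accounts:
                last_fail = chunk[-1]["ts"]
                # a success after the burst means one password from the list worked
                got_in = any(e["eid"] in SUCCESS_LOGON and e["ts"] >= last_fail for e in evs)
                alerts[src] = {
                    "workstation": fails[0]["ws"],
                    "failures": len(fails),
                    "accounts": sorted({e["user"] for e in fails}),
                    "logged_in_after": got_in,
                }
                break
    return alerts


def report(text=SAMPLE_LOG):
    return find_guessers(parse_events(text))


if __name__ == "__main__":
    for src, d in report().items():
        verdict = "SUCCEEDED, treat as infected" if d["logged_in_after"] else "blocked so far"
        print(f"{src} ({d['workstation']}): {d['failures']} failures over "
              f"{len(d['accounts'])} accounts, {verdict}")
```

The source address of a flagged burst is the machine to pull off the network and clean next; that is the answer to "where is it coming from" when every host already has the patch and an up-to-date scanner. The account diversity check is what keeps a locked-out user or a stale service password out of the alert list, and the follow-up success check separates hosts that merely scanned you from hosts whose guess worked.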
