  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1354

w32.downadup.b Again

We have pretty much cleaned this off of all of our servers and got WSUS set up to send out MS updates to all of the machines, but we still have the virus pop up from time to time. We also have Cisco Security Agent 4.5 on all of our machines and it has pretty much been useless when it comes to this virus. I am not sure how it is able to write to the registry and windows\system32 with CSA on all of the machines. Anyway...

When I do a virus scan (Norton Endpoint 11) on one of the servers it scans S:\autorun.inf during the scan. I know this is how the virus is spreading itself, but when I go to our file server and do a scan, it finds nothing. I made sure there are no hidden files and the autorun.inf is nowhere to be found. How could this be?

People connecting to our VPN with no mapped drives get the virus notification pretty much as soon as they sign on. I really need to get this cleaned off completely. Any advice on the best practice for doing this would be greatly appreciated.

Scott...
Asked: smuth

1 Solution
David-Howard commented:
Endpoint should remove this virus. (I'm assuming that it is up to date)
I would suggest that you start by doing the following.
Disable System Restore. Directions can be found here:
http://support.microsoft.com/kb/310405
Boot into Safe Mode and run your scans.
When you have finished running your scans and the threats have been removed, re-enable System Restore.
Symantec has automatic and manual removal directions here.
http://www.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=3
David
smuth (Author) commented:
I have done all of that and it is removed from all of the servers. All of our clients have an older version of Symantec, but everything is kept up to date, so it is catching the virus when passed to the client PC. Short of going to every client PC (160+ users), I am not sure what else I can do. Most of my users are on the road.
David-Howard commented:
There lies the problem. All it takes is one system. I've been down this road with the Melissa virus years ago. I visited each and every pc. (500+), removed them from the network one at a time, ran the scans, cleaned them and put them back on the network. An entire weekend. But the threat went away. Long and short of it was that we just kept reinfecting ourselves due to a few systems.
xmachine commented:
Hi,

It's very easy to make mistakes here and forget some machines without patching / protection. So, check the following points:

1) Use Nessus (http://www.nessus.org/download/), and scan all machines using this plugin ID (34476) to check if they have the MS08-067 patch installed or not. (BTW, you can use a different tool to check for the installed patch, but this is just an example)

2) W32.Downadup can spread through USB, so your next step is to abandon the usage of any removable media at the moment, till you make sure the network is totally clean. (You can use Device Control Policies in SEP)

Check the following SEP KB articles about device control:

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/1efaa7a014a86f15ca2574b6001da12f?OpenDocument

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/82ae89a86cbc44c280257412003bbe78?OpenDocument

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/b54beb2f46268ccc882574e80052960f?OpenDocument

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/ce3a83c1ce5ca4cf492573fd005d28dc?OpenDocument

3) You MUST enable "Risk Tracer" in Endpoint Protection 11, to trace back the source of infection in your network and remediate them (Disconnect the infected system, install endpoint, install ms08-067, full scan & clean, re-connect to the network)

How to enable "Risk Tracer":

1) Open SEPM (Symantec Endpoint Protection 11) Console

2) Go to Policies > Antivirus and Antispyware > Antivirus and Antispyware policy > File System Auto-Protect: Advanced: Risk Tracer

4) Based on Cisco, CSA is supposed to prevent W32.Downadup propagation. Check it here (http://tools.cisco.com/security/center/viewAlert.x?alertId=17121)

5) Review the current password policy; you can configure a Windows GPO that will require a complex password, with a minimum number of characters.


A Symantec Certified Specialist @ your service
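Point 1 above produces a scan result, and the usual gap is in triaging it: which hosts still lack MS08-067, and which inventory hosts the scan never reached at all (the forgotten machines the reply warns about). This added example (not from the thread or from Tenable) parses a constructed, simplified Nessus CSV export and a constructed asset inventory to produce both lists; it assumes that plugin 34476 only emits a row for a host that is still unpatched.

```python
import csv
import io

# Constructed Nessus CSV export, trimmed to the columns this script reads (a real
# export has more). Plugin 34476 is the MS08-067 check named in the thread; we
# assume Nessus only emits a row for it when the host still lacks the patch.
SAMPLE_NESSUS_CSV = """\
Plugin ID,Risk,Host,Name
19506,None,10.0.0.15,Nessus Scan Information
34476,High,10.0.0.15,MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644)
19506,None,10.0.0.16,Nessus Scan Information
19506,None,10.0.0.42,Nessus Scan Information
34476,High,10.0.0.42,MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644)
19506,None,10.0.0.43,Nessus Scan Information
"""

# Constructed asset inventory (what WSUS/AD says should exist): hostname -> IP.
INVENTORY = {
    "fs01": "10.0.0.15",
    "sql01": "10.0.0.16",
    "lt-sales-07": "10.0.0.42",
    "lt-sales-08": "10.0.0.43",
    "lt-road-12": "10.0.0.99",  # a road-warrior laptop the scan never saw
}

MS08_067_PLUGIN = "34476"


def parse_nessus_csv(text):
    """Return the export as a list of row dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def hosts_missing_ms08_067(rows, plugin_id=MS08_067_PLUGIN):
    """Hosts for which the MS08-067 check fired, i.e. the patch is still absent."""
    return sorted({r["Host"] for r in rows if r["Plugin ID"] == plugin_id})


def hosts_not_scanned(rows, inventory):
    """Inventory hosts with no rows at all: machines the scan never reached."""
    seen = {r["Host"] for r in rows}
    return sorted(name for name, ip in inventory.items() if ip not in seen)


def remediation_report(text=SAMPLE_NESSUS_CSV, inventory=INVENTORY):
    """Combine both views into one worklist for the remediation round."""
    rows = parse_nessus_csv(text)
    ip_to_name = {ip: name for name, ip in inventory.items()}
    return {
        "unpatched": [(ip_to_name.get(ip, "?"), ip) for ip in hosts_missing_ms08_067(rows)],
        "unscanned": hosts_not_scanned(rows, inventory),
    }


if __name__ == "__main__":
    for section, hosts in remediation_report().items():
        print(section, hosts)
```

Hosts in the "unscanned" list are the ones to chase down first, since an unpatched machine that is never on the LAN during a scan is exactly how a network keeps reinfecting itself.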
smuth (Author) commented:
This is great info. Well, good and bad I suppose. We have a lot of work ahead of us.

We had already sent out the patch and locked down autorun and the usb drives. I think the problem is, the users just ignore most of our emails until they are having a problem.

Thanks again. I will assign both of you guys points
Mohammed Hamada (Senior IT Consultant) commented:
Use a different antivirus than Norton Endpoint; I had a problem with one server at work and after I installed KAV 6.0 I found on the server about 15k thousand infected files that Norton Endpoint didn't know about...

waynewilliams commented:
I successfully removed this by installing the Autorun Virus Remover. It took just a few seconds to remove the virus, and then it sits in your system tray automatically scanning any removable devices that are plugged in.

Available from www.autorunremover.com
smuth (Author) commented:
We already purchased 170 licenses for Norton EP, so we are stuck with it. So far, it has done a good job for us as our old symantec did not take care of the problem.

Do any of you know if Symantec has a utility to create an MSI to roll this out to everyone? I know we would need to remove the old version first. This would save me a lot of time.
David-Howard commented:
There's some information on Symantec MSI packaging here, specifically command line references: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007101610183248

Mohammed Hamada (Senior IT Consultant) commented:
smuth (Author) commented:
I would like to remove the old version of Symantec AV we have from 2002 before we rollout the SEP 11. Not remove SEP 11. I will take a look at all of those old threads to see if there is something in there. Thank you!