• Status: Solved

Conficker worm in the network

Is there a way I can discover which hosts in my network are infected by this worm? I heard about a tool that uses WMI, but if WMI is not working then this script is not useful. We have applied a policy that prevents updates to the svchost file and the scheduled tasks folder, but strangely we found some users who have an AT scheduled task in their folder even after it was deleted and the group policy was applied!
Asked by xehomx
1 Solution
 
wantabe2 commented:
Yes, go to www.wireshark.com

Download Wireshark & run it, & look for ARP requests sent/received. The computers that have numerous ARPs will be the ones that have the virus.
 
xmachine commented:
Hi,


1) You can scan your network for all hosts that don't have the MS08-067 patch installed using Nessus (http://www.nessus.org/download/); use plugin #34477.

2) I've created a batch file that does the following:

1) Re-enable and start the following services:

Background Intelligent Transfer Service
Windows Automatic Update Service
Windows Security Center Service
Windows Defender Service
Windows Error Reporting Service

2) Check MS WSUS for any missed updates (due to the Windows Update service being disabled/stopped during the infection period)

3) Run the Symantec FixDownadup tool
download from here (http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99)

4) Install MS08-067 patch

download from here (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx)

5) Reboot system

This batch covers the following OS versions:

1) Windows 2000
2) Windows XP
3) Windows 2003
4) Windows Vista SP0/SP1

Note: Some OS versions and 64-bit editions are not supported by this batch; they may be soon.


- Download all patches + the Symantec fix tool and save them to a shared folder

- To use the script, change the "Server name" + "shared folder name"

- Use Psexec (http://download.sysinternals.com/Files/PsTools.zip) to execute the patch file, like this:

You need to scan your network for the machine names/IPs and save them in a text file, then use Psexec to read the text file and execute the remediation script on them, one by one.

so, for example (run this as domain admin):

c:\psexec @infected.txt -d -c clean.bat

infected.txt should contain one name/IP per line, like:

...
192.168.1.2
192.168.1.3
192.168.1.4
...

Use netscan to ping a range of IPs and save the results as a text file (http://www.softperfect.com/products/networkscanner/)

See attached script


A Symantec Certified Specialist @ your service
@echo off
color 0A
ECHO. ***********************************************************************************************
ECHO.                ExtremeSecurity.blogspot.com - Do It Securely or Not At All 
ECHO.                                Multi OS W32.Downadup Cleaner 
ECHO. ***********************************************************************************************
 
 
rem On Server 2003 "ver" prints "Microsoft Windows [Version 5.2.3790]" (the string "2003" never appears)
ver | find "Version 5.2" > nul
if %ERRORLEVEL% == 0 goto ver_2003
 
ver | find "XP" > nul
if %ERRORLEVEL% == 0 goto ver_xp
 
ver | find "2000" > nul
if %ERRORLEVEL% == 0 goto ver_2000
 
ver | find "Version 6.0.6000" > nul
if %ERRORLEVEL% == 0 goto ver_vista-sp0
 
ver | find "Version 6.0.6001" > nul
if %ERRORLEVEL% == 0 goto ver_vista-sp1
 
 
echo Unsupported OS version, nothing changed.
goto exit
 
:ver_2003
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
rem start by service name; the display name differs between Windows versions
net start wuauserv
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Fixing Downadup infection ...
\\ServerName\ShareName\FixDownadup.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsServer2003-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System in one minute ...  
shutdown -r -f -t 60 -c "Rebooting system, you have 1 minute to save your work"
goto exit
 
:ver_xp
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
rem start by service name; the display name differs between Windows versions
net start wuauserv
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
echo Fixing Downadup infection ...
\\ServerName\ShareName\FixDownadup.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsXP-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System in one minute ...  
shutdown -r -f -t 60 -c "Rebooting system, you have 1 minute to save your work"
goto exit
 
:ver_2000
rem sc.exe is not part of a default Windows 2000 install (Resource Kit tool); make sure it is on the PATH
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
rem start by service name; the display name differs between Windows versions
net start wuauserv
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Fixing Downadup infection ...
\\ServerName\ShareName\FixDownadup.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows2000-KB958644-x86-ENU.EXE /quiet /norestart
echo Rebooting System in one minute ...  
shutdown -r -f -t 60 -c "Rebooting system, you have 1 minute to save your work"
goto exit
 
:ver_vista-sp0
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start "wuauserv"
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Fixing Downadup infection ...
\\ServerName\ShareName\FixDownadup.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System in one minute ...  
shutdown /r /f /t 60 /c "Rebooting system, you have 1 minute to save your work"
goto exit
 
:ver_vista-sp1
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
rem start by service name; the display name differs between Windows versions
net start wuauserv
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Fixing Downadup infection ...
\\ServerName\ShareName\FixDownadup.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System in one minute ...  
shutdown /r /f /t 60 /c "Rebooting system, you have 1 minute to save your work"
goto exit
 
:exit

 
xehomx (Author) commented:
How do I know if the patch was installed correctly or whether any issue happened? The script doesn't log the result of this task.
 
xmachine commented:
When you run the patch using psexec, you should get the following:

clean.bat started on xyz-pc with process ID 2988.
 
xmachine commented:
Hi,

You can use MBSA or Nessus to scan the network:

1) http://technet.microsoft.com/en-us/security/cc184924.aspx

the machine should report MS08-067 as installed

2) http://www.nessus.org/download/

Use plugin #34477 to search for machines that have MS08-067
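Added example (not xmachine's script and not from the thread): a batch fragment that answers the "how do I know it installed" question on the host itself, complementing the MBSA/Nessus scan above. Since psexec is run with -d, it returns as soon as clean.bat starts and the "started on" line is the only feedback; this fragment logs the MS08-067 installer's exit code and then checks the registry for KB958644, writing one result line per host to the share. It assumes the same \\ServerName\ShareName layout and the XP x86 package name used by the script, and that the hotfix registers the Add/Remove Programs uninstall key named below (an assumption to verify on one patched host first).

```batch
@echo off
rem Added example: record the MS08-067 install result per host on the share.
rem Assumes the share layout and package name from the script in this thread.
setlocal
set LOGFILE=\\ServerName\ShareName\Logs\%COMPUTERNAME%_patchstatus.txt

\\ServerName\ShareName\WindowsXP-KB958644-x86-ENU.exe /quiet /norestart
set RC=%ERRORLEVEL%

rem 0 = installed, 3010 = installed and a reboot is pending (ERROR_SUCCESS_REBOOT_REQUIRED)
if "%RC%"=="0" goto ok
if "%RC%"=="3010" goto reboot
echo %DATE% %TIME% %COMPUTERNAME% MS08-067 installer FAILED rc=%RC% >> "%LOGFILE%"
goto end

:ok
echo %DATE% %TIME% %COMPUTERNAME% MS08-067 installer OK >> "%LOGFILE%"
goto verify

:reboot
echo %DATE% %TIME% %COMPUTERNAME% MS08-067 installer OK, reboot pending >> "%LOGFILE%"

:verify
rem Independent check: XP hotfixes register an uninstall entry under this key (assumed key name).
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB958644" >nul 2>&1
if %ERRORLEVEL%==0 (
  echo %DATE% %TIME% %COMPUTERNAME% KB958644 present in registry >> "%LOGFILE%"
) else (
  echo %DATE% %TIME% %COMPUTERNAME% KB958644 NOT found in registry, investigate >> "%LOGFILE%"
)

:end
endlocal
```

A line containing FAILED or NOT found in the collected log files marks a host that still needs attention; run this as a separate job rather than with -d if you also want psexec to return the exit code.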
 
xmachine commented:
Did the script fix your problem ? Are there any pending issues ?
 
xehomx (Author) commented:
Thanks xmachine; it is fixed. However, we found many viruses on some servers that Symantec didn't detect before. When scanning in safe mode we found many infected files...
Thanks
 
xehomx (Author) commented:
This solution works if you have a reliable file server; bear in mind that hundreds of users will join your network at approximately the same time.
