Conficker on patched machine? [Urgent]

Posted on 2009-04-17
Last Modified: 2013-12-09
Hi All

We are running McAfee 8.5i Patch 7 (with ePO 4.0 server) on Windows 2003 servers. All servers have the MS08-067 patch installed.

This morning, I received an alert from McAfee stating that two servers had been attacked by W32/Conficker.worm. I logged onto the machines (with a non-Domain Admin account) and checked the On Access Scanner log. In both cases, McAfee reports that the worm was deleted.

But I had some questions I was hoping someone could help me with:

i) I thought Conficker couldn't get onto MS08-067 patched machines? Or does this patch only prevent it executing on patched machines?

ii) The Virus Alert is configured to send a notification if there is a virus on the machine that is NOT removed. So I'm not sure why I received the notification?

iii) Apart from logging onto the machine, is there any way to find out what happened to the virus from logs on ePO?

Question by: Joe_Budden
    LVL 10

    Expert Comment

    Unfortunately, only the original Conficker worm was stopped dead by the patch. Subsequent variants can use alternate methods such as network shares to get on.
    You may want to check for spurious services in use, multiple scheduled tasks (AT-named) and whether the DHCP Client service is stopped and won't start due to access denied errors.
    We set McAfee to force all workstation shares to read only (not always possible on a server) and scanned all files on read and write.
    LVL 1

    Author Comment


    Thanks for replying...

    I looked at the Wiki page for Conficker...

    ...and it says that the "infection vector" for Conficker D does not involve this. Is this the variant you mean?

    Was the MS08-067 patch supposed to stop it executing or stop it propagating? I'm guessing it was to stop it propagating and only AV on the machine could stop it executing? But now, with the variants, it can propagate using other methods?

    LVL 10

    Accepted Solution

    MS08-067 was meant to stop ONE method of infection (propagation), but now there are several. Variant .B was the killer, which uses brute force password hacks, network shares and autorun.inf on the roots of drives to propagate.
    .D is one that DOESN'T use the MS08-067 vulnerability, as it's now pretty much been patched out.
    However, you need to address all of the above issues to be secure.
    In this case, you can't rely on just patching and AV to protect your network.
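    The two expert comments above list host indicators worth checking by hand: AT-style scheduled tasks, a DHCP Client service that is stopped and refuses to start, spurious services, and autorun.inf at drive roots. The script below is an added example, not something posted in this thread or shipped by McAfee; it is a read-only triage pass that reports those indicators so an administrator can decide whether a "deleted" detection actually left anything behind. It assumes Windows PowerShell 2.0 or later on the Windows 2003 host, local administrator rights, and the standard schtasks.exe CSV layout (the "Task To Run" column name and the At1/At2 naming of AT jobs are assumptions about that layout). The service-path and ServiceDll checks are heuristics and will flag some legitimate third-party software; treat their output as a list to review, not a verdict.

```powershell
# Added example (not from the thread). Read-only triage for the host
# indicators the expert comments describe. Assumes PS 2.0+, local admin,
# and standard schtasks CSV columns; everything reported needs a human review.

$findings = @()

# 1. Scheduled tasks created with AT.EXE are named At1, At2, ... (assumed naming).
#    Several of them on a server that should have none is the pattern described above.
$tasks = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv
foreach ($t in ($tasks | Where-Object { $_.TaskName -match 'At\d+$' })) {
    $findings += "AT-style task: $($t.TaskName) runs '$($t.'Task To Run')'"
}

# 2. DHCP Client service stopped and failing to start with access denied.
#    Win32_Service.StartService returns 0 on success and 2 for access denied.
$dhcp = Get-WmiObject Win32_Service -Filter "Name='Dhcp'"
if ($dhcp -and $dhcp.State -ne 'Running') {
    $findings += "DHCP Client service is $($dhcp.State) (start mode: $($dhcp.StartMode))"
    $rc = $dhcp.StartService().ReturnValue
    if ($rc -ne 0) {
        $findings += "Starting DHCP Client failed, return code $rc (2 = access denied)"
    }
}

# 3. Spurious services: binaries outside the Windows and Program Files trees,
#    and svchost-hosted services whose ServiceDll lives outside System32.
#    Heuristic only; legitimate software can trip it.
$knownRoots = @($env:SystemRoot, $env:ProgramFiles) | Where-Object { $_ }
$system32  = Join-Path $env:SystemRoot 'System32'
foreach ($svc in Get-WmiObject Win32_Service) {
    if (-not $svc.PathName) { continue }
    if ($svc.PathName -match '^"([^"]+)"') { $exe = $matches[1] }
    else { $exe = ($svc.PathName -split '\s+')[0] }

    $inKnownRoot = $false
    foreach ($root in $knownRoots) {
        if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inKnownRoot = $true }
    }
    if (-not $inKnownRoot) {
        $findings += "Service '$($svc.Name)' runs from an unusual path: $exe"
    }

    # svchost.exe hosts DLLs named in the service's Parameters\ServiceDll value.
    if ($exe -match 'svchost\.exe$') {
        $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not $dll.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
                $findings += "svchost service '$($svc.Name)' loads DLL outside System32: $dll"
            }
        }
    }
}

# 4. autorun.inf at the root of fixed (3) and removable (2) drives.
foreach ($d in Get-WmiObject Win32_LogicalDisk -Filter "DriveType=2 OR DriveType=3") {
    $autorun = "$($d.DeviceID)\autorun.inf"
    if (Test-Path -LiteralPath $autorun) {
        $item = Get-Item -LiteralPath $autorun -Force
        $findings += "autorun.inf present at $autorun (attributes: $($item.Attributes))"
    }
}

# Report. An empty list means none of the listed indicators were found on this host,
# which is not the same as a clean bill of health.
if ($findings.Count -eq 0) {
    Write-Output "No Conficker-style host indicators found on $env:COMPUTERNAME"
} else {
    Write-Output "Indicators on $($env:COMPUTERNAME):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

    Run it in an elevated PowerShell session on each server that raised the alert and compare the output between an alerted server and a quiet one; differences in the task list or in svchost-hosted DLLs are the lines to chase first. Step 2 is the only part that changes anything (it attempts a service start), so drop it if you need a strictly passive check.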
