
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1033

Conficker on patched machine? [Urgent]

Hi All

We are running McAfee 8.5i Patch 7 (with EPO 4.0 server) on Windows 2003 servers. All servers have the MS08-067 patch installed.

This morning, I received an alert from McAfee stating that two servers had been attacked by W32/Conficker.worm. I logged onto the machines (with a non-Domain Admin account) and checked the On Access Scanner log. In both cases, McAfee reports that the worm was deleted.

But I had some questions I was hoping someone could help me with:

i) I thought Conficker couldn't get onto MS08-067 patched machines? Or does this patch only prevent them executing on patched machines?

ii) The Virus Alert is configured to send a notification if there is a virus on the machine that is NOT removed. So not sure why I received the notification?

iii) Apart from logging onto the machine, is there any way to find out what happened to the virus from logs on EPO?
1 Solution
Unfortunately, only the original Conficker worm was stopped dead by the patch. Subsequent variants can use alternate methods such as network shares to get on.
You may want to check for spurious services in use, multiple scheduled tasks (AT-named) and whether the DHCP Client service is stopped and won't start due to access denied errors.
We set McAfee to force all workstation shares to read-only (not always possible on a server) and scanned all files on read and write.
Joe_Budden (Author) commented:

Thanks for replying...

I looked at the Wiki page for Conficker

...and it says that the "infection vector" for Conficker D does not involve MS08-067... is this the variant you mean?

Was the MS08-067 patch supposed to stop it executing or stop it propagating? I'm guessing it was to stop it propagating and only AV on the machine could stop it executing? But now, with the variants, it can propagate using other methods?

MS08-067 was meant to stop ONE method of infection (propagation), but now there are several. Variant .B was the killer, which uses brute-force password hacks, network shares and autorun.inf on the roots of drives to propagate.
.D is one that DOESN'T use the MS08-067 vulnerability, as it's now pretty much been patched out.
However, you need to address all of the above issues to be secure.
In this case, you can't rely on just patching and AV to protect your network.
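The two replies above list host-level indicators to look for (AT-created scheduled jobs, a DHCP Client service that is stopped and refuses to start, autorun.inf on drive roots, writable network shares). The script below is an added triage checklist written for this thread, not code posted by either participant, and it only collects those indicators for review; it does not clean anything. It assumes Windows PowerShell 2.0 is installed on the Windows Server 2003 SP2 hosts and that it is run from an elevated local Administrator session (the asker logged on with a non-Domain Admin account, which is fine as long as it is a local admin). The `FINDING:` prefix and the `$findings` list are naming choices of this example.

```powershell
# Added example: Conficker indicator checklist for a single Windows 2003 host.
# Assumes PowerShell 2.0 and local Administrator rights. Read-only: it reports,
# it does not remediate.

$findings = @()

# 1. Scheduled jobs created with AT.EXE. Win32_ScheduledJob lists only AT-style
#    jobs, which is exactly the "multiple scheduled tasks (AT named)" indicator.
$atJobs = Get-WmiObject -Class Win32_ScheduledJob
foreach ($job in @($atJobs)) {
    if ($job -ne $null) {
        $findings += "AT job $($job.JobId) runs '$($job.Command)' (StartTime $($job.StartTime))"
    }
}

# 2. DHCP Client service state. The reply says the worm leaves it stopped and
#    unable to start with access denied. Win32_Service.StartService returns
#    0 on success and 2 for Access Denied.
$dhcp = Get-WmiObject -Class Win32_Service -Filter "Name='Dhcp'"
if ($dhcp -eq $null) {
    $findings += "DHCP Client service (Dhcp) is missing"
} elseif ($dhcp.State -ne 'Running') {
    $rc = $dhcp.StartService().ReturnValue
    if ($rc -eq 2) {
        $findings += "DHCP Client was $($dhcp.State) and StartService returned 2 (Access Denied)"
    } elseif ($rc -ne 0) {
        $findings += "DHCP Client was $($dhcp.State) and StartService returned $rc"
    }
}

# 3. autorun.inf on the root of every removable (DriveType 2) or fixed (DriveType 3)
#    drive. File.Exists sees hidden/system files, which is how the worm drops it.
$drives = Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType=2 OR DriveType=3"
foreach ($d in @($drives)) {
    if ($d -eq $null) { continue }
    $path = $d.DeviceID + '\autorun.inf'
    if ([System.IO.File]::Exists($path)) {
        $findings += "autorun.inf present at $path"
    }
}

# 4. Non-administrative disk shares (Type 0). Admin shares such as C$ and ADMIN$
#    carry a different Type value and are excluded by the filter. Each one listed
#    is a candidate for the read-only enforcement the reply describes.
$shares = Get-WmiObject -Class Win32_Share -Filter "Type=0"
foreach ($s in @($shares)) {
    if ($s -eq $null) { continue }
    $findings += "Disk share '$($s.Name)' exposes $($s.Path); confirm it is read-only for workstations"
}

if ($findings.Count -eq 0) {
    Write-Output "No indicators from this checklist found on $env:COMPUTERNAME"
} else {
    foreach ($f in $findings) { Write-Output "FINDING: $f" }
}
```

Run it on each server that raised an alert and on a known-clean server for comparison; a listed disk share is not by itself a sign of infection, it is the surface the reply says the worm uses, so the useful signal is an AT job or a DHCP Client service that returns Access Denied on start.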
