Solved

How to discover the infected computer on a network

Posted on 2009-07-01
11
880 Views
Last Modified: 2013-11-22
I had virus attack a couple of days ago. That was Conficker.B worm. Fortunately most computers on the LAN had updated anti virus and could detect it. But apparently some other machines couldn't detect the worm and therefore they are infected by the worm.

Every now and then, clients receive a virus detection warning on their computer that says Conficker.B is detected and removed/cured.

The question is how I can find the computer that is infected by this virus and is the source of infection on my LAN. I can not check computers one by one. I want a way/tool that gives me the infected machine.
0
Comment
Question by:behterami
  • 3
  • 3
  • 2
  • +3
11 Comments
 
LVL 38

Expert Comment

by:younghv
ID: 24758982
behterami,
It will help us if you give us all of the details of the Enterprise AV solution you are running - then we can give you particulars.

If you aren't running an Enterprise solution, then that is your answer.
0
 

Author Comment

by:behterami
ID: 24759002
I am using CA eTrust ITM r8.1
0
 
LVL 14

Expert Comment

by:uucknaaa
ID: 24759005
Hi

I thought the conflicker virus was using a vulnerability of the Microsoft OS to proliferate.  If you have been updating your computers on a regular basis, you shouldn't have a problem.  Are your clients getting the updates they need from Windows update or a server at your site?
0
 

Author Comment

by:behterami
ID: 24759014
uucknaa - clients are getting updates from a WSUS server. But one or two are infected now for sure. The question is how I can find the source of infection on the LAN?
0
 

Expert Comment

by:rak_lad
ID: 24759053
Hi
If you want to find computer is infected with Conficker worm virus or not. simple is try to open windows update website or try opening Symantec, McAfee or any anti virus software website. if it open website then its not infected with Conficker.B. We use Symantec EndPoint and i can check all the computer status form server or management console for virus defination push or virus report.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 14

Expert Comment

by:uucknaaa
ID: 24759055
To help narrow it down, do you know from the WSUS server which computers aren't getting updates?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 24759057
I have found a link to a site that has a tool to actively scan for conficker infected machines which meets your requirment of not having to visit every machine.
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
Hope you can get it running - you need Impacket Python Library to get this running and this can be found here:
http://oss.coresecurity.com/projects/impacket.html
Good luck.
0
 
LVL 14

Accepted Solution

by:
uucknaaa earned 500 total points
ID: 24759104
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 24759131
Here's an EE question previously asked about the same question:
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_24084888.html
Nice link uucknaaa ;-)
0
 
LVL 4

Expert Comment

by:tmasters2876
ID: 24760330
One of the signs of the conficker was the absence of a registry key.  We wrote this script to return all systems that had the absence of this key which helped us determine which systems needed attention before the big date that conficker was to destroy the world.
On Error Resume Next
 

Const HKLM = &H80000002

Const ReportFile = "C:\RegQuery Results.txt"

Const KeyPath = "SYSTEM\CurrentControlSet\Control\SafeBoot\"

Const ValueName = "AlternateShell"

Const MissingKeyString = " DOES NOT CONTAIN THE REGISTRY VALUE!"

Const PresentKeyString = " contains the registry value."

 

Const ADS_SCOPE_SUBTREE = 2 

Dim objFSO : Set objFSO = CreateObject("Scripting.FileSystemObject")

Dim objFile : Set objFile = objFSO.CreateTextFile(ReportFile)

Dim objConnection : Set objConnection = CreateObject("ADODB.Connection")

Dim objCommand : Set objCommand = CreateObject("ADODB.Command")

objConnection.Provider = "ADsDSOObject"

objConnection.Open "Active Directory Provider"

Dim objRoot : Set objRoot = GetObject("LDAP://RootDSE")

Dim objDomain : Set objDomain = GetObject("LDAP://" & objRoot.Get("defaultNamingContext"))

 

Set objCommand.ActiveConnection = objConnection

With objCommand

  .CommandText = "SELECT Name From '" & objDomain.ADsPath & "' Where objectClass='computer' And OperatingSystemVersion='5.1 (2600)'"

  .Properties("Page Size") = 1000

  .Properties("Searchscope") = ADS_SCOPE_SUBTREE

End With

Dim objRecordSet : Set objRecordSet = objCommand.Execute

objRecordSet.MoveFirst

 

Do Until objRecordSet.EOF

  CheckReg (objRecordSet.Fields("Name").Value)

  objRecordSet.MoveNext

Loop

 

objFile.Close

 

Set objRecordSet = Nothing 

Set objCommand = Nothing

Set objDomain = Nothing

Set objRoot = Nothing

Set objConnection = Nothing

Set objFile = Nothing

Set objFSO = Nothing

 

Sub CheckReg (strComputer)      

  Dim oReg : Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

  oReg.GetStringValue HKLM, KeyPath, ValueName, strValue

  If IsNull(strValue) Then

    objFile.WriteLine strComputer & MissingKeyString

  Else

	objFile.WriteLine strComputer & PresentKeyString

  End If

  Set oReg = Nothing

  End Sub

Open in new window

0
 

Author Comment

by:behterami
ID: 24760368
Thank you every one. Appreciate it.

I am investigating/applying all these methods you guys sent to me. I'll let you know the results as soon as I can.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

The purpose of this Article is to provide information for a newly released variant of malware – with the assumption that many EE Members will have need of the information. According to “Computerworld”, well over one million web sites have been co…
By the time you finish reading this article, you may have already lost all your money because you don't know the simple steps to securing your BitCoin wallet. BitCoin is an incredible invention. It is a decentralized currency system, which is the…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now