How to discover the infected computer on a network

I had virus attack a couple of days ago. That was Conficker.B worm. Fortunately most computers on the LAN had updated anti virus and could detect it. But apparently some other machines couldn't detect the worm and therefore they are infected by the worm.

Every now and then, clients receive a virus detection warning on their computer that says Conficker.B is detected and removed/cured.

The question is how I can find the computer that is infected by this virus and is the source of infection on my LAN. I can not check computers one by one. I want a way/tool that gives me the infected machine.
behteramiAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

younghvCommented:
behterami,
It will help us if you give us all of the details of the Enterprise AV solution you are running - then we can give you particulars.

If you aren't running an Enterprise solution, then that is your answer.
0
behteramiAuthor Commented:
I am using CA eTrust ITM r8.1
0
uucknaaaCommented:
Hi

I thought the conflicker virus was using a vulnerability of the Microsoft OS to proliferate.  If you have been updating your computers on a regular basis, you shouldn't have a problem.  Are your clients getting the updates they need from Windows update or a server at your site?
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

behteramiAuthor Commented:
uucknaa - clients are getting updates from a WSUS server. But one or two are infected now for sure. The question is how I can find the source of infection on the LAN?
0
rak_ladCommented:
Hi
If you want to find computer is infected with Conficker worm virus or not. simple is try to open windows update website or try opening Symantec, McAfee or any anti virus software website. if it open website then its not infected with Conficker.B. We use Symantec EndPoint and i can check all the computer status form server or management console for virus defination push or virus report.
0
uucknaaaCommented:
To help narrow it down, do you know from the WSUS server which computers aren't getting updates?
0
Alan HardistyCo-OwnerCommented:
I have found a link to a site that has a tool to actively scan for conficker infected machines which meets your requirment of not having to visit every machine.
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
Hope you can get it running - you need Impacket Python Library to get this running and this can be found here:
http://oss.coresecurity.com/projects/impacket.html
Good luck.
0
uucknaaaCommented:
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Alan HardistyCo-OwnerCommented:
Here's an EE question previously asked about the same question:
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_24084888.html
Nice link uucknaaa ;-)
0
tmasters2876Commented:
One of the signs of the conficker was the absence of a registry key.  We wrote this script to return all systems that had the absence of this key which helped us determine which systems needed attention before the big date that conficker was to destroy the world.
On Error Resume Next
 
Const HKLM = &H80000002
Const ReportFile = "C:\RegQuery Results.txt"
Const KeyPath = "SYSTEM\CurrentControlSet\Control\SafeBoot\"
Const ValueName = "AlternateShell"
Const MissingKeyString = " DOES NOT CONTAIN THE REGISTRY VALUE!"
Const PresentKeyString = " contains the registry value."
 
Const ADS_SCOPE_SUBTREE = 2 
Dim objFSO : Set objFSO = CreateObject("Scripting.FileSystemObject")
Dim objFile : Set objFile = objFSO.CreateTextFile(ReportFile)
Dim objConnection : Set objConnection = CreateObject("ADODB.Connection")
Dim objCommand : Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Dim objRoot : Set objRoot = GetObject("LDAP://RootDSE")
Dim objDomain : Set objDomain = GetObject("LDAP://" & objRoot.Get("defaultNamingContext"))
 
Set objCommand.ActiveConnection = objConnection
With objCommand
  .CommandText = "SELECT Name From '" & objDomain.ADsPath & "' Where objectClass='computer' And OperatingSystemVersion='5.1 (2600)'"
  .Properties("Page Size") = 1000
  .Properties("Searchscope") = ADS_SCOPE_SUBTREE
End With
Dim objRecordSet : Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
 
Do Until objRecordSet.EOF
  CheckReg (objRecordSet.Fields("Name").Value)
  objRecordSet.MoveNext
Loop
 
objFile.Close
 
Set objRecordSet = Nothing 
Set objCommand = Nothing
Set objDomain = Nothing
Set objRoot = Nothing
Set objConnection = Nothing
Set objFile = Nothing
Set objFSO = Nothing
 
Sub CheckReg (strComputer)      
  Dim oReg : Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
  oReg.GetStringValue HKLM, KeyPath, ValueName, strValue
  If IsNull(strValue) Then
    objFile.WriteLine strComputer & MissingKeyString
  Else
	objFile.WriteLine strComputer & PresentKeyString
  End If
  Set oReg = Nothing
  End Sub

Open in new window

0
behteramiAuthor Commented:
Thank you every one. Appreciate it.

I am investigating/applying all these methods you guys sent to me. I'll let you know the results as soon as I can.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.