So someone on my network managed to get Conficker.B the other day and it is spreading to other computers on a relatively small network.
From everything I have read, the way to deal with it manually is to remove the virus, then install an MS patch.
AVG 9 is the network AV and it finds the virus, but doesn't clean it well. I instead use D.exe from Symantec or dcleaner from BitDefender to clean off the virus. I reboot and then install the patch from http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx and reboot again.
In theory, that patch is supposed to prevent reinfection, but even machines fully updated with MS updates and that patch specifically installed are getting reinfected.
If it was just a machine or two, I'd image them, but it's servers as well and I would prefer to just eradicate the virus rather than flatten 3 or 4 servers and rebuild. All the servers affected are Windows 2003 SP2 or Windows 2003 R2 SP2. All machines are XP SP3 except my own.
My machine is Vista sp2 and I am actually running MSE instead of AVG to test it out. It actually does a much better job, but what concerns me is that on the bulletin posted above for the patch, there is none at all for Vista sp2, only Vista sp1. My computer is routinely seeing attempts every few hours to reinstall the virus, although MSE catches the threat and immediately cleans it.
I guess what I'm looking for here is help to find a way to prevent reinfection as well as track down the source itself.
As far as servers, I am identifying them by checking the event log on the DC and finding servers that are hammering the user accounts with dictionary attacks, locking out accounts, which is really annoying.
Anyone have any ideas? Just to add, AVG identifies it as Downadup, MSE as Conficker.B, which I believe is the same thing.
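The "check the DC event log for servers hammering accounts" step above can be automated. What follows is an added example, not code from the original post: it parses a constructed export of a Windows Server 2003 DC Security log (event 529 = logon failure, event 644 = user account locked out) and ranks source hosts by how many failed logons and lockouts they caused. The comma-separated `Key: Value` field layout is a simplified assumption for the example, not a verbatim copy of a real Event Viewer export; hostnames and account names are constructed.

```python
import re
from collections import defaultdict

# Windows Server 2003 Security log event IDs used here
FAILED_LOGON = "529"      # logon failure: unknown user name or bad password
ACCOUNT_LOCKOUT = "644"   # user account locked out

# Constructed sample export (not a real capture). Assumed layout per line:
# timestamp,event id,description,Key: Value,Key: Value,...
SAMPLE_LOG = """\
2009-10-05 08:12:01,529,Logon Failure,User Name: jsmith,Workstation Name: FILESRV01
2009-10-05 08:12:02,529,Logon Failure,User Name: jsmith,Workstation Name: FILESRV01
2009-10-05 08:12:03,529,Logon Failure,User Name: jsmith,Workstation Name: FILESRV01
2009-10-05 08:12:04,529,Logon Failure,User Name: jsmith,Workstation Name: FILESRV01
2009-10-05 08:12:05,529,Logon Failure,User Name: jsmith,Workstation Name: FILESRV01
2009-10-05 08:12:06,644,User Account Locked Out,Target Account Name: jsmith,Caller Machine Name: FILESRV01
2009-10-05 08:12:07,529,Logon Failure,User Name: mjones,Workstation Name: FILESRV01
2009-10-05 08:12:08,529,Logon Failure,User Name: mjones,Workstation Name: FILESRV01
2009-10-05 08:12:09,529,Logon Failure,User Name: mjones,Workstation Name: FILESRV01
2009-10-05 08:12:10,529,Logon Failure,User Name: mjones,Workstation Name: FILESRV01
2009-10-05 08:12:11,529,Logon Failure,User Name: mjones,Workstation Name: FILESRV01
2009-10-05 08:12:12,644,User Account Locked Out,Target Account Name: mjones,Caller Machine Name: FILESRV01
2009-10-05 08:15:30,529,Logon Failure,User Name: mjones,Workstation Name: WS-ACCT07
2009-10-05 08:20:00,529,Logon Failure,User Name: bwhite,Workstation Name: SQLSRV02
2009-10-05 08:20:01,529,Logon Failure,User Name: bwhite,Workstation Name: SQLSRV02
2009-10-05 08:20:02,529,Logon Failure,User Name: bwhite,Workstation Name: SQLSRV02
2009-10-05 08:20:03,529,Logon Failure,User Name: ckim,Workstation Name: SQLSRV02
2009-10-05 08:20:04,529,Logon Failure,User Name: ckim,Workstation Name: SQLSRV02
2009-10-05 08:20:05,529,Logon Failure,User Name: ckim,Workstation Name: SQLSRV02
"""

KV_RE = re.compile(r"^\s*([^:]+):\s*(.*?)\s*$")


def parse_events(text):
    """Turn the export into a list of dicts: time, id, desc plus Key: Value fields."""
    events = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) < 3:
            continue  # blank or malformed line
        event = {"time": parts[0], "id": parts[1].strip(), "desc": parts[2]}
        for field in parts[3:]:
            m = KV_RE.match(field)
            if m:
                event[m.group(1)] = m.group(2)
        events.append(event)
    return events


def summarize_sources(events):
    """Per source host: failed logons, lockouts it caused, distinct accounts it tried."""
    summary = defaultdict(lambda: {"failures": 0, "lockouts": 0, "accounts": set()})
    for ev in events:
        if ev["id"] == FAILED_LOGON:
            host = ev.get("Workstation Name", "?")
            summary[host]["failures"] += 1
            summary[host]["accounts"].add(ev.get("User Name", "?"))
        elif ev["id"] == ACCOUNT_LOCKOUT:
            host = ev.get("Caller Machine Name", "?")
            summary[host]["lockouts"] += 1
            summary[host]["accounts"].add(ev.get("Target Account Name", "?"))
    return dict(summary)


def suspect_hosts(summary, min_failures=5, min_accounts=2):
    """Hosts to pull off the network and clean first: anything that caused a
    lockout, plus hosts with many failures spread over several accounts (the
    dictionary-attack pattern) even if nothing is locked out yet."""
    flagged = []
    for host, s in summary.items():
        if s["lockouts"] > 0 or (
            s["failures"] >= min_failures and len(s["accounts"]) >= min_accounts
        ):
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize_sources(parse_events(SAMPLE_LOG))
    for host in suspect_hosts(summary):
        s = summary[host]
        print(f"{host}: {s['failures']} failed logons, {s['lockouts']} lockouts, "
              f"accounts tried: {sorted(s['accounts'])}")
```

Run against a real export you would replace `SAMPLE_LOG` with the file contents and adjust `KV_RE` or the field split to the actual layout; the useful part is the ranking logic, which surfaces a host like `SQLSRV02` that is spraying several accounts but has not yet tripped the lockout threshold, so it shows up before it starts locking people out.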