Solved

Virus: locate infected machine

Posted on 2011-09-06
Last Modified: 2012-05-12
Hi,
We have Trend Micro installed on our network PCs. Does anyone know how I can identify the source of the infection (see attached)?
The messages are popping up on lots of PCs.
Attachment: Trend-Micro.bmp

Question by: HKFuey

11 Comments
 
Expert Comment by dbrunton (LVL 47):
Looks like Conficker.

See http://esupport.trendmicro.com/solution/en-us/1039145.aspx

Not sure if their advice will apply to your network system or not.
 
Expert Comment by Insignificant Volunteer (LVL 38):
When you say "source of the infection", are you trying to establish which of the computers was infected first, before it proliferated through the network (i.e. find out which user opened a bad email or inserted a USB flash drive), OR do you mean as dbrunton has assumed (i.e. what the actual name of the virus is)?
 
Expert Comment by Ashok Dewan (LVL 9):
You can see the path in the Infected column; it looks like C:\windows\system32\.
Scan that file online at www.virustotal.com or virscan.org. You will get the name of the virus; then you can find more information on that virus and also removal instructions.
 

Assisted Solution by HKFuey (earned 0 total points):
We have used Wireshark to identify the IP of the machine that is proliferating the virus.

This PC is used by a machine in the factory and is supported externally, so the engineers have been called in.
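HKFuey's post says Wireshark was used to identify the IP of the machine proliferating the worm. The script below is an added example, not HKFuey's code and not part of the original thread, showing how that triage can be automated from a capture export rather than by eye: it reads tab-separated connection records (source, destination, destination port, epoch time), a layout assumed to match a `tshark -T fields -e ip.src -e ip.dst -e tcp.dstport -e frame.time_epoch` export, and reports which source contacts the most distinct hosts on one port inside a short window. That fan-out is what a network-spreading worm produces and a normal client does not. The sample records, the port 445 default (SMB, the service such worms attack), the 60 s window and the threshold of 5 are all constructed assumptions to be tuned for a real network.

```python
"""Locate the host spreading a worm from exported connection records.

Added example, constructed for illustration. The record layout
(src, dst, dport, epoch seconds, tab separated) is an assumption
modelled on a `tshark -T fields` export; the sample lines are made up.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 hits seven distinct peers on 445 within two
# seconds (one of them twice), plus one probe much earlier; 10.0.0.12 is a
# normal client talking to a single file server; 10.0.0.30 is web traffic.
SAMPLE_CAPTURE = """\
# src\tdst\tdport\tframe.time_epoch
10.0.0.5\t10.0.0.99\t445\t1315290000.0
10.0.0.5\t10.0.0.20\t445\t1315300001.1
10.0.0.5\t10.0.0.21\t445\t1315300001.2
10.0.0.5\t10.0.0.22\t445\t1315300001.3
10.0.0.5\t10.0.0.20\t445\t1315300001.4
10.0.0.5\t10.0.0.23\t445\t1315300001.5
10.0.0.5\t10.0.0.24\t445\t1315300001.6
10.0.0.5\t10.0.0.25\t445\t1315300002.0
10.0.0.12\t10.0.0.5\t445\t1315300003.0
10.0.0.12\t10.0.0.5\t445\t1315300004.0
10.0.0.30\t10.0.0.40\t80\t1315300004.0
"""


def parse_records(text):
    """Parse tab-separated lines into (src, dst, dport, ts) tuples.

    Blank lines and lines starting with '#' are skipped so a header or
    comment in the export does not break parsing.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, ts = line.split("\t")
        records.append((src, dst, int(dport), float(ts)))
    return records


def fan_out_by_source(records, port=445, window=60.0):
    """Map each source to the largest number of distinct destinations it
    contacted on `port` within any sliding window of `window` seconds.

    A single host that repeatedly talks to one server scores 1; a host
    probing its neighbours scores as high as the number of peers it hits.
    """
    per_src = defaultdict(list)
    for src, dst, dport, ts in records:
        if dport == port:
            per_src[src].append((ts, dst))

    result = {}
    for src, events in per_src.items():
        events.sort()                       # oldest first
        in_window = defaultdict(int)        # dst -> hits inside the window
        start = 0
        best = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events older than the window from the left edge.
            while events[start][0] < ts - window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            best = max(best, len(in_window))
        result[src] = best
    return result


def suspected_spreaders(records, port=445, window=60.0, threshold=5):
    """Return the sources whose fan-out reaches `threshold`, sorted."""
    scores = fan_out_by_source(records, port, window)
    return sorted(src for src, n in scores.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CAPTURE)
    for src, n in sorted(fan_out_by_source(recs).items(), key=lambda kv: -kv[1]):
        print(f"{src:<12} distinct 445 peers in 60 s: {n}")
    print("suspected spreaders:", suspected_spreaders(recs))
```

Once the noisy source is known, the same records can be filtered on that address to see which hosts it reached, which tells you where to look for the next infected machine after the first one is isolated.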
 
Expert Comment by Insignificant Volunteer (LVL 38):
Downad.AD is the Conficker Worm (as stated by dbrunton), and Mal_DownadJ is the part of it that created the scheduled task so it could execute at a scheduled time and date.
 
Accepted Solution by ☠ MASQ ☠ (LVL 62, earned 250 total points):
This is a worm using a Windows exploit that was patched some time ago. Are you using any other active AV scanning on your network?

Guide to network removal here:
http://www.bdtools.net/how-to-remove-downadup.php
 
Expert Comment by ☠ MASQ ☠ (LVL 62):
Too slow! Good you found the culprit, but you could still do with closing this particular door to stop it arriving via a different route.
 
Expert Comment by Insignificant Volunteer (LVL 38):
Good call with Wireshark. I was actually just in the process of checking out network sniffers after reading up again on the details of the number of URLs and servers that it connects to/with. I was looking for a video on the Sophos site by their chief engineer demonstrating Wireshark at work so I could post back here with the link. Seems you beat me to it ;-)
 
Assisted Solution by Insignificant Volunteer (LVL 38, earned 250 total points):
"... Good you found the culprit but still could do with closing this particular door to stop it arriving via a different route" ... and perhaps also close the front door firmly behind (or onto) the person who (probably) introduced it with a USB flash drive, and who definitely needs to be summarily dismissed with loss of wages, pension, and company car ;-)
 

Author Closing Comment by HKFuey:
Thanks for the help!

If you have the same problem, try this:
http://www.wireshark.org/download.html
 
Expert Comment by Insignificant Volunteer (LVL 38):
Thank you HKFuey, even though I was too late in suggesting the same utility you actually used yourself to pin down the source. Just for completeness, if anyone else happens upon this question, the Sophos video that I was originally looking for is here:
http://www.youtube.com/user/SophosLabs#p/u/48/nPKYubm7yeA
Or a better version from the Main Menu > "Adobe Reader Vulnerability Demo" here:
http://www.sophos.com/en-us/security-news-trends/anatomy-of-an-attack.aspx
