Virus: locate infected machine

HKFuey
HKFuey used Ask the Experts™
on
Hi,
We have Trend Micro Installed on our network PC's. Does anyone know how I can Identify the source of the infection (see attached).
The messages are popping up on lots of PC's.
Trend-Micro.bmp
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
dbruntonQuid, Me Anxius Sum?  Illegitimi non carborundum.

Commented:
Looks like Conflicker.

See http://esupport.trendmicro.com/solution/en-us/1039145.aspx

Not sure if their advice will apply to your network system or not.
When you say "source of the infection", are you trying to establish which of the computers was infected first before it proliferated through the network (ie. find out what user opened a bad email or inserted a usb flash drive), OR do you mean as dbrunton has assumed (ie. what the actual name of the virus is)?
you can see the path in that infected column looks like C:\windows\system32\
scan that file online.
www.virustotal.com or virscan.org  you will get the name of virus then you can find more information on that virus and also removal instructions.
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Commented:
We have used Wireshark to identify the IP of the machine that is proliferating the virus.

This PC is used by a machine in the Factory and is supported externally so the engineers have been called in.
Downad.AD is the Conficker Worm (as stated by dbrunton), and Mal_DownadJ is the part of it that created the scheduled task so it could execute at a scheduled time and date.
Most Valuable Expert 2013
Commented:
This is a worm using a Windows exploit that was patched some time ago. Are you using any other active AV scanning on your network?

Guide to network removal here
http://www.bdtools.net/how-to-remove-downadup.php
Most Valuable Expert 2013

Commented:
Too slow!  Good you found the culprit but still could do with closing this particular door to stop it arriving via a different route.
Good call with WireShark.  I was actually just in the process of checking out Network Sniffers after reading up again on the details of the number of URLs and Servers that it connects to/with.  I was looking for a Video on the Sophos site by their chief engineer demonstration WireShark at work so I could post back here with the link.  Seems you beat me to it ;-)
".... Good you found the culprit but still could do with closing this particular door to stop it arriving via a different route" ..... and perhaps also close the front door firmly behind or onto the person who (probably) introduced it with a USB Flash Drive, and who definitely needs to be summarily dismissed with loss of wages, pension, and company car ;-)

Author

Commented:
Thanks for the help!

If you have the same problem, try this: -
http://www.wireshark.org/download.html
Thank you HKFuey, even though I was too late in suggesting the same utility you actually used yourself to pin down the source.  Just for completeness, if anyone else happens upon this question, the Sophos video that I was originally looking for is here:
http://www.youtube.com/user/SophosLabs#p/u/48/nPKYubm7yeA
Or a better version from the Main Menu > "Adobe Reader Vulnerability Demo" here:
http://www.sophos.com/en-us/security-news-trends/anatomy-of-an-attack.aspx

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial