Question: Worm:Win32/Conficker.B virus

  • Tuesday, 27 January 2009 14:06  Ron_g

    Hi All,

    I have the Worm:Win32/Conficker.B virus in my network. I have WSUS 3.0 deploying definition + security + critical updates to all my clients, and FCS managed by the Forefront Management Console.

    I deployed the latest version of the Microsoft Malicious Software Removal Tool to all my clients via GPO.

    The worm keeps showing up at clients that already removed the worm. The clients are fully updated, AntiVirus/AntiSpyware definition 1.49.2577.

    How to remove the worm completely from my network?

     

    Thanks.

All replies

  • Thursday, 19 February 2009 0:15  ROMCHCH

    Don't you know what MS means? Marketing Software or More Silence.
  • Thursday, 26 February 2009 15:06  MSarri
    I have the same problem.

    We have applied the steps according to this MS note:

    http://support.microsoft.com/?scid=kb%3Ben-us%3B962007&x=14&y=17


    We have deployed all updates, including KB958644, also ran the MSRT tool on all the machines, and other tools via GPO (Symantec, Kaspersky removal tool, etc.).

    All the clients are up to date, and we are doing a scheduled full scan everyday, and quick scan.


    But the problem is still there.


    We have alerts for Conficker.B and Conficker.gen!.B


    Any help?



    Thanks a lot.


    Regards,



  • Thursday, 26 February 2009 18:48  ROMCHCH
    Hi,

    this may help http://www.f-secure.com/weblog/archives/00001574.html

    There is a removal tool.

    Rgds, Roland
  • Thursday, 26 February 2009 19:43  MSarri

    Thanks for the link, but I tried that tool too....

    I tried MSRT, Symantec, Kaspersky and F-secure.

    But the conficker is still with us...



  • Thursday, 19 March 2009 22:17  Huer
    Have you tried Combofix? 
  • Tuesday, 19 May 2009 10:21  Itsme_wrk
    Hi,

    How about this idea, your workstations are actually clean however...

    You have a workstation on the DOMAIN that is logged in as a domain administrator and therefore has rights to dump the necessary infected files directly to \\<CLIENTNAME>\ADMIN$, which is causing Forefront to go "I found a virus at C:\Windows\blah.dll".

    That causes a crapload of Ops Manager alerts; however, because FCS is on the ball, it suspends and removes the offending code.

    We have the same thing here, when I find the domain admin .... :)

    Rob

    edit: fixed > on clientname :)
  • Friday, 24 July 2009 4:35  securityguy14
    The only thing that I've found that worked about every time with Conficker is a rescue disk. You would need to take each machine offline until it's scanned and all the machines are reporting clean, and you'd need to use one from an antivirus vendor that has a good record with Conficker definitions. Kaspersky has one on their site; you'd have to download and burn it to disk first, then boot your system from the disk and let it scan. Also DrWeb has a rescue disk that does a good job on removal, as do Avira, BitDefender and F-Secure. I'm putting the links for all those here for anybody that wants to try that. The BitDefender and the Kaspersky ones both do static updates before they scan, so I'd recommend those two first.

    http://www.freedrweb.com/livecd
    http://www.avira.com/en/support/support_downloads.html
    http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/rescue-cd/
    http://kb.bitdefender.com/KB417-en--Using-the-BitDefender-Rescue-CD.html
  • Thursday, 03 September 2009 3:59  Mike Crowley
    Any update here?

    Mike Crowley A+, Network+, Security+, MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
    Do you still have Exchange 2000?  Looking to upgrade to Exchange 2010?  Read how.

  • Thursday, 03 September 2009 14:44  Kurt Falde (MSFT, Moderator)

    What are you looking for an update for, specifically? Are you still having issues with Conficker and prompts regarding detecting Conficker?

    If so, first of all, like either you or someone else stated, FCS is doing its job and removing the virus when it is dropped on the box.

    The thing you need to focus on here is that you still have some vulnerability that is allowing an infected machine to have admin rights over your boxes and drop the infected files on them.

    Causes could be the following:
    -Admin type user logged onto Conficker infected system thus giving conficker admin over other systems
    -Weak password policies both on domain users as well as weak passwords on local administrator accounts
    -Possibly file shares/autoruns issues

    I would recommend taking a look at http://blogs.technet.com/kfalde/archive/2009/01/28/using-logparser-eventcomb-to-find-malware.aspx and running through that process.

    Also take a look at using either NMAP http://insecure.org/ with the Conficker scan script or McAfee's Conficker network scanning tool to scan your networks to see if any machines respond as being infected. Odds are you probably have some one-off machines like kiosks/conference room systems/PBX servers etc. that are totally unmanaged and are still infected, causing issues on the network.

    If you have specific systems that keep getting infected, you could always make use of file system auditing/Process Monitor/Network Monitor to see who/which system is creating the malware on those systems; however, this is typically harder to set up and can be totally random as to when the infections occur.


    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
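    The pattern Rob and Kurt describe above (one machine holding admin credentials dropping the worm into ADMIN$ on everyone else, which FCS then cleans up) shows in share-access audit logs as a single source IP writing to administrative shares on many different hosts. The script below is an added example, not code from the thread or from Microsoft: it aggregates constructed sample events to pick out that source and the account it used; the CSV layout, host names, IP addresses and the Domain Admins list are all assumptions.

```python
"""Find the one host that keeps writing into ADMIN$/C$ on other machines.
Added example; sample events are constructed and loosely modelled on the
fields of Security log event 5145 (detailed file share access)."""
from collections import defaultdict
import csv
import io

# Constructed sample: 'target' is the machine whose audit log recorded the
# access, 'source_ip' is the client that opened the share.
SAMPLE_EVENTS = r"""time,target,source_ip,account,share,path,access
2009-09-29T08:01:10,FS01,10.0.5.23,CORP\jdoe.admin,\\*\ADMIN$,system32\abcde.dll,WriteData
2009-09-29T08:01:14,FS01,10.0.5.23,CORP\jdoe.admin,\\*\ADMIN$,Tasks\At1.job,WriteData
2009-09-29T08:02:02,WS117,10.0.5.23,CORP\jdoe.admin,\\*\ADMIN$,system32\abcde.dll,WriteData
2009-09-29T08:02:40,PRINT2,10.0.5.23,CORP\jdoe.admin,\\*\ADMIN$,system32\abcde.dll,WriteData
2009-09-29T08:03:11,FS01,10.0.9.8,CORP\backupsvc,\\*\Backups,daily\fs01.bkf,WriteData
2009-09-29T08:04:55,WS118,10.0.5.23,CORP\jdoe.admin,\\*\C$,Windows\Tasks\At2.job,WriteData
2009-09-29T08:05:00,WS118,10.0.7.42,CORP\helpdesk,\\*\ADMIN$,system32\drivers\etc\hosts,ReadData
"""

ADMIN_SHARES = {r"\\*\ADMIN$", r"\\*\C$"}   # administrative shares
PRIVILEGED = {r"CORP\jdoe.admin"}           # constructed Domain Admins list (assumption)

def find_spreaders(csv_text, min_targets=3):
    """Return {source_ip: {"targets": set, "accounts": set}} for every source
    that wrote into an administrative share on >= min_targets distinct hosts.
    Read-only access and ordinary shares are ignored."""
    stats = defaultdict(lambda: {"targets": set(), "accounts": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["share"] in ADMIN_SHARES and row["access"] == "WriteData":
            stats[row["source_ip"]]["targets"].add(row["target"])
            stats[row["source_ip"]]["accounts"].add(row["account"])
    return {ip: s for ip, s in stats.items() if len(s["targets"]) >= min_targets}

def describe(spreaders, privileged=PRIVILEGED):
    """One finding per source; flags a privileged account, which matches the
    'admin logged onto an infected box' cause listed in the thread."""
    lines = []
    for ip, s in sorted(spreaders.items()):
        accts = ", ".join(sorted(s["accounts"]))
        priv = " (PRIVILEGED)" if s["accounts"] & privileged else ""
        lines.append(f"{ip} wrote to admin shares on {len(s['targets'])} hosts "
                     f"({', '.join(sorted(s['targets']))}) as {accts}{priv}")
    return lines

if __name__ == "__main__":
    for line in describe(find_spreaders(SAMPLE_EVENTS)):
        print(line)
```

    The read-only helpdesk access and the backup account's writes to an ordinary share are deliberately left out, so only the host that matches the propagation pattern is reported.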
  • Thursday, 03 September 2009 16:15  Mike Crowley

    Thanks.

    Yes, I have the worm on many workstations.

    Can you help me understand what KB958644 does to help here? I keep reading that it's a first step in combating this issue, but does it prevent the worm from propagating? What is the "remote code execution" it's talking about in the article?



  • Thursday, 03 September 2009 16:20  Mike Crowley

    Woah. That tool is pretty sweet. McAfee just went up a notch in my book!

    They now have 1 notch :)


  • Wednesday, 30 September 2009 10:12  MTJAdd

    We have an FCS infrastructure, and dealt with a Conficker.B issue yesterday. I have concerns with the way that FCS dealt with the propagation of the virus.

    Some machines detected the virus, isolated it and dealt with it accordingly, but others sat with the green tick and did not detect the virus, but were infected! On these servers, one in particular had over 40 scheduled tasks associated with Conficker running in memory, but 4 manual full scans of the server did not detect any problem.

    The machines had up to date Antivirus definition to that morning (29/09/09), the KB958644 patch, and the FCS client Version is 1.5.1972.0.

    Any thoughts on why it seemingly did not adequately deal with this infection on some machines? I'm especially concerned about why it did not detect the running scheduled tasks as a threat.

    Many thanks.