How to beat W32.Downadup infections - Outbreak Scenario
1) First, download the required patches and the fix tool:
Symantec FixDownadupTool: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/D.exe
2) Create a shared folder on a server to hold the downloaded files, and grant all users read-only access (the infected machines must be able to read the tool, but nothing should be able to replace it).
3) Use PsExec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) with a text file listing the infected machines, and run it under a privileged account such as a Windows domain admin. Prefer a dedicated account with only the rights the cleanup needs, and reset its password once the outbreak is over, since it will be used on hosts you do not trust.
4) In the batch file, replace the server name and shared folder name with your own.
Then run it, for example, as domain administrator:
c:\psexec @infected.txt -d -c Clean-Downadup.bat
-c copies the batch file to each remote machine and -d returns without waiting for it to finish. Note that when no user name is given, PsExec runs the remote process in an impersonated session that has no access to network resources, so the batch file would be unable to read the share; pass explicit credentials with -u DOMAIN\user -p password if the batch file reaches back to the share.
infected.txt should contain one host name or IP address per line.
Use SoftPerfect Network Scanner (http://www.softperfect.com/products/networkscanner/) to ping a range of IP addresses and save the results as a text file.
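A batch file of the kind the steps above describe, as an added example; it is not the author's attached Clean-Downadup.bat. It assumes a share \\FILESRV\DownadupFix that holds D.exe read-only with a writable logs subfolder, that PsExec was started with -u/-p so the script can reach the share, and that D.exe accepts /SILENT and /LOG= (assumed; check the tool's own usage output before relying on them). The "feature it disables" here is AutoRun, chosen because Conficker also spreads from removable drives via autorun.inf; the original post does not say which features its batch file disables.

```batch
@echo off
rem Clean-Downadup.bat  (added example, not the author's attached file)
rem Assumptions not stated in the original post:
rem   - \\FILESRV\DownadupFix holds D.exe (read-only) and a writable "logs" subfolder
rem   - PsExec was run with -u/-p, otherwise UNC paths below fail with no network access
rem   - D.exe switches /SILENT and /LOG= are assumed; confirm against the tool's usage text
setlocal
set SHARE=\\FILESRV\DownadupFix
set WORK=%SystemRoot%\Temp\DownadupFix
set LOG=%SHARE%\logs\%COMPUTERNAME%.log

rem Copy the tool locally first: the worm blocks access to security vendor names,
rem but a plain file copy from an internal share is unaffected. Record failures centrally.
if not exist "%WORK%" mkdir "%WORK%"
copy /y "%SHARE%\D.exe" "%WORK%\D.exe" >nul || (
    echo %DATE% %TIME% %COMPUTERNAME% copy of D.exe failed>> "%SHARE%\logs\errors.txt"
    exit /b 1
)

rem 1) Run the fix tool and write its report to the share so results are collected in one place.
"%WORK%\D.exe" /SILENT /LOG="%LOG%"

rem 2) Disable AutoRun for every drive type (bitmask 0xFF) so a re-inserted USB stick
rem    cannot re-infect a cleaned host...
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0xFF /f
rem    ...and make Windows ignore autorun.inf files altogether (the IniFileMapping technique
rem    from Microsoft KB967715 / US-CERT guidance).
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /ve /t REG_SZ /d "@SYS:DoesNotExist" /f

rem 3) Mark completion; any host in infected.txt that never appears here needs a re-run.
echo %DATE% %TIME% %COMPUTERNAME% done>> "%SHARE%\logs\completed.txt"
endlocal
```

Deploy it with PsExec using explicit credentials so the remote session can read the share, e.g. c:\psexec @infected.txt -u DOMAIN\cleanup -p <password> -d -c Clean-Downadup.bat; afterwards, compare logs\completed.txt against infected.txt to find hosts that were offline or failed, and check each host's D.exe log before treating it as clean.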
Other important points:
1) Review the current password policy; a Windows GPO can require complex passwords with a minimum length. This matters because the worm also spreads by trying a built-in list of weak passwords against the ADMIN$ share of other machines.
2) Use Nessus (http://www.nessus.org/download/) and scan all machines with plugin ID 34476 to check whether the MS08-067 patch is installed. (Any other tool that checks for the installed patch will do; this is just an example.)
Important Note: Review the batch file before running it on production servers, because it disables some Windows features to prevent Conficker infection.
Rename "Clean-Downadup.txt" to "Clean-Downadup.bat"