Endpoint Protection

  • 1.  Domain A/c Lockout

    Posted Jan 14, 2012 01:18 AM

    Dear Team,

    I am having an issue on some of the systems: when users log in, their Domain A/C keeps on locking. I remember there is a virus which does this behaviour; can you help me to know the virus and repair tool?



  • 2.  RE: Domain A/c Lockout

    Posted Jan 14, 2012 01:59 AM

    Hi,

    That is the Downadup worm.

    Check the threat writeup; the tool is also available in the link:

    http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99

    Check the steps to fight against this threat:

    http://www.symantec.com/business/support/index?page=content&id=TECH93179



  • 3.  RE: Domain A/c Lockout

    Posted Jan 14, 2012 10:52 AM

    Hi Zubair, yes it is the Downadup worm.

    You can use the Downadup removal tool D.exe from the link above.

    However, just running this tool will not be enough; make sure you have the MS patch applied on those affected clients.

    Make sure SEP is installed and up to date with NTP enabled.

    Also, if it is the Downadup worm, check which variant it is, because there are quite a few variants of it.

    Most importantly:

    It might be something else as well, like some startup script, or that account being used in some script with an old password.

    Analyze the security logs (Event Viewer) of the machine to check who is trying to connect using that account, and why.


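    The log analysis suggested in the reply above (and the security auditing step in reply 5) in working form: an added Python example, not code from this thread, that groups constructed Security log records (event 4625 failed logon, 4740 account locked out) by the host that supplied the credentials, so a machine guessing passwords across many accounts can be told apart from a script retrying one stale password. The CSV layout, host names, users and addresses are assumptions made up for the sample.

    ```python
    from collections import defaultdict

    # Constructed sample in the shape of a CSV export of the Security log:
    # EventID,TargetUserName,Source,IpAddress. "Source" stands in for
    # WorkstationName (4625) / CallerComputerName (4740). Values are made up.
    SAMPLE_LOG = """\
    4625,jdoe,WS-42,10.0.0.42
    4625,jdoe,WS-42,10.0.0.42
    4625,jdoe,WS-42,10.0.0.42
    4740,jdoe,WS-42,-
    4625,asmith,WS-07,10.0.0.7
    4625,bkhan,WS-07,10.0.0.7
    4625,ckim,WS-07,10.0.0.7
    4740,asmith,WS-07,-
    """


    def parse_events(text):
        """Turn CSV lines into dicts, skipping blank or malformed lines."""
        events = []
        for line in text.splitlines():
            parts = line.strip().split(",")
            if len(parts) != 4 or not parts[0].isdigit():
                continue
            events.append({"id": int(parts[0]), "user": parts[1],
                           "source": parts[2], "ip": parts[3]})
        return events


    def profile_sources(events, spray_threshold=3):
        """Group 4625 (failed logon) and 4740 (lockout) events by source host.
        Many accounts from one host: worm-style password guessing ("spray");
        one account repeatedly from one host: a script or service still
        using an old password ("stale")."""
        stats = defaultdict(lambda: {"failures": 0, "accounts": set(),
                                     "locked": set()})
        for ev in events:
            s = stats[ev["source"]]
            if ev["id"] == 4625:
                s["failures"] += 1
                s["accounts"].add(ev["user"])
            elif ev["id"] == 4740:
                s["locked"].add(ev["user"])
        report = {}
        for host, s in stats.items():
            kind = "spray" if len(s["accounts"]) >= spray_threshold else "stale"
            report[host] = {"failures": s["failures"], "pattern": kind,
                            "accounts": sorted(s["accounts"]),
                            "locked": sorted(s["locked"])}
        return report
    ```

    A "stale" host is where to look for the scheduled task or service holding an old password; a "spray" host is the one to isolate and scan first.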

  • 4.  RE: Domain A/c Lockout

    Trusted Advisor
    Posted Jan 16, 2012 09:02 AM

    Hello,

    Check the following articles from Symantec and Microsoft, which answer all your questions:

    1) Best Practice for Downadup.B and Additional information on the same.

    https://www-secure.symantec.com/connect/articles/b...

    2) Security Response blog: "Downadup: Locking Itself Out"

    https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/243

    3) A good public reference to Active Directory auditing can be found on Technet: "Auditing Policy"

    http://technet.microsoft.com/en-us/library/cc779526.aspx

    4) Another good Microsoft resource: Account Lockout and Management Tools. There is one tool, ALockout.dll, which can help identify the process which is supplying incorrect credentials. This may be useful in finding suspicious files to submit to Security Response.

    http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en


    If your users and computers are members of an Active Directory domain (which is likely in an enterprise environment):
    1) Please check the user account's status in Active Directory Users and Computers. The user account may be displayed as locked. Unlocking it from this administrative console is a simple task. Once the user account is unlocked, they should be able to log in to their computer.

    2) Attempt to log in as a different user (another valid user account on the domain, or perhaps the administrator).

    3) Attempt to log into the local computer rather than using the domain credentials.

    In all these cases: as soon as the user has access to the computer, they should download the latest antivirus definitions, isolate the computer from the network and perform a full system scan.



  • 5.  RE: Domain A/c Lockout

    Trusted Advisor
    Posted Jan 16, 2012 09:04 AM

    Hello,

    Plan of Action:

    1) Make sure ALL computers have Symantec EP installed with the latest / updated virus definitions, and

    2) Install the MS08-067 patch [KB 958644] on ALL computers.

    http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    3) Install ALL the latest Microsoft security patches / service packs on ALL machines.

    4) Disable Autoplay with GPO

    http://support.microsoft.com/kb/953252

    5) Disable Scheduled Tasks with GPO

    http://support.microsoft.com/kb/310208

    6) Enable Security Auditing with GPO

    http://support.microsoft.com/kb/300549

    7) Scan ALL the machines...

    *ALL means ALL client machines and server machines (make sure you don't miss any machine)

    In addition to this, please check the articles provided below and work upon the same.

    1) Best Practice for Downadup.B and Additional information on the same.

    https://www-secure.symantec.com/connect/articles/best-practice-downadupb-and-additional-information-same

    2) Simple steps to protect yourself from the Conficker Worm

    http://www.symantec.com/business/support/index?page=content&id=TECH93179&locale=en_US