Endpoint Protection

Hi,

Can anyone here experience downadup infection that keeps on creating scheduled taks.
We already run the downadup removal tool on the infected system, run full scan with the latest definitions and updated MS Windows patches on infected system but still downadup still creates new schedule task to run on certain schedule.
Your inputs are appreciated.

Thanks,
Jun

I think the virus is there on your network. Please detach all pcs from the network, run the removal tool as well the perform full scan with proper updated antivirus software by turning off System Restore Mode. Do the same action for all pcs in your network and after cleaning all please attach them to the network.

Downadup Installs a service under



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\ netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BadServiceName



This service is most of the time a .dll file [We need to submit this one if not already detected by SEP]



The service uses MS task scheduler to create multiple jobs

These jobs executes a file rundll32.exe random_name.random_ext <args> at random interval

These extensions are not always .dll it could be anything [i.e. .ifs,. jpg, .tmp, .c]

In task manager we’ll see multiple rundll32.exe running

That file in most cases detected by SEP not we need to submit that file.

to submit the files go to https://submit.symantec.com/gold

I had the same proble thus i agree to Binayak

 Dont forget to patch MS -08-067 Patch at

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Run the downadup tool from symantec then pacth the pcs and also before runninbg the tool turn system restore off and dissconnect for the network
this will reomove the downadup virus

Dear All,

Upgrade the microsoft latest patches.

Regards
Viquaf

What Antivirus are you using ? SAV ? SCS ? SEP ? Norton ? 

IF you have fully patched [please confirm using Microsoft's MBSA] then

IF you are using SCS or SEP or Norton Internet Security / 360 , ensure you have the IPS signature updated to the April 2009 version.
From its log, you can see which machine is infected and attacking this machine you are working on.

Alternatively , you can run Conficker Scanner available at www.honeynet.org/node/397 and scan your network.

Good luck !

This is a vulnerability issue. Regular OS update & latest defination update will relolve this issue.

Did SEP detected any downadup infections when you run the full scan? what is the detected threat downadup.b? or c?

Please make sure you this update
Microsoft Security Update for Windows XP (KB958644). You can verify this by going to control panel, then check show updates.

Please also disable system restore, Show all hidden and system files/folders.
Double check the Recycler folder, make sure you dont have jw***.vmx files.

Hi,

Yes, the SEP detected downadup with action cleaned by deletion and downadup.b with action log only, restart processing. Does anyone have an idea on what "restart processing" action means to say?
Anyway, yes we installed Windows XP KB958644 on the systems infected and noticed that the downadup infection has just stopped. After we patched the infected system, we ran full system scan and downadup removal tool. We also disabled task sheduler on the microsoft services and deleted task schedules created by downadup. We also turned off the autoplay feature of Windows on group policy. And yes before we did the procedure, we disabled system restore on Windows XP. The question is, what if the user has a legitimate schedule task to run on specific time, how can we disable the task scheduler service? and why is that the patch required after running the downadup removal tool is not the KB958644 as required to block downadup infection.

thanks,
jun

Hi Jun,

This happened to me, "Restart Processing" you need to restart the workstation. But in my case the source was on the USB, I have to run the downadup tool and restart while the USB stick still plugged in.

I guess you can already start the task scheduler if you are sure that the infections were taken cared of. Btw, who is the owner of the tasks created by downadup? Can you double check?

As for the MS patch (KB958644), this is required even before you run the downadup removal tool was created. The patch was released on October 2008, So at least you should have this patch around November or December 2008 and would have prevented this issue.

Please check the vulnerability details here;
http://www.securityfocus.com/bid/31874