Downadup.C April Fool's Day computer worm

  • 1.  Downadup.C April Fool's Day computer worm

    Posted Mar 26, 2009 01:53 AM
    Any updates regarding the issue? Any preventive procedures?


  • 2.  RE: Downadup.C April Fool's Day computer worm

    Posted Mar 26, 2009 02:47 AM
    Hi Paul,

    What is this all about??

    Rgrds,
    SAM


  • 3.  RE: Downadup.C April Fool's Day computer worm

    Posted Mar 26, 2009 03:01 AM
    This is regarding the news I have read from CNN regarding this virus. Symantec confirmed it. Try searching for the Downadup.C worm on Symantec.

    Here's the CNN news link

    http://edition.cnn.com/2009/TECH/03/24/conficker.computer.worm/index.html

    Info from Wikipedia

    http://en.wikipedia.org/wiki/Conficker


  • 4.  RE: Downadup.C April Fool's Day computer worm

    Posted Mar 26, 2009 09:23 AM
    For other details, read the article on PC World, "Symantec Warns of Worm's Return".

    More technical details are in the Symantec post "W32.Downadup.C Digs in Deeper".
    The Downadup worm is also known as:
    W32.Downadup              [Symantec]
    W32.Downadup.B            [Symantec]
    Win32/Conficker.A         [Computer Associates]
    W32/Downadup.A            [F-Secure]
    Conficker.A               [Panda Software]
    Net-Worm.Win32.Kido.bt    [Kaspersky]
    WORM_DOWNAD.AP            [Trend]

    In short, to prevent the potential issue:
    - Patch Update Microsoft MS08-067 KB958644 - Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
    - Prevent a virus from spreading using the "AutoRun" feature (Disable AutoPlay GPO, and correct "disable Autorun registry key")
    - Update Symantec AV to the latest Daily Certified version

    One last suggestion: in case of infected computers, there is a Symantec tool called the W32.Downadup Removal Tool.


  • 5.  RE: Downadup.C April Fool's Day computer worm

    Posted Mar 26, 2009 01:55 PM

    The nice and long report "An Analysis of Conficker's Logic" by Phillip Porras, Hassen Saidi, and Vinod Yegneswaran, published on the SRI International site, is full of technical details on how this worm works.


    [Figure: Conficker A post-infection network activity (8 hours)]



  • 6.  RE: Downadup.C April Fool's Day computer worm

    Posted Mar 27, 2009 09:11 AM
    Already infected? Take a look: Remove Downadup from infected computers

    But remember, the most important patch to prevent infection is the Microsoft security bulletin MS08-067.



  • 7.  RE: Downadup.C April Fool's Day computer worm

    Posted Mar 27, 2009 11:32 AM
    If you run protection, keep patched, etc. then there's nothing much to worry about. Those who won't patch or keep their OS up-to-date/current and who pretend "what, me worry?" will need to worry.
    We're clean. And current.
    Last I heard, all folks could do is speculate as there were some unknowns........ but again, patched is protected (unless we are talking Adobe products)


  • 8.  RE: Downadup.C April Fool's Day computer worm

    Posted Mar 27, 2009 03:04 PM

    What about a Citrix Metaframe XP environment running on Windows 2000 Server SP4?  Any other adjustments that need to be made? 



  • 9.  RE: Downadup.C April Fool's Day computer worm

    Posted Mar 31, 2009 01:54 PM
    Only 3 posts on this, wow. Wonder if it is really a threat or not.

    I might as well check patch level.


  • 10.  RE: Downadup.C April Fool's Day computer worm

    Posted Mar 31, 2009 01:59 PM
     

    check patch level, make sure SEP is actually running, little to be concerned with, IMO - except for HOME users who typically have a clickety-click it exists, therefore I must click it "what, me worry" attitude about attachments and embedded links anyway.
    See if your people can visit these sites, and if so, they have not got the latest version of that worm........

    * http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm

    * http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

    * http://www.mcafee.com
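The check suggested in the post above can be scripted so that "security sites do not resolve" is told apart from "nothing resolves". This is an added example, not part of the original thread: the security hostnames come from the links in that post, while the control hostnames and the verdict labels are assumptions.

```python
import socket

# Hostnames taken from the links in the post above.
SECURITY_HOSTS = ["www.symantec.com", "www.microsoft.com", "www.mcafee.com"]
# Assumption: unrelated names that should always resolve from this network.
CONTROL_HOSTS = ["www.example.com", "www.wikipedia.org"]


def system_resolve(host):
    """Return True if the OS resolver returns at least one address for host."""
    try:
        return bool(socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP))
    except (OSError, UnicodeError):
        return False


def classify(security_hosts, control_hosts, resolve=system_resolve):
    """Compare resolution of security-vendor names against control names.

    Returns (verdict, blocked), where blocked lists the security hosts that
    failed to resolve. Verdict labels are this example's own:
      inconclusive - no control name resolves, so DNS itself is down
      reachable    - every security host resolves
      suspect      - controls resolve but no security host does
      partial      - only some security hosts fail; check proxy/filter rules
    """
    sec = {h: resolve(h) for h in security_hosts}
    ctl = {h: resolve(h) for h in control_hosts}
    blocked = sorted(h for h, ok in sec.items() if not ok)
    if not any(ctl.values()):
        return "inconclusive", blocked
    if not blocked:
        return "reachable", blocked
    if len(blocked) == len(sec):
        return "suspect", blocked
    return "partial", blocked


if __name__ == "__main__":
    # Run on the workstation being checked, not on the management server.
    print(classify(SECURITY_HOSTS, CONTROL_HOSTS))
```

A "suspect" verdict is a reason to run the removal tool and check patch level on that machine, not proof of infection: a filtering proxy or DNS policy produces the same result.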



     


  • 11.  RE: Downadup.C April Fool's Day computer worm

    Posted Mar 31, 2009 02:00 PM
    Based on an article that I just read, Symantec seems to be ready for this "outbreak". All their products have been given the necessary definition updates awhile back. So if you are patched up and up-to-date with your virus definitions (as someone said earlier) then you can be a little bit more at ease.


  • 12.  RE: Downadup.C April Fool's Day computer worm

    Posted Mar 31, 2009 02:02 PM


  • 13.  RE: Downadup.C April Fool's Day computer worm

    Posted Mar 31, 2009 02:09 PM
    >>Based on an article that I just read, Symantec seems to be ready for this "outbreak". All their products have been given the necessary definition updates awhile back. <<

    That's my feeling, and I'm going to trust them........ and be REALLY sure my home computers are patched via MS patches.
    I'm at nearly 100% coverage here at work and only a couple PCs have defs dated older than today, and they are at this week's level anyway.
    I've been auditing the heck out of things here!
    SEM makes that pretty simple.


  • 14.  RE: Downadup.C April Fool's Day computer worm

    Posted Apr 01, 2009 10:21 AM
    I have been auditing my network as well. All but 10 of my 100+ workstations and servers have definition March 31, 2009 and March 30, 2009 and those 10 have March 29, 2009 so I'm quite "relaxed". Keeping my eyes open and waiting.


  • 15.  RE: Downadup.C April Fool's Day computer worm

    Posted Apr 01, 2009 09:32 PM
    Symantec support told me that March 6 defs can detect the virus but not sure if it can be cleaned, better to have March 22 and up for the Downadup.C worm.
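The audits described in this thread check three things per machine: the MS08-067 patch (KB958644), AutoRun being disabled, and the definition date. The following is an added example, not from any poster or from Symantec, that applies those checks to an inventory export. The CSV columns and sample rows are constructed, the March 22 threshold is the one quoted in the post above, and it assumes the AutoRun setting is exported as the NoDriveTypeAutoRun registry bitmask, where 0xFF disables AutoRun on every drive type.

```python
import csv
import io
from datetime import date

REQUIRED_KB = "KB958644"       # MS08-067 fix named earlier in the thread
MIN_DEFS = date(2009, 3, 22)   # threshold quoted in the post above
AUTORUN_ALL = 0xFF             # NoDriveTypeAutoRun: AutoRun off for all drive types

# Constructed inventory export; column names and rows are assumptions.
SAMPLE = """host,hotfixes,no_drive_type_autorun,defs_date
WS-001,KB958644;KB0000001,0xFF,2009-03-31
WS-002,KB0000001,0x91,2009-03-29
SRV-01,KB958644,0x91,2009-03-06
WS-003,KB958644,,2009-03-30
"""


def audit(text):
    """Return {host: [issues]} for hosts failing any of the three checks."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        issues = []
        kbs = {k.strip().upper() for k in row["hotfixes"].split(";") if k.strip()}
        if REQUIRED_KB not in kbs:
            issues.append("missing " + REQUIRED_KB)
        raw = row["no_drive_type_autorun"].strip()
        # An absent registry value means no policy is set: treat as not hardened.
        mask = int(raw, 16) if raw else 0
        if mask & AUTORUN_ALL != AUTORUN_ALL:
            issues.append("AutoRun not disabled for all drive types")
        if date.fromisoformat(row["defs_date"]) < MIN_DEFS:
            issues.append("definitions older than " + MIN_DEFS.isoformat())
        if issues:
            findings[row["host"]] = issues
    return findings


if __name__ == "__main__":
    for host, issues in audit(SAMPLE).items():
        print(host, "->", "; ".join(issues))
```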


  • 16.  RE: Downadup.C April Fool's Day computer worm

    Posted Apr 01, 2009 10:13 PM
    C is the fairly recent version and the one that blocks the security sites.
    Not that folks should not be prepared, etc. - always err on the safe side. However, this one almost reminds me of the 1990s and the McAfee "the sky is about to fall" "press releases" where the next HUGE threat was really hyper-hyped to the press in the guise of "press releases" which were more marketing and promotional gimmicks than anything. The sky never fell.
    As I expected, we've not seen nor heard of a single instance of this beast from other agencies, and we were clean. This at worst would have probably downloaded and installed some SPAM bots....... not good, but I suspect little physical damage or file loss. Just a guess.......

    HOWEVER, today SEP did pick up some other suspect files when a couple of our folks visited innocent web sites - in each case, it tried to create an EXE on their DESKTOP. In each case, SEP stopped it before the job was done, but the EXE was there......... or at least most of it.
    Submitted two samples - only heard back on one, and the response was "this file is corrupt, restore it from a clean copy." Uh, OK, we'll reinstall the virus, sure........

    I will tell ya, I've seen MORE activity in the last month to 6 weeks than I've ever seen since I started doing this 20+ years ago. I can hardly keep up with all the re-scans and follow-up forensics and all. I mean, constant alerts that someone has gotten some alert or that SEP is blocking an address because of some "malware" or attempt to install some phoney AV thing. I've never seen so much, it's escalated like crazy in the last few weeks - I have to suspect the Symantec honeypots are getting hammered. Maybe not, as MOST of these come via visits to web sites, most of them legit sites, many to do with jobs and rehab and training!