Endpoint Protection


How to remove / Block W32.Downadup.B using SEP 12.2 policies

  • 1.  How to remove / Block W32.Downadup.B using SEP 12.2 policies

    Posted Jun 07, 2013 12:47 AM

    Hi,

    We have nearly 1900 systems with Windows XP / 7 / 8 OS. For the last 2 days there have been a lot of issues due to the W32.Downadup.B malware. Almost 50 % of the systems are infected with this malware. All the systems have some scheduled task, and it is sending unknown network traffic in the network. I am unable to find the sample file to submit to the Symantec support team. As usual, I have received the reply from the support team "this is not a virus".

    I have SEP 12.2 on all the systems; now SEP is detecting the malware, but it is showing it only as infected. It is not removing it, and none of the processes are terminated by SEP 12.2. Now my network is totally dead slow. We are unable to use our application.

    Can someone help me remove this malware and explain how to prevent it using SEP policies? I have attached the screenshot and load point analysis logs for reference.

    Thanks & regards

    Rajasekaran.S



  • 2.  RE: How to remove / Block W32.Downadup.B using SEP 12.2 policies
    Best Answer

    Broadcom Employee
    Posted Jun 07, 2013 01:00 AM

    SEP has IPS definitions, so install all the modules.

    Also check this link to fight against Downadup/Conficker:

    http://www.symantec.com/docs/TECH93179



  • 3.  RE: How to remove / Block W32.Downadup.B using SEP 12.2 policies

    Posted Jun 07, 2013 01:01 AM


  • 4.  RE: How to remove / Block W32.Downadup.B using SEP 12.2 policies

    Posted Jun 07, 2013 01:11 AM

    Check some of these tools:

    https://www-secure.symantec.com/connect/forums/your-system-infected-symantec-tools-help-clear-infection


    Eliminating viruses and security risks

    Article:HOWTO27280  |  Created: 2010-01-08  |  Updated: 2010-01-15  |  Article URL http://www.symantec.com/docs/HOWTO27280

    Best Practices for Troubleshooting Viruses on a Network

    Article:TECH122466  | Created: 2010-01-15  | Updated: 2013-03-15  | Article URL http://www.symantec.com/docs/TECH122466




  • 5.  RE: How to remove / Block W32.Downadup.B using SEP 12.2 policies

    Posted Jun 07, 2013 01:29 AM

    Hello,

    You can run the Power Eraser tool to clean the virus:

    http://security.symantec.com/nbrt/npe.aspx

    https://support.norton.com/sp/en/us/home/current/solutions/v69675421_EndUserProfile_en_us

    Run the tool and collect the log, or submit it to the Symantec security team:

    Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    https://www-secure.symantec.com/connect/articles/using-symantec-help-symhelp-tool-how-do-we-collect-suspicious-files-and-submit-same-symante



  • 6.  RE: How to remove / Block W32.Downadup.B using SEP 12.2 policies

    Posted Jun 07, 2013 02:16 AM

    Dear Technical Specialist,


    I have run the tool and generated the log as well. I have submitted the same to Symantec. After submission I received the mail, "This is not a malware".



  • 7.  RE: How to remove / Block W32.Downadup.B using SEP 12.2 policies

    Posted Jun 07, 2013 02:17 AM

    Dear Pete,


    Can you explain to me how to install the IPS module?


    Thanks & regards

    Rajasekaran.S



  • 8.  RE: How to remove / Block W32.Downadup.B using SEP 12.2 policies

    Posted Jun 07, 2013 02:27 AM

    Hello,

    You can raise a support ticket:

    How to Manage Support Cases Online using MySymantec (formerly MySupport)

    Article:HOWTO31091  |  Created: 2010-07-26  |  Updated: 2013-05-09  |  Article URL http://www.symantec.com/docs/HOWTO31091

    Check some threads on the same issue:

    https://www-secure.symantec.com/connect/forums/1-tasks-are-creating-auotmatically

    https://www-secure.symantec.com/connect/forums/at1at2at15tasks-are-getting-created-automatically



  • 9.  RE: How to remove / Block W32.Downadup.B using SEP 12.2 policies

    Broadcom Employee
    Posted Jun 07, 2013 02:28 AM

    When you create a package for SEP, which components have you installed?

    If IPS needs to be included, you need to select it while exporting the package from SEPM. It will ask for the features to be included; you need to select all.



  • 10.  RE: How to remove / Block W32.Downadup.B using SEP 12.2 policies

    Posted Jun 07, 2013 02:32 AM

    Have you updated your systems with the required patches?



  • 11.  RE: How to remove / Block W32.Downadup.B using SEP 12.2 policies

    Posted Jun 07, 2013 02:34 AM

    Hello,

    The best option is to raise a case with Symantec. Also add the log submission details to the case ID.

    How to create a new case in MySymantec

    http://www.symantec.com/business/support/index?page=content&id=TECH58873

    Phone numbers to contact Tech Support:-

    Regional Support Telephone Numbers:

    • United States: https://support.broadcom.com (407-357-7600 from outside the United States)
    • Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
    • United Kingdom: +44 (0) 870 606 6000

    http://www.symantec.com/support/contact_techsupp_static.jsp



  • 12.  RE: How to remove / Block W32.Downadup.B using SEP 12.2 policies

    Posted Jun 07, 2013 02:39 AM

    Update the patches on the systems and update the latest definitions on the clients.

    Check:

    http://msmvps.com/blogs/docxp/archive/2008/12/31/1658203.aspx



  • 13.  RE: How to remove / Block W32.Downadup.B using SEP 12.2 policies

    Broadcom Employee
    Posted Jun 07, 2013 02:45 AM

    Check this link to create a package with a feature set:

    Creating custom client installation packages in the Symantec Endpoint Protection Manager console

    http://www.symantec.com/business/support/index?page=content&id=TECH102817



  • 14.  RE: How to remove / Block W32.Downadup.B using SEP 12.2 policies

    Posted Jun 07, 2013 07:03 AM

    The key here is to make sure your systems are patched. Conficker has been around since 2008. A patch has also been available since then.



  • 15.  RE: How to remove / Block W32.Downadup.B using SEP 12.2 policies

    Trusted Advisor
    Posted Jun 07, 2013 07:08 AM

    Hello,

    Work on the Plan of Action as given below for a 100% result.

    Plan of Action:

    1) Make sure ALL computers have Symantec EP installed with the latest / updated virus definitions, and

    2) Install the MS08-067 patch [KB 958644] on ALL computers.

    http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    3) Install ALL the latest Microsoft security patches / service packs on ALL machines

    4) Disable AutoPlay with GPO

    http://support.microsoft.com/kb/953252

    5) Disable Scheduled Tasks with GPO

    http://support.microsoft.com/kb/310208

    6) Enable Security Auditing with GPO

    http://support.microsoft.com/kb/300549

    7) Scan ALL the machines...

    8) Enable Risk Tracer

    http://www.symantec.com/docs/TECH102539

    NOTE: Risk Tracer relies upon Windows File and Printer Sharing, and the SEP client Network Threat Protection (NTP) feature must be installed for Risk Tracer to function fully.

    In case we don't have Network Threat Protection installed on the machines, we could try NMAP (http://insecure.org/).

    NOTE 2: *ALL means ALL client machines and server machines (make sure you don't miss any machine).

    In addition to this, please check the articles provided below and work upon the same.

    1) Best Practice for Downadup.B and additional information on the same

    https://www-secure.symantec.com/connect/articles/best-practice-downadupb-and-additional-information-same

    2) Simple steps to protect yourself from the Conficker Worm

    http://www.symantec.com/docs/TECH93179

    3) MS KB on the removal process / best practice for W32.Downadup.B

    http://support.microsoft.com/kb/962007

    4) MS08-067 patch download [KB 958644]

    http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    5) Security Response blog: "Downadup: Locking Itself Out"

    https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/243

    Similar Threads: 

    https://www-secure.symantec.com/connect/forums/w32downadupb-how-could-you-find-source-if-there-are-1k-infected

    https://www-secure.symantec.com/connect/forums/w32downadupb-5

    https://www-secure.symantec.com/connect/forums/account-lockdown-pertaining-domain-controller

    Hope that helps!!
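As an added illustration (not part of the thread, and not Symantec tooling), a PowerShell audit that checks one host against steps 2, 4, 5 and 6 of the Plan of Action above and lists the At-style scheduled tasks the original poster describes. It assumes an elevated PowerShell 2.0+ session, English-language schtasks output, and auditpol being present (Vista or later); the function names are our own.

```powershell
# Added example: audit a single host against the Conficker Plan of Action.
# Not from the thread. Run elevated; intended for XP/7/8 era hosts.

function Test-Ms08067Patch {
    # Step 2: KB958644 is the MS08-067 hotfix named in the thread.
    # Windows 7/8 shipped with the fix built in, so a missing KB there is
    # expected; treat a missing KB as a definite gap only on XP / 2003.
    $hf = Get-HotFix -ErrorAction SilentlyContinue |
          Where-Object { $_.HotFixID -eq 'KB958644' }
    return [bool]$hf
}

function Test-AutoRunDisabled {
    # Step 4: policy value 0xFF (255) disables AutoRun for every drive type.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $p = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    return ($p -ne $null -and $p.NoDriveTypeAutoRun -eq 255)
}

function Get-AtStyleTasks {
    # Step 5 / poster's symptom: tasks named At1, At2, ... created automatically.
    # schtasks works on XP/7/8 where the Get-ScheduledTask cmdlet does not exist.
    $rows = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv
    return @($rows | Where-Object { $_.TaskName -match '\\At\d+$' } |
             Select-Object TaskName, 'Task To Run', 'Run As User', 'Next Run Time')
}

function Test-ObjectAccessAuditing {
    # Step 6: is success auditing of object access switched on? (auditpol: Vista+)
    $out = auditpol /get /category:"Object Access" 2>$null
    if (-not $out) { return $false }          # auditpol absent (XP) -> report as off
    return (($out -join "`n") -match 'Success')
}

# Summary for this host; feed the objects into a CSV from a logon script
# to cover the whole estate (hypothetical deployment, not shown here).
$atTasks = Get-AtStyleTasks
$report = New-Object PSObject -Property @{
    Host                = $env:COMPUTERNAME
    MS08_067_Present    = Test-Ms08067Patch
    AutoRunDisabled     = Test-AutoRunDisabled
    ObjectAccessAudited = Test-ObjectAccessAuditing
    AtTaskCount         = $atTasks.Count
}
$report | Format-List Host, MS08_067_Present, AutoRunDisabled, ObjectAccessAudited, AtTaskCount
$atTasks | Format-Table -AutoSize
```

Any host with AtTaskCount greater than zero, AutoRun still enabled, or the patch missing on XP is a candidate for the scan and Risk Tracer steps that follow in the plan.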