Obliterating downadup from our network
Updated: 21 May 2010 | 9 comments
This issue has been solved. See solution.
Hi everyone,
In April, our network became infested by the Downadup.B worm. We took all measures that were listed on the worm's info site, and every computer and server on the network has the MS vulnerability patch on it. All computers are scanned daily, and random computers are still getting the worm appearing in the scans. The worm is removed from those computers, but then appears on a different computer another day. I thought the patch was supposed to stop the worm from spreading?
Comments
You have some rogue machine on your network, an unpatched machine, or the virus exists on a USB drive.
What would be the best way to track down this machine using Endpoint? We have 250 machines on our network and most are not accessible during work hours, so doing them all manually isn't a viable option.
https://www-secure.symantec.com/connect/forums/w32downadup
Using IPS or Risk Tracer you can find the unpatched system.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Done that, found the main attacker, but it is definitely already patched...? What else could be allowing the worm to spread?
Since it is a worm, there could be another system in the network that is spreading the infection.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
But this is the computer that has been the source of 22 attacks in the last couple of months; it has to be spreading it somehow.
1. Remove this computer from the network.
2. Disable autorun on it.
3. Apply Rapid Release definitions and scan this machine in safe mode.
4. Clear out the %temp% folder, C:\Windows\Temp and Temporary Internet Files (or just delete all cookies, files etc.).
5. Enable SEP with all the features installed on it with the latest defs, then connect it back to the network.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
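The scriptable parts of the cleanup list above (step 2, disable autorun; step 4, clear the temp locations) as an added example for one Windows host; this is not code from the thread or from Symantec, and steps 1, 3 and 5 remain manual. It assumes the standard NoDriveTypeAutoRun policy value and the usual XP and Vista/7 temp paths, and is meant to be run elevated after the host is off the network.

```powershell
# Added example: apply step 2 and step 4 of the cleanup list on the local host.
$ErrorActionPreference = 'Continue'

# Step 2: disable AutoRun for every drive type (0xFF) in both the machine and
# the user policy key, so it holds regardless of which hive Explorer consults.
$policyKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

# Verify the value actually landed before trusting the step as done.
foreach ($key in $policyKeys) {
    $val = (Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun').NoDriveTypeAutoRun
    '{0}: NoDriveTypeAutoRun = 0x{1:X2}' -f $key, $val
}

# Step 4: empty the temp locations named in the post. Paths that do not exist
# on this Windows version are skipped; items locked by a running process are
# reported instead of aborting the whole pass (a locked file is itself a hint
# that something is still running and worth a look).
$tempDirs = @(
    $env:TEMP,
    "$env:SystemRoot\Temp",
    "$env:USERPROFILE\Local Settings\Temporary Internet Files",        # XP layout
    "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files"     # Vista/7 layout
)
foreach ($dir in $tempDirs) {
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue | ForEach-Object {
        try   { Remove-Item -Path $_.FullName -Recurse -Force -ErrorAction Stop }
        catch { 'Skipped (in use): {0}' -f $_.TargetObject }
    }
}
```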
How to beat W32.Downadup infections - Outbreak Scenario
Hi everyone,
I've been solving virus infection problems for a long time, and W32.Downadup has a complete chapter. I've added a new article called (How to beat W32.Downadup infections - Outbreak Scenario):
https://www-secure.symantec.com/connect/articles/how-beat-w32downadup-infections-outbreak-scenario
If you have any comments/issues, you are welcome to speak.
Authorized Symantec Consultant - Symantec Certified Specialist - Experts-Exchange Certified Guru
Please don't forget to mark your thread solved.
If you have found the 'main' machine, a clean/delete/removal may not be 'deep enough'; there may still be traces of it that can spawn again. You may need to rebuild the machine (drastic, but you will be sure it is clean). If you have a PC build, it should be straightforward enough?