w32.downadup.b
Updated: 21 May 2010 | 6 comments
Dear All,
Help me please.
On our server (Windows Server 2003) we have already installed Symantec 10.1,
but it always detects w32.downadup.B and w32.downadup!Autorun.
Until now it still shows up, but the action is "cleaned up deletion".
I have already installed the Microsoft patch and already tried using FixDownadup.exe, but it reports "not found".
I have already updated with the latest definition files.
Comments
Hi! w32.downadup.B and w32.downadup are all over your network; they are scattered on the clients.
I would suggest that you make a policy for the clients that will scan, clean and delete it.
Tip: in the notification settings, uncheck the display of the Auto-Protect result dialog, then check "terminate the process automatically" and "stop services automatically".
I suggest those things because it is annoying; it will pop up every time they are detected.
Hope it helps you.
Regards,
Marvin
w32.downadup - a.k.a. Conficker
Hi Doris,
w32.downadup, or Conficker, is a well-known network worm which spreads itself via the NetBIOS service as well as the RPC remote code execution service, and it is really hard to catch and clean. I would suggest that you go through the following article posted by Symantec: http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99.

I've been cleaning Conficker on big networks and I can definitely say that if you have a firewall on your client machines you can clean it faster than without one. It basically attaches a DLL library to a Windows system process, svchost.exe or system.exe, and you can verify this if you open Task Manager. It also opens a high number of consecutive ports (above 10000), and if you open a command prompt and type netstat -a you'll get 4-5 screens of open ports to unknown domains (it's its update mechanism).

It's a network worm, and if you have failed to clean more than one machine, all clean machines will be reinfected. So if you initiate a simultaneous scan of your machines, clean the infection, then restart all of them and initiate another scan, this would pretty much clean the payload. But you need to follow the instructions from Symantec's article. Let me know how you are progressing and maybe I can help you clean the infection.
System Integration Engineer
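As an added illustration of the netstat check Chris describes (this is not code from the thread or from Symantec), the script below parses constructed `netstat -ano` output (the `-o` switch adds the owning PID column on Windows XP/2003) and flags any PID with an unusual number of high local ports to many different remote hosts. The sample rows, addresses and the PID 1044 are all made up; the threshold is a heuristic you would tune for your environment.

```python
import re
from collections import defaultdict

# One `netstat -ano` row: proto, local addr:port, foreign addr:port (or *:*),
# optional TCP state (UDP rows have none), owning PID.
ROW_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)

def parse_netstat(text):
    """Return (proto, local_port, foreign_host, state, pid) for each connection row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # header and blank lines do not match
            proto, _laddr, lport, faddr, _fport, state, pid = m.groups()
            rows.append((proto, int(lport), faddr, state or "", int(pid)))
    return rows

def high_port_counts(rows, min_port=10000):
    """Distinct local ports above min_port per PID (the heuristic from the thread)."""
    ports = defaultdict(set)
    for _proto, lport, _faddr, _state, pid in rows:
        if lport > min_port:
            ports[pid].add(lport)
    return {pid: len(p) for pid, p in ports.items()}

def suspicious_pids(rows, min_port=10000, threshold=50):
    """PIDs at or above threshold -> (high_port_count, distinct_foreign_hosts).
    Map PID to image name with `tasklist` before acting; svchost.exe is a host
    process, so the flagged PID is the one to inspect, not svchost itself."""
    counts = high_port_counts(rows, min_port)
    hosts = defaultdict(set)
    for _proto, lport, faddr, _state, pid in rows:
        if lport > min_port:
            hosts[pid].add(faddr)
    return {pid: (n, len(hosts[pid])) for pid, n in counts.items() if n >= threshold}

def build_sample():
    """Constructed netstat -ano output: normal rows plus one noisy PID (1044)."""
    header = ["Active Connections", "", "  Proto  Local Address  Foreign Address  State  PID"]
    normal = [
        "  TCP    0.0.0.0:135      0.0.0.0:0        LISTENING    912",
        "  TCP    0.0.0.0:445      0.0.0.0:0        LISTENING    4",
        "  TCP    192.0.2.10:1025  192.0.2.1:445    ESTABLISHED  4",
        "  UDP    0.0.0.0:500      *:*                           680",
    ]
    # 60 outbound attempts on consecutive high ports to 60 different hosts (constructed)
    noisy = [f"  TCP    192.0.2.10:{10100 + i}  198.51.100.{i % 200 + 1}:80  SYN_SENT  1044"
             for i in range(60)]
    return "\n".join(header + normal + noisy)

if __name__ == "__main__":
    for pid, (n_ports, n_hosts) in suspicious_pids(parse_netstat(build_sample())).items():
        print(f"PID {pid}: {n_ports} high ports to {n_hosts} remote hosts")
```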
Nice info shared, Chris. Microsoft updates are really necessary for removing Conficker from the network.
Regards,
Ajit Jha
Technical Consultant
STS
MBSA
The Microsoft Baseline Security Analyzer is very, very useful for Conficker/Downadup and other virus prevention.
It checks for weak passwords on user accounts and does a better job than Windows Update of making sure you have all your updates.
http://technet.microsoft.com/en-us/security/cc184923.aspx
Check the actual path where the worm was found. That could give you a hint. Also block the ports that Downadup uses to propagate. Although I could be wrong here, the malware writers are probably looking for another port to exploit as we speak. There's a PDF on this site, I forgot where... maybe someone will post the link here for you.
“Your most unhappy customers are your greatest source of learning.”
Apply the MS08-067 patch across the network.
Ajit
Regards,
Ajit Jha
Technical Consultant
STS