W32.Downadup.B
I have just inherited a network (our IT guy up and left because it was too hard or he was too lazy; I think it was the latter, personally) that is infected with W32.Downadup.B. We are currently running Sym Antivirus Corp 8.1.0.825.
OK, when you stop laughing, can anyone give any advice on how I can get rid of it? Most of our workstations and servers are infected and I cannot seem to get rid of it. I have tried every tool and option I can find on the web. I have installed the security patches that MS recommends, KB958644 / KB971029.
I have tried the tool from the Symantec website (d.exe) and the MS Malicious Software Removal Tool. The antivirus software quarantines it or deletes it depending on the settings, but it just keeps popping up.
If anyone can point me in the right direction it would be much appreciated.
PS I have already organised a quote to go to SEP 11
Thanks in advance
Comments
Hi,
Follow this discussion:
https://www-secure.symantec.com/connect/forums/w32downadup
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
There has to be one or more computers in your network that do not have the MS patch installed, or do not have the Symantec antivirus installed. Please verify this.
If you have the patch installed, and SAV has the latest definitions, on ALL your computers, Downadup cannot exist in your network!!!
-VKalani
Check the following articles:
Title: 'Simple steps to protect yourself from the Conficker Worm'
Document ID: 2009033012483648
Web URL: http://service1.symantec.com/support/ent-security....
Title: 'Security Tip: How to Determine if a Specific Microsoft Hotfix Has been Installed?'
Document ID: 2009060114534048
Web URL: http://service1.symantec.com/support/ent-security....
Make sure all MS patches/updates are installed.
AV software has latest definitions.
Thanks & Regards,
Mudit Kumar
How many PCs/servers are we talking about overall?
I would disable autorun and patch each machine for Conficker.
Problem is you are already infected so if you disinfect without patching, the machine will just get re-infected.
Run the Conficker Removal Tool from Symantec:
http://www.symantec.com/security_response/writeup....
But patch the machines first.
With SEP you can use Risk Tracer to determine the culprit, so getting SEP asap would be good, but obviously it won't help you here.
Endpoint Knowledge Base
Security Best Practices
Will be Difficult with SAV 8... Recommendations
Hi Diceman,
>We are currently running Sym Antivirus Corp 8.1.0.825.
>OK when you stop laughing,
The Diceman always gets a laugh from me. Ford Fairlane was a fun flick. : ) Anyway, on to W32.Downadup....
I recommend examining the SAV risk logs to see what exact action is being taken. Are files being found and successfully removed? And then the same computers re-infected? Or do the logs show "partial removals?" Or do the logs just show a number of successful Auto-Protect detections of W32.Downadup that were being stopped?
Examining those will show which computers are truly infected and which are just reporting "hey, I stopped a W32.Downadup network action!" Isolate the computers that are truly infected by pulling their network cables. (It's generally down to one PC somewhere that has no AV at all, and keeps trying to infect everyone else....) These infected machines can be cleaned, one by one, by running the fixtool or the SERT LiveCD.
Get all MS patches up to date, change all passwords, take measures to protect against open network shares and autorun threats... and, definitely, get SEP with firewall and IDS components onto those computers. Modern threats require a modern suite of protection technologies.
Keep the forum up-to-date with your progress!
Thanks and best regards,
Mick
Another thing you can do is download Nmap and scan your subnets for PCs that may be infected, using the following command in Nmap:
nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d <target>
This will show you PCs that are likely infected and need to be taken off the network and cleaned.
It sounds like even though you've patched, there is still one PC out there attempting to re-infect other machines.
Here is an example of the scan:
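An added example for triaging that scan (this is not code from the post above or from any Symantec or Nmap tool): save the scan with `nmap -oN scan.txt ...`, then run this script over the file. It lists every host that smb-check-vulns reports as likely Conficker-infected or still unpatched for MS08-067, which is the list of machines to pull off the network first. The embedded sample output and host addresses are constructed to resemble the script's output format; they are not real scan results.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample of `nmap -oN` normal output (not real scan data), modelled
# on the per-host block that the smb-check-vulns NSE script prints.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.10.21
Host is up (0.0012s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|   Conficker: Likely CLEAN
|   regsvc DoS: NOT VULNERABLE
|_  SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE

Nmap scan report for 192.168.10.57
Host is up (0.0020s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|   Conficker: Likely INFECTED
|   regsvc DoS: NOT VULNERABLE
|_  SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE

Nmap scan report for 192.168.10.73
Host is up (0.0018s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|   regsvc DoS: NOT VULNERABLE
|_  SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE

Nmap scan report for 192.168.10.99
Host is up (0.0031s latency).
PORT    STATE SERVICE
445/tcp closed microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# Matches "|   MS08-067: ..." and "|_  Conficker: ..." lines inside the script block.
FINDING_RE = re.compile(r"^\|[_ ]\s+(MS08-067|Conficker): (.+)$")


def parse_smb_check_vulns(text: str) -> Dict[str, Dict[str, str]]:
    """Map each scanned host to its MS08-067 and Conficker findings.

    Hosts with no smb-check-vulns output (e.g. port 445 closed) get an empty dict.
    """
    results: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            results[current] = {}
            continue
        m = FINDING_RE.match(line)
        if m and current is not None:
            results[current][m.group(1)] = m.group(2).strip()
    return results


def hosts_to_isolate(results: Dict[str, Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (host, reasons) for hosts that are likely infected or still unpatched."""
    flagged = []
    for host, findings in results.items():
        reasons = []
        if findings.get("Conficker", "").upper().endswith("INFECTED"):
            reasons.append("Conficker: likely infected")
        if findings.get("MS08-067") == "VULNERABLE":
            reasons.append("MS08-067 unpatched")
        if reasons:
            flagged.append((host, reasons))
    return flagged


if __name__ == "__main__":
    # Usage: python triage.py scan.txt   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_OUTPUT
    for host, reasons in hosts_to_isolate(parse_smb_check_vulns(text)):
        print(f"{host}: {'; '.join(reasons)}")
```

Note that with `safe=1` the MS08-067 check itself is skipped (the script reports it as disabled), so only the Conficker fingerprint is used; rerunning without `safe=1` makes the script actively test the vulnerability, which can crash an unpatched host, so do that only on machines you are about to take down anyway.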
It is not a good practice to upgrade an AV program in the middle of an outbreak/infection, but I would suggest that you install SEP 11.0.
In SEP 11 there is IPS, which stops this threat and prevents the threat from ever getting onto a computer in the first place, even if the computer has not been patched.
Symantec AntiVirus 8.1 reached its End of Support Life as of January 31, 2007, as defined in the Symantec Enterprise Technical Support Policy. Therefore virus definition updates are no longer supported for this product.
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
You can also try the Symantec Endpoint Recovery Tool:
Title: 'How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions'
Web URL: http://service1.symantec.com/support/ent-security....
Thanks & Regards,
Mudit Kumar
Use the Risk Tracer if you have the time; I used it to get rid of it. Also schedule some downtime (a weekend) to switch everything off and scan in safe mode with the MRT from Microsoft, and then install the patches: the RPC vulnerability patch and the actual patch against Downadup. It is also good to run the Symantec removal tool in tandem with the MRT.
I did the above over a weekend when my network was hit by it as well. It is good to use the Retina scanner as well; Google it.
Also, for God's sake, do not log onto any machines with domain administrative privs, as the virus steals the Kerberos ticket from you to pass through.
Good luck
MCSA 2003. MCP.MCTS.MCITP. Symantec Certified Specialist.
Thanks for your help, guys. Finally gone.
Now to upgrade to EP 11. Any tips you could give would be appreciated. Do I need to uninstall 8.1 first?
Thanks
I think you do, as SEP will not install over it. I believe SEP will only install over SAV 9.x and 10.x, but nothing lower.
Also, make sure to configure SEP after install as out of the box settings are not strong enough:
Security Response recommendations for Symantec Endpoint Protection settings
http://service1.symantec.com/SUPPORT/ent-security....
Thanks / Untested Migration
Hi Diceman,
Thanks for letting the forum community know that you have successfully removed the infection from your network. Don't forget to give the "thumbs up" to those whose advice was helpful, and to acknowledge the resolution to your thread.
As SAV 8 was an unsupported product when SEP was launched, no testing was done by Symantec to see if SEP installed over it without any issues. It may work perfectly well or there may be trouble. You're best off to try a few test computers and see how it goes. To stick completely "by the book" the recommendation would be to remove SAV 8 before installing SEP.
Thanks again,
Mick
Hi Diceman,
According to your comments, you have taken all possible steps to stop the Downadup infection, but it comes back again and again.
You have scanned the infected machine with the Symantec (D.exe) tool. Did you stop System Restore before scanning?
Yes, disable System Restore as a service, and ensure you delete any of the snapshots.
Do all of this in safe mode.
MCSA 2003. MCP.MCTS.MCITP. Symantec Certified Specialist.