Endpoint Protection

  • 1.  W32.Downadup.B infection

    Posted Jul 02, 2010 07:30 AM
    Hi, one of my SAV clients didn't have the latest defs and got infected with Downadup.B. Later I upgraded the SAV version and definitions, and I can see the error message below in the 7.5 recent client logs. Any idea what this means?
    The present default action is to "block" communications - C:\WINDOWS\system32\lsass.exe

    This client was alerted in webproxy logs for continuously contacting some known malicious links


  • 2.  RE: W32.Downadup.B infection

    Posted Jul 02, 2010 07:40 AM
    Please install the KB 958644 and KB 960714 OS patches on it.
    Scan it in safe mode with antivirus with the latest defs.
    The Downadup removal tool is also a very good tool for removing this virus....


  • 3.  RE: W32.Downadup.B infection

    Posted Jul 02, 2010 07:44 AM

    Title: 'Simple steps to protect yourself from the Conficker Worm'
    Document ID: 2009033012483648
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2009033012483648?Open&seg=ent



  • 4.  RE: W32.Downadup.B infection

    Posted Jul 02, 2010 07:58 AM
    If it's one system, the best thing would be to re-image this system.


  • 5.  RE: W32.Downadup.B infection

    Posted Jul 02, 2010 09:56 AM

    The Downadup.B removal tool can be found here - http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99


    Good luck,
    thomas


  • 6.  RE: W32.Downadup.B infection

    Posted Jul 02, 2010 12:37 PM

    Thanks. I ran the removal tool from Symantec Site. Now it looks like no hits from this machine. Thanks


  • 7.  RE: W32.Downadup.B infection

    Posted Jul 02, 2010 01:20 PM

    Do this!!!!

    Install NTP on all the PCs.
    Do not use weak passwords.
    Do not keep open shares.
    Export NTP logs & check for the event description: [SID: 23179] MSRPC Server Service BO detected. Traffic has been blocked from this application: C:\WINDOWS\system32\ntoskrnl.exe
    Check the remote IP PC.
    Log in to that attacker PC, go to C:\windows\system32 & search for hidden .dll files.
    Note: there should not be any hidden .dll file.
    Use the fixdownadup remover & scan the PC; this will remove the Downadup.b virus.

    Regards...
    Ramji Iyyer
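    The patch check from post 2 and the hidden-DLL check from post 7, as an added triage script that is not from this thread or from Symantec; it assumes an elevated PowerShell 3+ session on the suspect host and only reports, it does not delete anything:

```powershell
# Added example (not from the thread). KB numbers are the ones named in post 2.
$RequiredPatches = @('KB958644', 'KB960714')

function Test-RequiredPatches {
    # Returns the required KBs that Get-HotFix does not report as installed.
    # Caveat: Get-HotFix reads Win32_QuickFixEngineering, which omits updates
    # rolled into a service pack, so an empty result is evidence, not proof.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $RequiredPatches | Where-Object { $installed -notcontains $_ }
}

function Get-HiddenSystem32Dll {
    # Post 7's rule of thumb: no .dll under System32 should carry the Hidden
    # attribute. List any that do, with timestamps for the responder to review.
    $sys32 = Join-Path $env:SystemRoot 'system32'
    Get-ChildItem -Path $sys32 -Filter '*.dll' -Force -File |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

$missing = Test-RequiredPatches
if ($missing) {
    Write-Warning ("Missing patches: " + ($missing -join ', '))
} else {
    Write-Output 'Both patches from post 2 are reported as installed.'
}

$hidden = @(Get-HiddenSystem32Dll)
if ($hidden.Count -gt 0) {
    Write-Warning "$($hidden.Count) hidden .dll file(s) found in System32:"
    $hidden | Format-Table -AutoSize
} else {
    Write-Output 'No hidden .dll files in System32.'
}
```

    Treat any hidden DLL it lists as something to hash and submit to the AV vendor for analysis, not as an automatic verdict; the removal tool linked in post 5 is the supported cleanup path.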



  • 8.  RE: W32.Downadup.B infection

    Posted Jul 02, 2010 05:16 PM

    Hello Joes77,
    and please change the first virus action to delete, not clean. And create scheduled reports for infected PCs.
    Change the administrator password to a complex one. Check your domain admin accounts for weak passwords.
    I hope you can beat it. :)

    Best Regards.
    Fatih