
W32.Downadup.B Removal

Created: 19 Jun 2012 • Updated: 25 Jun 2012 | 13 comments

My network was affected with W32.Downadup.B. I disabled System Restore and ran a full system scan, but it still pops up the virus-affected message. I'm using Symantec Endpoint Protection 11.0.2 on a Windows 2008 R2 server with Win7 clients. Any help?

I checked the virus properties in the Symantec risk log to find the source computer, then isolated the source computer after removing the virus from it.

Comments (13)

pete_4u2002

Did you run the scan in safe mode?

Have you updated the system with the latest patch?

reference: https://www-secure.symantec.com/connect/forums/conficker-malware


Best Practice for Downadup.B and Additional information on the same.

https://www-secure.symantec.com/connect/articles/best-practice-downadupb-and-additional-information-same

Downadup (Conficker) is quite an old virus. If all machines are patched and updated with the newest virus definitions, you should be safe. However, there are a few things to be verified. This is well described in the following document:

Simple steps to protect yourself from the Conficker Worm

http://service1.symantec.com/support/ent-security.nsf/docid/2009033012483648

Work on the Plan of Action given below for a 100% result.

Plan of Action:

1) Make sure ALL computers have Symantec EP installed and updated with the latest virus definitions, and

2) Install the MS08-067 patch [KB 958644] on ALL computers.

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

3) Install ALL the latest Microsoft security patches / service packs on ALL machines

4) Disable AutoPlay with GPO

http://support.microsoft.com/kb/953252

5) Disable Scheduled Tasks with GPO

http://support.microsoft.com/kb/310208

6) Enable Security Auditing with GPO

http://support.microsoft.com/kb/300549

7) Scan ALL the machines...

8) Enable Risk Tracer

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/be1edccb0e39927280257363003a2bb3?OpenDocument

In case we don't have Network Threat Protection installed on the machines, we could try NMAP (http://insecure.org/)

NOTE: NMAP is not supported by Symantec. However, it has proved to be effective.

NOTE: *ALL means ALL client machines and server machines (make sure you don't miss any machine)
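Two of the Plan of Action items, the MS08-067 hotfix (KB958644) and the AutoPlay GPO, can be verified remotely before trusting that "ALL" really means all. The following PowerShell audit is an added example, not code from the thread or from Symantec; it assumes the account running it is a local admin on each target, that the Remote Registry service is running there, and the host names are constructed placeholders.

```powershell
# Added example (not code from the thread): audit hosts for Plan-of-Action
# steps 2 (MS08-067 hotfix KB958644 installed) and 4 (AutoPlay disabled).
# Assumptions: the account running this is a local admin on each target and
# the Remote Registry service is running there. Host names are constructed.
$Computers = @('SRV-DC01', 'WKS-0042', 'WKS-0043')

function Test-DownadupHardening {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    # Step 2: Get-HotFix queries Win32_QuickFixEngineering on the remote host.
    # It errors when the KB is absent or the host is unreachable; both count
    # as "not verified" here, so an unreachable host still shows up in the report.
    $patched = $false
    try {
        $patched = [bool](Get-HotFix -Id 'KB958644' -ComputerName $ComputerName -ErrorAction Stop)
    } catch { $patched = $false }

    # Step 4: the "Turn off AutoPlay" computer policy for all drives writes
    # NoDriveTypeAutoRun = 0xFF under Policies\Explorer (see KB953252).
    $autoRun = $null
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer')
        if ($key) { $autoRun = $key.GetValue('NoDriveTypeAutoRun') }
    } catch { $autoRun = $null }

    New-Object -TypeName PSObject -Property @{
        Computer           = $ComputerName
        MS08_067_Patched   = $patched
        NoDriveTypeAutoRun = $autoRun
        AutoPlayDisabled   = ($autoRun -eq 0xFF)
    }
}

# Report only the hosts that still fail a check; an empty table means every listed host passes.
$Computers |
    ForEach-Object { Test-DownadupHardening -ComputerName $_ } |
    Where-Object { -not $_.MS08_067_Patched -or -not $_.AutoPlayDisabled } |
    Format-Table Computer, MS08_067_Patched, AutoPlayDisabled, NoDriveTypeAutoRun -AutoSize
```

A passing AutoPlay check only means the policy value is set; as KB953252 explains, older hosts need that update before the registry value is actually enforced, so step 3 (all Microsoft patches) is still required.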

Mick2009

Hi smdeva,

Ensure that your network shares are secured with strong passwords and that all users have strong passwords.  That's a very effective way of stopping one of this threat's methods of infection.

"symantec endpoint protection 11.0.2"

As soon as this outbreak is over, upgrade away from that very old version to SEP 11 RU7 MP2.  SEP 11 MR2 has known issues and vulnerabilities.

Also: ensure that SEP's optional IPS component is being used in your network.

Please do keep this thread up-to-date with your progress!

With thanks and best regards,

Mick

cus000

As mentioned by others, you'll need to cover all machines in your network (OS patching & AV protection).

No shortcut to it, I guess... Downadup is still king in the malware world.

Still top 10 as per the last Symantec report.

cemilebaşak

As Mick mentioned you need to upgrade your SEP.

I faced the same issue at the beginning of the Downadup outbreak and I solved it by upgrading my SEP, because some features do not run on 64-bit with SEP 11.0.2.

I advise you to upgrade to 12.1 RU1 MP1 as soon as possible.

Regards,

Cemile Denerel BAŞAK

Note: Please mark as solution if it helps you.

Mick2009

One bit of advice:

Please don't upgrade a computer that is currently under attack. It's a bit like tearing down the fortress to build a castle in the middle of a battle... there's a good chance that the baddies will take advantage of the time when the defences are lowered.

If the computer is isolated and cleaned and shows no signs of infection, it's safe to upgrade at that point and add it back to the network.

Hope this helps!

Mick

With thanks and best regards,

Mick

smdeva

Thank you all for the valuable suggestions. I removed the virus.

Mick2009

Is there any advice or experience that you can pass on to other admins in this situation, smdeva?  What steps or action proved most important?

(If time allows, can you also mark this thread as complete rather than "needs solution"?)

Cheers again! :)

With thanks and best regards,

Mick

nash191@gmail.com

Hello,

Can you please let me know the steps for removing this virus, as I am also facing this type of issue. Here I am attaching a snapshot of the detected risk. I have tried everything, but there is no result.

Request you to please help me out with this issue.

_Brian

Don't forget to apply the patch for it.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Fabiano.Pessoa

Hi,

Surely this will help you

http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99

Fabiano Pessoa

Systems Analyst - Forensic Expert

Fabiano.Pessoa

Also use this tool; it is from Symantec.

http://ultradownloads.com.br/download/Symantec-W32Downadup-Removal-Tool/

Fabiano Pessoa

Systems Analyst - Forensic Expert

smdeva

Find out the source computer spreading the virus, then isolate that computer to remove the virus. To do this, right-click the virus, then click Properties in the View Quarantine tab.

22Aug

Hi,

Risk tracer will help to identify the source, have you enabled it?