Last couple of weeks we see more and more infections of downadap, Kido and the most known Conficker.
These virusses spread around very easy and they are now reaching the high thread level.
In this article I explain you how to find out if you are infected, how to stop the spread and how you can use Symantec to get rid of it.
First of all: are you infected?
we need to find out if we are. Follow the steps carefully to make sure you did not missed anything.
If you run Symantec endpoint or antivirus protection you see messages stating that you are infected. The antivirus isolates the virus but can not block it completely. This is because the code uses a protected system dll to run.
Messages you can see are:
- Net-Worm.Win32.Kido
- W32/Conficker.worm.gen
- Worm.Conficker
- W32.Downadup
- W32/Downadup.AL
- W32/Confick-A
- Win32/Conficker.A
- Mal/Conficker
You can also see if your computer is infected because services are not starting or you have connection problems.
Automatic updates for Microsoft or your anti-virus product repeatedly fail?
Windows Defender cannot update
Random errors about "svchost?"
Unable to browse to certain security-related web sites?
Windows services failing are unable to start?
wuauserv: Windows Automatic Update Service
BITS: Background Intelligent Transfer Service
wscsvc: Windows Security Center Service
WinDefend: Windows Defender Service
ERSvc: Windows Error Reporting Service
WerSvc: Windows Error Reporting Service
Eventually you are unable to connect to antivirus and security product domains containing the following:
cert.
sans.
bit9.
vet.
avg.
avp.
nai.
windowsupdate
wilderssecurity
threatexpert
castlecops
spamhaus
cpsecure
arcabit
emsisoft
sunbelt
securecomputing
rising
prevx
pctools norman
k7computing
ikarus
hauri
hacksoft
gdata
fortinet
ewido
clamav
comodo
quickheal
avira
avast
esafe
ahnlab
centralcommand
drweb
grisoft
eset
nod32 f-prot
jotti
kaspersky
f-secure
computerassociates
networkassociates
etrust
panda
sophos
trendmicro
mcafee
norton
symantec
microsoft
defender
rootkit
malware
spyware
virus
If this is the case probably you have the infection.
Step two: determine how the virus spreads.
The virusses spreads in four known way's:
- By exploiting an unpatched Windows PC connected to a network.
- Brute force dictionary attack against administrator password cracking a weak password.
- By an infected mapped/removable drive stick ("thumb drive").
- Using Windows scheduled tasks and Autorun to reinfect cleaned PCs.
Once it finds a victim, it:
- Copies itself into the Windows system folder (e.g. C:\Windows\System32).
- Modifies the Windows registry.
- Changes access rights and registry keys so users can't change or delete them.
- Sets itself to restart when Windows starts.
- Connects to a public IP address site (for example http://www.getmyip.org/) to find the IP address of your computer.
- Downloads modified versions of itself from a long list of web sites - based on time and date and difficult to predict.
- Starts a web server on a random port of your PC to host a copy of the modified worm.
Step three. Stop it from spreading around
I already wrote an article on that. Go to:
https://www-secure.symantec.com/connect/articles/conficker-stop-it-block-it
Read this first.
Step four. get rid of it. Clean it. destroy it.
Automatic cleaning can be done by various tools. I have very good results of the Symantec tool: http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99
If that does not help you have to do it manually.
This is the heaviest part. In this you need to follow the steps very carefully.
First of all you have to stop system restore. If system restore is left on, the infection will be able to start again.
For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
Stop system restore in Windows ME: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239?OpenDocument&src=sec_doc_nam
Stop system restore in Windows XP, Vista and Windows 2003: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
After system restore si stopped you have to update your Symantec Antivirus to the latest level. But when you encounter problems with the automatic update you need to update the client by a Symantec antivirus console or a Symantec Endpoint protection console. The consoles are not stopped from the virus and this enables you to update your antivirus to the latest level.
At home where you probably do not have a console you have two options:
First is to use the automatic removal tools. Alway's make sure you stopped system restore!
The second method is to start your client in safe mode. In safe mode Windows will not start the service of these virusses and that enables you to update your engine and antivirus patterns.
The next step is to do a full file and system scan. make sure you have no exclusions in this. It has to be a full scan. Follow the guidelines that the fullscan gives when the infection is found.
Finnaly you have to perform a step that I do not really recommend, but it needs to be done.
NOTE: Making mistakes or other changes in the register can stop your computer from working. Only do this if you are 100% sure you understand that this can harm your computer.
To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617?OpenDocument&src=sec_doc_nam
Click Start > Run.
Type regedit
Click OK.
Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal. The link to the tool is: http://www.symantec.com/security_response/writeup.jsp?docid=2004-050614-0532-99
Navigate to and delete the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PATH OF WORM EXECUTABLE]"
Exit the Registry Editor.
Note: If the risk creates or modifies registry subkeys or entries under HKEY_CURRENT_USER, it is possible that it created them for every user on the compromised computer. To ensure that all registry subkeys or entries are removed or restored, log on using each user account and check for any HKEY_CURRENT_USER items listed above.
Last but not least:
I can never express enough how important it is to keep your antivirus patterns up to date. specially in Company's you have to make sure that your management console for your antivirus protection is completely up to date. Do not think: It will not hit on me. Once a while everybody will face this. Even the best technicians will drive crazy when an infection hits on them.
For home users: There are a lot of free antivirus programs. These antivirus programs are really good and protect you from a lot of damage.
BUT: The reason why antivirusprograms normally costs 40 to 50 dollars is because it cost a lot of time to stay up to date. The free antivirus solutions are not alway's able to prevent you from the newest infections.
If you want to be really save: Do like we do. Spend a few bucks and keep a clean machine.