Endpoint Protection

  • 1.  Best Practice for cleaning downadup on winsvr2003

    Posted May 22, 2012 08:24 AM

    Dear All,

    We have 1 server with SEP 10.0.2010.25 installed; currently that server is infected with a virus named Downadup. I already tried the Symantec Downadup removal tool yesterday, but it still didn't work; the virus still occurs in quarantine.

    Please share the best practice for removing this virus, from those who already have experience with this case.

    Data:

    1. Server running Windows Server 2003 Standard Edition SP3

    2. Server has SEP 10.0.2010.25 installed

    3. There are a lot of unknown scheduled tasks named at1 till at10

    4. The rundll32 process is running several times, which takes up memory

    5. CPU load reaches 100%

    As far as I know this is not a new virus, but I still can't remove it.

    I'd appreciate it if I can get the answers ASAP, many many thanks.

     

    Cheers and Regards

    Wandi Budiman

    Attachment(s): Screenshot.zip (168 KB)


  • 2.  RE: Best Practice for cleaning downadup on winsvr2003

    Broadcom Employee
    Posted May 22, 2012 09:10 AM

    Simple steps to protect yourself from the Conficker Worm

    http://www.symantec.com/docs/TECH93179

    Also check the links within this link.

     



  • 3.  RE: Best Practice for cleaning downadup on winsvr2003

    Posted May 22, 2012 09:22 AM

    One thing you should understand about Conficker / Downadup: if there is even one machine without the MS patch or the right definitions, it will be affected, and it tries to affect other machines in the network.

    The pop-ups you receive on the machines are a result of Symantec successfully blocking these attacks (these are machines that are patched). These are not affected machines, in fact.

    You have to enable Risk Tracer / NMap (also recommended for Downadup) to trace the attack. This will point you to the machine which is affected. You have to run the Downadup removal tool on this machine.

    This will fix your issue.

    http://www.symantec.com/business/support/index?pag...

    https://www-secure.symantec.com/connect/blogs/w32d...

     

    Note that traditional virus troubleshooting like LPDU and scanning may not help in effectively combating Downadup.

    Hope this helps.

    https://www-secure.symantec.com/connect/forums/conficker-malware

     



  • 4.  RE: Best Practice for cleaning downadup on winsvr2003

    Broadcom Employee
    Posted May 22, 2012 11:26 AM

    Hi,

    W32.Downadup, also known as Conficker by some news agencies and antivirus vendors, is an extremely interesting piece of malicious code and one of the most prolific worms in recent years. It has an extremely large infection base – estimated to be upwards of 3 million computers - that have the potential to do a lot of damage.

    This is largely attributed to the fact that it is capable of exploiting computers that are running unpatched Windows XP SP2 and Windows 2003 SP1 systems. Other worms released over the past few years have largely targeted older system versions, which have an ever-decreasing distribution.

    Check the Symantec notes & run the removal tool.

    http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99



  • 5.  RE: Best Practice for cleaning downadup on winsvr2003

    Trusted Advisor
    Posted May 22, 2012 12:37 PM

     

    Hello,

    Here is the Documentation on the W32.Downadup (Symantec) aka Conficker (Microsoft)

    Best Practice for Downadup.B and Additional information on the same.

    https://www-secure.symantec.com/connect/articles/best-practice-downadupb-and-additional-information-same

    Downadup (Conficker) is a quite old virus. If all machines are patched and updated with the newest virus definitions you should be safe. However, there are a few things to be verified. This is well described in the following document:

    Simple steps to protect yourself from the Conficker Worm

    http://service1.symantec.com/support/ent-security.nsf/docid/2009033012483648

    Work on the Plan of Action as given below for a 100% result.

    Plan of Action:

    1) Make sure ALL computers are installed with Symantec EP with the latest / updated virus definitions, and

    2) Install the MS08-067 patch download [KB 958644] on ALL computers.

    http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    3) Install ALL latest Microsoft Security Patches / Service Packs on ALL machines

    4) Disable Autoplay with GPO

    http://support.microsoft.com/kb/953252

    5) Disable Scheduled Tasks with GPO

    http://support.microsoft.com/kb/310208

    6) Enable Security Auditing with GPO

    http://support.microsoft.com/kb/300549

    7) Scan ALL the machines...

    8) Enable Risk Tracer

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/be1edccb0e39927280257363003a2bb3?OpenDocument

    In case we don't have Network Threat Protection installed on machines, then we could try NMAP (http://insecure.org/)

    NOTE: NMAP is not supported by Symantec. However, it has proved to be effective.

    NOTE: *ALL means ALL client machines and server machines (make sure you don't miss any machine)

    Similar Threads: 

    https://www-secure.symantec.com/connect/forums/w32downadupb-how-could-you-find-source-if-there-are-1k-infected

    https://www-secure.symantec.com/connect/forums/w32downadupb-5

    https://www-secure.symantec.com/connect/forums/account-lockdown-pertaining-domain-controller

    Hope that helps!!
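    The plan of action above is a checklist; as an added example (not from this thread, Symantec or Microsoft), here is a read-only PowerShell triage script that verifies the host-side items on a single Windows machine: whether KB958644 (MS08-067) is installed, whether Autoplay is disabled by policy, whether At1..AtN scheduled tasks like the ones in the first post exist, how many rundll32 instances are running, and the state of the Task Scheduler service. It assumes PowerShell 2.0 or later and local administrator rights; the registry value 0xFF for NoDriveTypeAutoRun is Microsoft's documented "disable AutoRun on all drive types" setting, and everything else (task names, KB number) comes from the thread.

```powershell
# Added triage script, not part of the original thread. Read-only: it only
# reports, it changes nothing. Assumes PowerShell 2.0+ and admin rights.

function Get-DownadupTriageReport {
    $report = @()

    # 1) MS08-067 patch (KB958644) present? Win32_QuickFixEngineering lists hotfixes.
    $hotfix = Get-WmiObject -Class Win32_QuickFixEngineering |
        Where-Object { $_.HotFixID -match '958644' }
    if ($hotfix) { $report += 'OK       KB958644 (MS08-067) is installed' }
    else         { $report += 'MISSING  KB958644 (MS08-067) not found; patch before reconnecting the network' }

    # 2) Autoplay policy: NoDriveTypeAutoRun = 0xFF (255) disables AutoRun on all drive types.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autorun = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($autorun -eq 255) { $report += 'OK       NoDriveTypeAutoRun = 0xFF (AutoRun disabled)' }
    else                  { $report += "WARN     NoDriveTypeAutoRun is '$autorun' (expected 0xFF)" }

    # 3) Scheduled tasks named At1, At2, ... (the 'at1 till at10' entries from the first post).
    #    schtasks /query /fo CSV /v prints one CSV row per task; ConvertFrom-Csv parses it.
    #    Newer Windows prefixes the name with a backslash, so the regex allows an optional '\'.
    $tasks = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv
    $atTasks = @($tasks | Where-Object { $_.TaskName -match '^\\?At\d+$' })
    if ($atTasks.Count -eq 0) { $report += 'OK       no At<N> scheduled tasks' }
    else {
        $report += "SUSPECT  $($atTasks.Count) At<N> scheduled task(s) found:"
        foreach ($t in $atTasks) {
            $report += "         $($t.TaskName) -> $($t.'Task To Run')"
        }
    }

    # 4) rundll32 instances and their command lines (the first post reports several).
    $rundll = @(Get-WmiObject -Class Win32_Process -Filter "Name='rundll32.exe'")
    $report += "INFO     rundll32.exe instances: $($rundll.Count)"
    foreach ($p in $rundll) { $report += "         PID $($p.ProcessId): $($p.CommandLine)" }

    # 5) Task Scheduler service state (step 5 of the plan disables it via GPO).
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='Schedule'"
    if ($svc) { $report += "INFO     Task Scheduler service: StartMode=$($svc.StartMode) State=$($svc.State)" }

    return $report
}

# Usage: run from an elevated PowerShell prompt on the host being checked.
Get-DownadupTriageReport | ForEach-Object { Write-Output $_ }
```

    Run it on the infected server first (while the network cable is still unplugged), then on each client; a SUSPECT line for the At<N> tasks or a MISSING line for KB958644 tells you which item of the plan that machine still needs.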



  • 6.  RE: Best Practice for cleaning downadup on winsvr2003

    Posted Jun 07, 2012 08:53 PM

    1. Unplug your network cable.

    2. Use the Symantec Downadup removal tool to scan the whole disk.

    3. Reboot, install the KB958644 patch, and reboot.

    4. Make sure the Downadup virus was cleaned out of your U drive or mobile disk.

    5. Connect your network cable.

    6. Scan your clients following steps 1-3.

    And everything is OK.



  • 7.  RE: Best Practice for cleaning downadup on winsvr2003

    Posted Jun 08, 2012 04:56 AM

    Excellent advice, above.... here's some additional reading to help:

    Symantec.com > Business > Security Response > Security Best Practices
    Symantec Endpoint Protection – Best Practices

    http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

    The one big addition to make is that Downadup spreads by automatically trying weak, common passwords. Strengthening passwords will often stop this threat in its tracks.

    Hope this helps!!