Endpoint Protection

  • 1.  Downadup Again

    Posted Nov 24, 2009 06:20 AM
    Hi everybody.
    I think I have very good experience with Downadup, but today I have a problem. On Friday night a friend (who works in IT) said he couldn't see Symantec Endpoint Protection on the right side (near the clock). Today he started up his computer and we got Downadup attacks like this.

    downadup.jpg

    Then I took his flash disk drive, plugged it into another computer, and we found Downadup and deleted it.
    My OS is Windows 7 and all updates are installed. SEP is currently up to date too. I did these steps:

    1- Disconnected the infected computers from the network
    2- Took back the users' Domain Admins membership and changed passwords (all IT workers too)
    3- Started a full scan on all computers (IT and the whole company)

    Now I have a notification that there are 2 infected files.
    My question is: in the notification window the computer name is my computer name, but the user name is not. This user works in IT and he is a member of Domain Admins.
    Does it mean I have an attack from this user on this computer?
    Because another friend of mine got the same window, but the user name is mine!!!
    What happened?
    Thanks
    Fatih


  • 2.  RE: Downadup Again

    Posted Nov 24, 2009 06:32 AM
    Looks like this has come from an external drive/flash drive [Unknown Storage].
    Once it is detected it says access denied, but later, if you click Next on the notification, you see the action taken as cleaned or deleted, etc.
    The best thing would be to first format the flash drive so that it doesn't infect others.

    It also drops tmp files to the %temp% directory of the logged-in user, so make sure to clean up your temp files in that location.





  • 3.  RE: Downadup Again

    Posted Nov 24, 2009 06:47 AM
    Yes Vikram, you are right. It came from a USB flash drive. I scanned this drive, found autorun.inf and deleted it. Now the flash disk is not used anymore, but we are still getting notifications. Why do these notifications still come?
    Trying to connect to other PCs?
    Thanks


  • 4.  RE: Downadup Again

    Posted Nov 24, 2009 08:37 AM
    After taking out the flash drive, when the notification comes, what location does it show? Sometimes notifications are delayed as well.


  • 5.  RE: Downadup Again

    Posted Nov 24, 2009 09:36 AM

    I am sorry for the late reply, but I was busy finding the problem. At last I found the problem. There were 2 computers on which we forgot to install SEP, and these machines were logged on with Domain Admins users. These two computers were infected with Downadup and used our usernames. Thank you for the reply, I am happy now :)
    Thanks
    Fatih.
     



  • 6.  RE: Downadup Again

    Posted Nov 24, 2009 09:39 AM
    Great... With Downadup the most difficult part is finding the attacking computers; once they are found, the rest becomes easier.


  • 7.  RE: Downadup Again

    Posted Jan 14, 2010 04:38 AM

    Hi everyone,

    I've been solving virus infection problems for a long time, and W32.Downadup has a complete chapter. I've added a new article called "How to beat W32.Downadup infections - Outbreak Scenario":

    https://www-secure.symantec.com/connect/articles/how-beat-w32downadup-infections-outbreak-scenario

    If you have any comments/issues you are welcome to speak