Endpoint Protection


Obliterating downadup from our network

  • 1.  Obliterating downadup from our network

    Posted Nov 24, 2009 06:30 AM
    Hi everyone,

    In April, our network became infested by the Downadup.B worm. We took all measures that were listed on the worm's info site, and every computer and server on the network has the MS vulnerability patch on it. All computers are scanned daily, and random computers are still getting the worm appearing in the scans. The worm is removed from those computers, but then appears on a different computer another day. I thought the patch was supposed to stop the worm from spreading?


  • 2.  RE: Obliterating downadup from our network

    Posted Nov 24, 2009 06:41 AM
    You have some rogue machine on your network, an unpatched machine, or the virus exists on a USB drive.


  • 3.  RE: Obliterating downadup from our network

    Posted Nov 24, 2009 06:42 AM
    What would be the best way to track down this machine using Endpoint? We have 250 machines on our network and most are not accessible during work hours, so doing them all manually isn't a viable option.


  • 4.  RE: Obliterating downadup from our network

    Posted Nov 24, 2009 06:46 AM
    https://www-secure.symantec.com/connect/forums/w32downadup

    Using IPS or Risk Tracer you can find the unpatched system.
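
    An added example, not code from any post in this thread: a PowerShell sweep that checks every host in a list for the MS08-067 patch (KB958644), which closes the vulnerability W32.Downadup exploits over the network, and marks hosts that are offline so they can be rechecked after hours. The host names are constructed placeholders. One caveat a practitioner should keep in mind: a patched host can still be the attacker, because Downadup.B also spreads through ADMIN$ shares with weak passwords and through autorun.inf on USB and mapped drives, so a patch sweep rules out only one of its entry points.

    ```powershell
    # Added example (not from the thread): sweep hosts for the MS08-067 patch
    # (KB958644) that W32.Downadup exploits, and record which ones are missing it
    # or could not be reached. Host names are constructed placeholders; in
    # practice feed the list with Get-Content .\hosts.txt.
    $hosts = @('WS-001', 'WS-002', 'FILESRV01')
    $kb    = 'KB958644'

    $report = foreach ($h in $hosts) {
        $status = 'Unknown'
        if (Test-Connection -ComputerName $h -Count 1 -Quiet) {
            try {
                # Get-HotFix raises an error when the KB is absent; -ErrorAction Stop
                # turns that into an exception we can classify below.
                $fix = Get-HotFix -Id $kb -ComputerName $h -ErrorAction Stop
                $status = if ($fix) { 'Patched' } else { 'MISSING' }
            } catch {
                if ($_.Exception.Message -match 'Cannot find') {
                    $status = 'MISSING'
                } else {
                    # RPC/WMI blocked, access denied, etc.: not proof of patching either way
                    $status = "Error: $($_.Exception.Message)"
                }
            }
        } else {
            # Machines switched off during work hours: rerun the sweep after hours
            $status = 'Offline'
        }
        New-Object PSObject -Property @{ Host = $h; Patch = $kb; Status = $status }
    }

    # Anything not 'Patched' needs a follow-up; keep the CSV as the worklist.
    $report | Sort-Object Status | Format-Table Host, Patch, Status -AutoSize
    $report | Export-Csv -Path .\ms08-067-sweep.csv -NoTypeInformation
    ```

    Run it from a management host with an account that has remote WMI rights; rows marked Offline or Error are the ones to revisit, since an unreachable machine is not a patched machine.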


  • 5.  RE: Obliterating downadup from our network

    Posted Nov 24, 2009 06:56 AM
    Done that, found the main attacker, but it is definitely already patched...? What else could be allowing the worm to spread?


  • 6.  RE: Obliterating downadup from our network

    Broadcom Employee
    Posted Nov 24, 2009 06:59 AM
    Since it is a worm, there could be another system in the network that is spreading the infection.


  • 7.  RE: Obliterating downadup from our network

    Posted Nov 24, 2009 07:02 AM
    But this is the computer that has been the source of 22 attacks in the last couple of months; it has to be spreading it somehow.


  • 8.  RE: Obliterating downadup from our network
    Best Answer

    Posted Nov 24, 2009 08:39 AM
    1. Remove this computer from the network.
    2. Disable autorun on it.
    3. Apply Rapid Release definitions and scan this machine in safe mode.
    4. Clear out the %temp% folder, C:\Windows\Temp and Temporary Internet Files (or just delete all cookies, files etc.).
    5. Enable SEP with all the features installed on it with the latest defs, then connect it back to the network.
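
    An added example, not code from the post above or from Symantec: a PowerShell script, run as Administrator on the suspect machine after the cable is pulled, that carries out steps 1, 2 and 4 of the procedure (the SEP definition update and scan in steps 3 and 5 are done in the SEP console, not scripted here). It also adds two read-only checks drawn from what Downadup.B is known to do on an infected host: it re-launches itself through at.exe scheduled jobs, and it disables the Automatic Updates, BITS, Security Center, Windows Defender and Error Reporting services. The adapter name and the Temporary Internet Files path (an XP/2003 location) are assumptions; adjust them for the machine.

    ```powershell
    # Added example (not from the thread). Run elevated on the suspect host,
    # off the network. Implements steps 1, 2 and 4 of the post above and adds
    # two read-only checks for signs of Downadup.B. The adapter name and the
    # Temporary Internet Files path are assumptions for an XP/2003-era machine.

    # --- Step 1: disable the adapter as well as unplugging the cable ---
    $nic = 'Local Area Connection'     # assumed; list names with "netsh interface show interface"
    netsh interface set interface name="$nic" admin=disabled

    # --- Step 2: disable AutoRun for every drive type (0xFF), machine-wide and per-user ---
    # This blocks the autorun.inf path the worm uses on USB and mapped drives,
    # which does not depend on the MS08-067 patch at all.
    foreach ($root in 'HKLM:', 'HKCU:') {
        $key = "$root\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }

    # --- Step 4: empty the temp locations named in the post (locked files are skipped) ---
    $tempDirs = @(
        $env:TEMP,
        (Join-Path $env:SystemRoot 'Temp'),
        (Join-Path $env:USERPROFILE 'Local Settings\Temporary Internet Files')   # assumed XP/2003 path
    )
    foreach ($d in $tempDirs) {
        if (Test-Path $d) {
            Get-ChildItem -Path $d -Recurse -Force -ErrorAction SilentlyContinue |
                Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
        }
    }

    # --- Check A: Downadup.B re-launches itself through at.exe jobs; review every entry ---
    # A clean workstation normally has no such jobs at all.
    schtasks /query /fo LIST 2>$null

    # --- Check B: services Downadup.B disables; anything 'Disabled' here is suspicious ---
    $watched = 'wuauserv', 'BITS', 'wscsvc', 'WinDefend', 'ERSvc'
    Get-WmiObject Win32_Service |
        Where-Object { $watched -contains $_.Name } |
        Select-Object Name, State, StartMode |
        Format-Table -AutoSize
    ```

    Run the script, then reboot into Safe Mode for the Rapid Release scan (step 3). If either check still shows unexpected at.exe jobs or disabled services after the scan, the clean-up was not deep enough and the machine should be rebuilt rather than reconnected.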


  • 9.  RE: Obliterating downadup from our network

    Posted Jan 14, 2010 04:38 AM

    Hi everyone,

    I've been solving virus infection problems for a long time, and W32.Downadup has a complete chapter. I've added a new article called "How to beat W32.Downadup infections - Outbreak Scenario":

    https://www-secure.symantec.com/connect/articles/how-beat-w32downadup-infections-outbreak-scenario

    If you have any comments/issues, you are welcome to speak.


  • 10.  RE: Obliterating downadup from our network

    Posted Jan 14, 2010 06:39 AM
    If you have found the 'main' machine, a clean/delete/removal may not be 'deep enough'; there may still be traces of it that can spawn again. You may need to rebuild the machine (drastic, but you will be sure it is clean). If you have a PC build, it should be straightforward enough?