MS08-067 : W32.Downadup.B - Jean-Marc, XP Geek !

MS08-067 : W32.Downadup.B

Published Wed, Dec 31 2008 18:00

To everyone who has not yet installed the MS08-067 patch: it is high time to do so...

W32.Downadup.B is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). It also attempts to spread to network shares protected by weak passwords and blocks access to security-related Web sites.

Read the full description: W32.Downadup.B - Symantec.com

Update: the same beast is most likely being discussed HERE.

Update from comments (thanks to Carlo Pagani):

Quick way to kill if you are infected.

1. dir *.* /ahs in \System32 folder

2. If you see a .DLL file (not always .dll) then you are probably infected.

3. Using process explorer, search for the name you see, then close the handle of the file. If you do not find it in process explorer then it is not active yet but proceed to 4 anyway.

4. Take ownership of the file

5. Delete file

6. Check \WINDOWS\TASK for any job file that does not belong there

7. Look for Autorun.inf file in root. If there, take ownership and delete

8. Reboot

9. Enable BITS and Auto update services as the worm disables these.

10. Update windows.
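The manual steps above, automated as read-only checks. This is an added example, not code from the post, from Carlo Pagani or from any tool the thread links; it assumes Windows PowerShell 2.0 or later run from an elevated prompt, and the function names are my own. It only reports (steps 1, 6, 7 and 9, plus the Explorer SHOWALL\CheckedValue indicator that Aleksandar reports further down the thread); taking ownership and deleting stay manual, as in the original steps.

```powershell
# Added triage script (not part of the original post). Read-only: it lists
# the things the manual steps tell you to look at, and changes nothing.
# Assumes Windows PowerShell 2.0+ and an elevated prompt.

function Get-HiddenSystemFiles {
    # Step 1: files in System32 carrying both the Hidden and System attributes,
    # i.e. what "dir *.* /ahs" lists. The worm's DLL is dropped there with these
    # attributes and a random name, so every entry deserves a manual look.
    param([string]$Path = (Join-Path $env:SystemRoot 'System32'))
    $hs = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    Get-ChildItem -Path $Path -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band $hs) -eq $hs) } |
        Select-Object Name, Length, CreationTime, LastWriteTime
}

function Get-JobFiles {
    # Step 6: .job files in the Tasks folder. Compare against what you expect
    # on this machine; the worm's task shows up as a scheduled "AT" job.
    param([string]$Path = (Join-Path $env:SystemRoot 'Tasks'))
    Get-ChildItem -Path $Path -Filter '*.job' -Force -ErrorAction SilentlyContinue |
        Select-Object Name, CreationTime, LastWriteTime
}

function Get-AutorunInf {
    # Step 7: autorun.inf in the root of every file-system drive (hidden or not).
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $candidate = Join-Path $drive.Root 'autorun.inf'
        $item = Get-Item -LiteralPath $candidate -Force -ErrorAction SilentlyContinue
        if ($item) { $item | Select-Object FullName, Attributes, LastWriteTime }
    }
}

function Get-UpdateServiceState {
    # Step 9: BITS and Automatic Updates (wuauserv). The worm disables both,
    # so a StartMode of Disabled on either one is a strong indicator.
    Get-WmiObject -Class Win32_Service -Filter "Name='BITS' OR Name='wuauserv'" |
        Select-Object Name, State, StartMode
}

function Get-ShowAllIndicator {
    # Registry indicator reported by a commenter (Aleksandar) in this thread:
    # the worm sets SHOWALL\CheckedValue to 0. On a clean machine it is 1.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    $v = Get-ItemProperty -Path $key -Name CheckedValue -ErrorAction SilentlyContinue
    if ($v -ne $null) { $v.CheckedValue } else { 'missing' }
}

Write-Host '== Hidden+System files in System32 =='; Get-HiddenSystemFiles | Format-Table -AutoSize
Write-Host '== Job files in the Tasks folder ==';  Get-JobFiles | Format-Table -AutoSize
Write-Host '== autorun.inf in drive roots ==';      Get-AutorunInf | Format-Table -AutoSize
Write-Host '== BITS / Automatic Updates ==';        Get-UpdateServiceState | Format-Table -AutoSize
Write-Host ('== SHOWALL\CheckedValue (expected 1): {0}' -f (Get-ShowAllIndicator))
```

Run it on a suspect machine and on a known-clean one of the same build side by side: the System32 and Tasks listings are only meaningful by difference, while a disabled BITS or wuauserv and a CheckedValue of 0 are indicators on their own.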

Comments

# sawan said on Thursday, January 01, 2009 10:58 AM

How do we override this worm? My Active Directory is at risk.

Kindly mail me if you have any suggestion at stylishsawan@hotmail.com

# Aleksandar said on Friday, January 02, 2009 3:21 AM

My company has been infected. The source of infection remains unknown. It is almost impossible to tell if a PC is infected unless you plug in a clean USB flash drive and then check it on another PC where virus definitions are up to date. We have isolated two servers which spread this worm, but how they got infected remains a mystery. Probably one of the domain admin accounts was compromised. Since we start work on Monday 5th January, I expect a lot of fun :(

# jeanmarc said on Friday, January 02, 2009 4:46 AM

Good luck Aleksandar and sawan !

At my work, I updated more than 70 computers to XP SP2 to avoid this particular issue.

Since I'm in a BIG intranet, I hope my IT co-workers have done the same update on their computers...

# Alan said on Friday, January 02, 2009 6:27 AM

Need 2 things.

1) www.microsoft.com/.../MS08-067.mspx

and

2) latest symantec definition, up to 1/1/2009 ver 5.

Hope this helps.

# Still Broke said on Friday, January 02, 2009 7:41 PM

Fully patched systems (SP3) and the latest DAT... and still issues.

# ad said on Sunday, January 04, 2009 7:04 AM

Some of my computers have been infected... please, I need a solution ASAP.

thanks

# jeanmarc said on Sunday, January 04, 2009 9:45 AM

Hi,

Read the technical description on the Symantec webpage, stop the worm process, then roll back all changes manually. If you can't (probably because the worm protects itself), use a "live CD" to clean your OS "offline". I recommend ERD Commander from MDOP for this kind of problem, but you can also use WinPE from WAIK or any Linux "live" CD.

# Jim said on Monday, January 05, 2009 7:31 AM

Not a solution for 2000 machines infected...

# jeanmarc said on Monday, January 05, 2009 10:44 AM

"Not a solution for 2000 machines infected..."

Clearly...

Good luck.

# BobtheRedSoxfan said on Monday, January 05, 2009 3:52 PM

Infected a bunch of my servers and clients, opened up a ticket with Symantec, they told me that this is a new strain of the W32.Downadup.B worm and that they are working on definitions to address it. They didn't tell me when that would be ready. Removal instructions are vague.

# twin said on Monday, January 05, 2009 7:50 PM

We have been hit as well.

If you get a fix please send to luv_lafs"@"yahoo.com

We are covered - this is a mess.

# jeanmarc said on Tuesday, January 06, 2009 7:42 AM

Hi,

For Downadup.A, F-Secure provides a tool:

www.f-secure.com/.../worm_w32_downadup_a.shtml

# Gt said on Tuesday, January 06, 2009 3:19 PM

Just tried the tool and it did not work.

# jeanmarc said on Tuesday, January 06, 2009 3:35 PM

I just read there is a new tool, also from F-Secure:

www.f-secure.com/.../00001574.html

Hope this helps

# Balazs said on Tuesday, January 06, 2009 3:55 PM

We have many fully patched 2003 servers also infected, up-to-date Symantec and no solution... scheduled task and spread via RPC ADMIN$ across the whole intranet. Need any help.

# BobtheRedSoxfan said on Tuesday, January 06, 2009 4:23 PM

Make sure EVERY system is patched and updated with current antivirus defs.

Download and install Process Explorer and look at all the rundll32 processes to help pinpoint locations.

Make sure it didn't piggyback with the W32.Spybot.Worm virus.

Mine seems to be settling down.

# twin said on Tuesday, January 06, 2009 7:05 PM

It will lock out accounts that have used the ADMIN$ share before - it does a brute force to find the password.

It will disable the BITS and Update services.

Then it creates a scheduled task on the systems.

The scheduled task runs as rundll32."random name".

You can see this service as an exe in Task Manager or some other process explorer.

Scheduled tasks are named "AT".

It looks to piggyback off of several services (services/svchost/others).

These scheduled tasks run at random times; it goes out and finds more systems to infect.

You may clean it up but it protects itself by taking ownership of the files and then sits in memory until the scheduled task kicks off - and infects again.

If you can find the master then you can prevent it from propagating, but it's almost impossible.

We are running the most up-to-date AV defs.

We are running the most up-to-date Cisco Security Agent.

# twin said on Tuesday, January 06, 2009 8:15 PM

Also check here for these attributes:

cd Windows\system32\

attrib *.dll | find "SHR"

# jeanmarc said on Wednesday, January 07, 2009 1:42 AM

I agree with twin.

If your system is patched, then the worm spreads via admin shares and brute-force attacks. You must secure your admin accounts (look at www.symantec.com/.../writeup.jsp to see a list of stored passwords).

# Carlo Pagani said on Wednesday, January 07, 2009 4:45 AM

Quick way to kill if you are infected.

1. dir *.* /ahs in \System32 folder

2. If you see a .DLL file (not always .dll) then you are probably infected.

3. Using process explorer, search for the name you see, then close the handle of the file. If you do not find it in process explorer then it is not active yet but proceed to 4 anyway.

4. Take ownership of the file

5. Delete file

6. Check \WINDOWS\TASK for any job file that does not belong there

7. Look for Autorun.inf file in root. If there, take ownership and delete

8. Reboot

9. Enable BITS and Auto update services as the worm disables these.

10. Update windows.

# jeanmarc said on Wednesday, January 07, 2009 4:52 AM

Thanks Carlo,

On a side note, I use this registry tweak to ignore all autorun.inf files:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

@="@SYS:DoesNotExist"

Works fine on XP & Vista.

# Ri said on Wednesday, January 07, 2009 6:58 AM

Well... we have the same problem here...

We have about 50 servers and ca. 1000 clients... and this damn worm is giving us a big problem...

We patched all clients and servers with WSUS and applied the Norton fix, but the worm is still in our network.

Does anybody have a final solution?

Ri

# smardu said on Wednesday, January 07, 2009 7:14 AM

No solution yet, even symrapidrelease does not solve the problem.

Symantec SUXX. NOD32 detected this mf yesterday.

# Brandon said on Wednesday, January 07, 2009 12:16 PM

We are dealing with it as well; we have it contained in one of our domains, the other is out of control. In the working domain we have been disabling System Restore via VB script, then running the two F-Secure removal tools against it, rebooting the system, then performing a full scan, and they come up clean. The out-of-control domain is reporting .dll files located in Program Files\Internet Explorer on fully patched systems. We believe it's a variant and we're working with our Symantec TAM in hopes of newer defs.

# twin said on Wednesday, January 07, 2009 1:12 PM

I have been working with this for a few days... many 100s of systems (workstations and servers).

Symantec has updated its AV defs and it will get rid of it.

Just make sure "all" systems on your network are patched and updated with defs. Trust me, if you see things still attacking, coming and going, you have not found the root. Some of these attacks will look like internal to a system or a remote attack!

Make sure you shut down Task Scheduler if you can!

Use SEP to disable Autorun features for USB drives.

We had this and it's a mess - a lot of workstations and servers, from NT4 to 2003! I know... some are old.

If you can, take out all mapped drives on a boot - this works with ADMIN$, which is what is propagating the virus.

Also look at ports 445-337-338 on your firewalls to see about traffic - high traffic.

Make sure you are running Symantec version 10 or higher or you have to do a lot of manual work!

# Cristian said on Thursday, January 08, 2009 3:57 AM

Same problem in my company. I use Symantec AntiVirus. I've updated the virus def files manually by downloading them from my home computer (infected computers can't connect to the Symantec or Microsoft web pages) and after 2 restarts it's gone. Good luck.

# Enjolras Marc said on Thursday, January 08, 2009 11:09 AM

The proposed solution works.

Before you do this you should temporarily disable administrative shares (mainly admin$).

If you can, you should remove them definitively:

www.commentcamarche.net/.../sujet-1497-windows-xp-supprimer-les-partages-administratifs

Regards

# Aleksandar said on Thursday, January 08, 2009 12:49 PM

We are still fighting it. I tried to find evidence in the registry that a particular workstation is infected. Since it modifies the value "CheckedValue" with data "0" in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL, I checked most of the PCs and found two with this modified entry. I hope that these two spread the virus through the network. Since Symantec is protecting updated workstations, it reported when the virus file "arrives" in the \system32 folder.

I have analyzed one of the infected PCs. I found 4 virus bodies with various names and extensions but the same file size. It was interesting that there were no entries in the registry that point to any of those files. Also, we had disabled scheduled tasks through policy, so it was empty. The same machine was able to infect a USB flash drive. I am really amazed by this virus. This just shows us that we are at high risk. What if the next versions of this crap start to delete something other than restore points? Thanks and good luck guys.

# ESECAPISCE said on Thursday, January 08, 2009 2:23 PM

Hi to all, we have the same problems... since 4 days... just now I tried to disable and stop the Scheduled Task service; for 30 min I didn't receive any message from the Symantec pop-up.

I'll keep you informed.

# smardu said on Friday, January 09, 2009 5:32 AM

Use the Dr.Web scanner.

It's working.

# Zpizeman said on Friday, January 09, 2009 6:10 AM

Yup. Dr.Web does the job!

# Microsoft Web Seite nicht erreichbar - Seite 5 - MCSEboard.de MCSE Forum said on Friday, January 09, 2009 8:52 AM

Pingback from Microsoft Web Seite nicht erreichbar - Seite 5 - MCSEboard.de MCSE Forum

# ESECAPISCE said on Friday, January 09, 2009 9:00 AM

Use GMER to find the service... disable Scheduled Tasks, start Automatic Updates and BITS.

# sandra said on Monday, January 12, 2009 10:25 PM

Conficker blocking script for ISA 2004, 2006 & TMG

Creates policies to block the conficker virus requests

www.isatools.org/.../block_conficker.vbs

# Parnox said on Monday, January 12, 2009 10:30 PM

Does Dr.Web really work? Has anyone tried it?

My server got infected yesterday and now it's everywhere...

# Balázs said on Wednesday, January 14, 2009 5:59 AM

support.microsoft.com/.../958687

Also available for XP.

# chris tam said on Wednesday, January 14, 2009 11:11 PM

Try using the Symantec W32.Downadup removal tool; it came out yesterday. I have tried it on some of the servers which got infected... it works. Let's give it a try, but you all have to make sure not a single PC outside is the virus carrier; if not, your Active Directory server will get hit again. You could check the AD server for the IP address from Security under Event Viewer; the code should be 539. You could trace the malware from there. Hope this helps. Closing the network ports 445 and 139 will help but it will stop all sharing, which means printers etc.
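The check chris tam describes above (Security event 539, "Logon Failure: Account locked out", on the domain controller) is the quickest way to find which hosts are still brute-forcing ADMIN$. This added example is mine, not from the thread or from Symantec; it assumes a Windows Server 2003-era classic Security log readable with Get-EventLog, and the function name and the sample messages are constructed.

```powershell
# Added example (not from the thread): tally Security event 539 per originating
# host, so the machines still hammering accounts with the worm's password list
# can be pulled off the network first. Assumes a 2003-style classic Security log.

function Get-LockoutSources {
    param([string[]]$Messages)
    # Pull the originating host out of each event message. The 2003-style text
    # carries "Workstation Name:" and, for network logons, "Source Network Address:";
    # prefer the address, fall back to the NetBIOS name when the address is "-".
    $counts = @{}
    foreach ($m in $Messages) {
        $src = $null
        if ($m -match 'Source Network Address:\s*(\S+)' -and $Matches[1] -ne '-') {
            $src = $Matches[1]
        } elseif ($m -match 'Workstation Name:\s*(\S+)') {
            $src = $Matches[1]
        }
        if (-not $src) { $src = '<unknown>' }
        if ($counts.ContainsKey($src)) { $counts[$src] += 1 } else { $counts[$src] = 1 }
    }
    $counts.GetEnumerator() |
        Sort-Object -Property Value -Descending |
        Select-Object @{n='Source'; e={$_.Name}}, @{n='Lockouts'; e={$_.Value}}
}

# Live use on a domain controller (last 24 hours of event 539):
# $msgs = Get-EventLog -LogName Security -InstanceId 539 -After (Get-Date).AddHours(-24) |
#             ForEach-Object { $_.Message }
# Get-LockoutSources -Messages $msgs | Format-Table -AutoSize
# On Vista/2008 and later the classic IDs are gone; the equivalent is event 4740
# read with Get-WinEvent.

# Constructed sample messages (not real log data) so the function can be tried offline.
$sample = @(
    "Logon Failure:`r`n`tReason:`t`tAccount locked out`r`n`tUser Name:`tadministrator`r`n`tWorkstation Name:`tWS-042`r`n`tSource Network Address:`t10.0.5.42",
    "Logon Failure:`r`n`tReason:`t`tAccount locked out`r`n`tUser Name:`tbackup`r`n`tWorkstation Name:`tWS-042`r`n`tSource Network Address:`t10.0.5.42",
    "Logon Failure:`r`n`tReason:`t`tAccount locked out`r`n`tUser Name:`tadministrator`r`n`tWorkstation Name:`tFILESRV01`r`n`tSource Network Address:`t-",
    "Logon Failure:`r`n`tReason:`t`tAccount locked out`r`n`tUser Name:`tadmin`r`n`tWorkstation Name:`tWS-042`r`n`tSource Network Address:`t10.0.5.42"
)
Get-LockoutSources -Messages $sample | Format-Table -AutoSize
```

In the constructed sample, 10.0.5.42 (WS-042) tops the list; on a real DC the host at the top of this table is the one to isolate and triage first, and the table is worth re-running after each clean-up pass to confirm the lockouts actually stop.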

# George said on Monday, January 19, 2009 6:54 AM

To help identify infected machines and remove all components of this worm, including the affected registry values it has changed, try using Promisec Spectator (www.promisec.com); it will help identify any machine with the virus and remove all of its components.

They have helped me at my company and we got rid of it completely. The problem with other Symantec fixes is that some of the remnants reactivate and the problem starts all over again.

Unless you buy Promisec, you can use their professional services to get an audit and clean-up done.

# Phil B said on Tuesday, January 20, 2009 5:15 PM

According to www.downadup.com - a guide to removing this virus - it's also important to disable AutoStart; a whole new infection vector is through USB drives.

# Extremesecurity said on Friday, January 23, 2009 6:00 AM

Did Downadup/conficker attack your network? I've created a batch file for system administrators to clean/patch/cure infected systems in their networks.

Check it out here:

extremesecurity.blogspot.com/.../beat-downadupconficker-like-pro-my.html
