Conficker virus outbreak, oh the joy!

Red Squirrel ([H]F Junkie, joined Nov 29, 2009, 9,211 messages)
So at work we just got a huge outbreak.

We have McAfee so in most cases it caught it but obviously it's coming from somewhere. I found this:

http://support.kaspersky.com/wks6mp3/error?qid=208279973

I'll be pushing out that tool silently through Desktop Authority (can make it run within the next hour).

The flags I'll use are -y -s -f -n -r -j -z -l logfile

Think this will do the trick to clean it? Is there a better tool, or is that one good? Has to be silent.

I think we have this under control, but any tips are appreciated regardless. The joy of IT. The IT manager is still waiting on us to press that magical button that fixes it in 2 seconds. LOL
 
Bet it's being spread by USB. Happened in my school. Was on every PC in the school in less than a week. The removable student hard drives didn't help either if they were infected. It actually hosed my capstone project. Really sucked cuz it got my servers and I had no access to a good AV for a server at the time :( I didn't even realize it myself until I used a USB stick there and took it home and MSE blasted it.
 
Don't think autorun works. In fact if we try to create a file called autorun.inf it just deletes it (not sure if it's the AV that does that or what). We got it through the network most likely. We are very out of date due to all the red tape and the IT manager is reactive, not preventive, so we were never allowed to patch. Fun fun. There are also a lot of "island" PCs that we do not manage so who knows how/if those are protected by anything.

Now we have tons of weird print jobs coming out of all the printers! This is going to be a fun one... I got a new job elsewhere, can't wait to be out of here LOL.
 
If you used OpenDNS, OpenDNS would have stopped it from working or happening. noob. (j/k)
 
Serious though, I recommend you use OpenDNS on your network. They protect against DNS-based/related attacks, Conficker being one of them.

Here is something to help you get started: http://www.hlrse.net/Qwerty/cleanup.html

I recommend doing something along the lines of like http://www.joyunbound.com/2009/07/one-fits-all-solution-for-most-viriimalwarespyware-problems/ and with SUPERAntiSpyware (or whatever), and possibly giving one of those bootable AVs a go (before doing all that).

Make sure you completely uninstall AV on the machine too. Possibility that they have been nuked. Reinstall after the whole cleanup/disinfection process. It would also be wise to permanently disable Autorun on all your machines. Google for how to do it.

Never rely on just one program to disinfect your machine(s).

EDIT: Also, this is why Micro/SD kicks ***! All others were designed by retards (for not including a physical mechanical read-only lock switch).
 
Serious though, I recommend you use OpenDNS on your network. They protect against DNS-based/related attacks, Conficker being one of them.

Or better yet just use any form of decent IDS. I use Snort at home and had Conficker in my security lab just to see what it would do. Snort saw the activity and shut it down pretty much right away. OpenDNS does help, but there are better alternatives.
 
Or better yet just use any form of decent IDS. I use Snort at home and had Conficker in my security lab just to see what it would do. Snort saw the activity and shut it down pretty much right away. OpenDNS does help, but there are better alternatives.
That works too.

Custom pfSense firewall/router + Snort + OpenDNS + SB6120 = win. :D
 
This place is against open source for some reason, so I will never see anything like OpenDNS or pfSense. It's actually pretty bad, all the red tape here in general. There are so many things I would do better otherwise.

I think we isolated it to one machine though, getting some progress.
 
Good luck, Red.

After fixing Conficker, you may want to point out to your IT Manager that 'patches and updates are released for a reason'.

Or: get a new job, :p
 
Your IT manager should be fired. Microsoft released patches in October 2008 to address the Conficker virus. You might want to mention that to him...in front of his boss.
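A quick way to check a box for the two gaps this thread keeps coming back to (the October 2008 patch from the post above, and Autorun still being enabled from the earlier cleanup advice). This is an added example, not something posted in the thread or shipped by any of the tools mentioned. It assumes an elevated PowerShell prompt and that the October 2008 patch is the one Microsoft shipped as MS08-067 / KB958644 (an assumption, since the thread only says "October 2008"); the registry key and value name are the standard Autorun policy location.

```powershell
# Added example (not from the thread): audit one Windows host for the
# October 2008 patch (assumed to be MS08-067, KB958644) and for the
# machine-wide Autorun policy, and disable Autorun if it is still on.
# Assumes: elevated prompt; PowerShell 2.0+ (Get-HotFix, registry provider).

function Test-MS08067Patch {
    # $true if KB958644 appears in the installed-hotfix list.
    $hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

$AutorunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutorunPolicy {
    # Returns the NoDriveTypeAutoRun DWORD, or $null if the policy is unset.
    $item = Get-ItemProperty -Path $AutorunKey -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Disable-Autorun {
    # 0xFF turns Autorun off for every drive type. Safe to run repeatedly.
    if (-not (Test-Path $AutorunKey)) {
        New-Item -Path $AutorunKey -Force | Out-Null
    }
    Set-ItemProperty -Path $AutorunKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

# --- report ---------------------------------------------------------------
if (Test-MS08067Patch) {
    Write-Output 'KB958644 (MS08-067): installed'
} else {
    Write-Output 'KB958644 (MS08-067): NOT FOUND - patch this host before putting it back on the network'
}

$policy = Get-AutorunPolicy
if ($policy -eq 0xFF) {
    Write-Output 'Autorun: already disabled for all drive types (0xFF)'
} else {
    Write-Output ("Autorun: policy is {0}; setting to 0xFF" -f ($(if ($null -eq $policy) { 'unset' } else { '0x{0:X2}' -f $policy })))
    Disable-Autorun
    Write-Output ('Autorun: now 0x{0:X2}' -f (Get-AutorunPolicy))
}
```

Get-HotFix only reports fixes that were installed as individual updates, so on a machine where a later service pack rolled the fix in it can come back empty even though the host is patched; treat a "NOT FOUND" as something to confirm against the OS version, not as proof by itself. The Autorun change takes effect on the next logon.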
 
Good luck, Red.

After fixing Conficker, you may want to point out to your IT Manager that 'patches and updates are released for a reason'.

Or: get a new job, :p

Both have been done. :D I think we're under control though.
 
It's a nightmare virus, I have had 3 contracts and all 3 had this virus! We now cut off all USB access unless it is 100% required (not that often).
 
So is that what it does, it sits dormant for a while? I kinda suspected that. We probably had it for a long time then it decided to spring into action yesterday. Monday we're like the only ones working, so we'll probably push the cleanup tool to all PCs without management knowing so we can eradicate potential other infections that may be dormant.

So can't wait to get out of that sinking ship. The only way out of there was for me to take a lower end position (same pay so I don't care) which hopefully I'll start soon. You know how some customers are just too expensive and too much hassle to keep? Well this is one of those. I don't get why my company sucks up so much to them. The contract is up soon so they'll have to play the signing game again. There will be a lot of genital sucking involved in those meetings; they could take minutes and make it into a porno. LOL
 
So is that what it does, it sits dormant for a while? I kinda suspected that. We probably had it for a long time then it decided to spring into action yesterday. Monday we're like the only ones working, so we'll probably push the cleanup tool to all PCs without management knowing so we can eradicate potential other infections that may be dormant.

So can't wait to get out of that sinking ship. The only way out of there was for me to take a lower end position (same pay so I don't care) which hopefully I'll start soon. You know how some customers are just too expensive and too much hassle to keep? Well this is one of those. I don't get why my company sucks up so much to them. The contract is up soon so they'll have to play the signing game again. There will be a lot of genital sucking involved in those meetings; they could take minutes and make it into a porno. LOL

Yeah it sits and waits. It has the capability to update itself from whoever created it. So it can sit on networks doing nothing for months until its creator starts to update it. To me it looked like something an anti-piracy association will let loose on a torrent network.

That tool will flush it out. Conficker is a small bug compared to Stuxnet, whose driver certificates were signed with JMicron Technology and Realtek digital certificates, which lets it bypass HIPS security measures, so if the malware is executed it will not be prevented by HIPS as the signature of the driver is from authorized firms. Then TDSS is one of the most complex and dangerous malicious program categories in the world, and it continues to evolve, which is scary. It makes Virut look like adware.
 