Posts Tagged ‘Trend Micro’

Update – Conficker, W32.downadup virus

Thursday, January 15th, 2009

This is spreading like wildfire, but from the tests we carried out using an infected USB stick, the F-Secure tool to remove the virus does not work. It reports back that the virus is not detected, but in our tests the same scan using the Trend Micro tool picks it up immediately. Until F-Secure amend their standalone scanner, I would not use it to combat this. More information on F-Secure’s tool is here. I am assuming that F-Secure are not including all variants and need to update it.

Microsoft has also issued a new Malicious Software Removal Tool (KB article 890830), which is released regularly to remove many viruses. However, the main one we are interested in is this:

kb890830

You can deploy this quite easily across your organisation via Group Policy, Microsoft Systems Management Server (SMS) or any other third-party software/update distribution solution such as the one from Altiris. So far, the only products I have encountered which can detect and delete the virus are still McAfee, NOD32 and eTrust. I am not sure about Symantec, as I refuse to use a product that grinds your entire system to a halt. No news on Kaspersky either; our purchase of Kaspersky 2009 is redundant until they release a new definition file.

EDIT – McAfee VirusScan Enterprise

This gets better and better: McAfee VirusScan 7.1 DOES NOT detect Conficker, unfortunately, even with the latest DATs installed. We compared this to our other rig, which uses VirusScan 8.5, and that detects and removes it successfully. So I would suggest upgrading to the 8.5 version if you use McAfee in your organisation. The engine for 8.5 must have a better heuristic detection method.

Another thing to note is that there are (as far as I know) two versions of this worm, W32.downadup.a and W32.downadup.b. The “b” version has the added bonus of spreading via autorun.inf as described in my previous post, so whatever AV solution you use, make sure that it covers both. Sophos will be investigated as a possible solution for some of our rigs; having such a large test environment at my disposal does mean I can test and roll back as many times as I want before we commit.

Conficker virus, aka W32.downadup

Saturday, January 10th, 2009

This little gem has been plaguing corporations all over the world, thanks to a Ukrainian virus writer. Something to do on those cold winter nights, I suppose, when you have no gas.

It acts as a botnet of sorts, and once infected the machine turns into an HTTP server to spread it further. Another method of transportation is via USB drives with autorun enabled. Signs of infection include hundreds of connections to port 445 (SMB); run netstat -on at the command prompt to see them. Also, access to admin shares is lost and other file shares could be affected.
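As an added example (not part of the original post), here is one way to turn that netstat -on check into something you can run across many machines: a small Python script that parses the netstat output and flags any process with many half-open SMB connections to distinct hosts, which is what a worm scanning a subnet for port 445 looks like and what a normal file-share client does not. The sample output and the threshold of three hosts are constructed assumptions.

```python
import re

# Constructed sample of `netstat -on` output (not a real capture): PID 1234 is
# spraying half-open (SYN_SENT) connections to port 445 across two subnets,
# alongside ordinary traffic from other processes.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      192.168.1.20:445       SYN_SENT        1234
  TCP    192.168.1.10:1046      192.168.1.21:445       SYN_SENT        1234
  TCP    192.168.1.10:1047      192.168.1.22:445       SYN_SENT        1234
  TCP    192.168.1.10:1048      10.0.0.5:445           SYN_SENT        1234
  TCP    192.168.1.10:1049      192.168.1.30:445       ESTABLISHED     4
  TCP    192.168.1.10:3389      192.168.1.99:50234     ESTABLISHED     812
  TCP    192.168.1.10:1050      203.0.113.7:80         ESTABLISHED     2201
"""

# One TCP row: proto, local ip:port, foreign ip:port, state, pid.
# UDP rows (foreign address "*:*", no state column) deliberately do not match.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$"
)


def parse_netstat(text):
    """Yield (proto, remote_ip, remote_port, state, pid) for each connection row."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line or a row in another format
        proto, _lip, _lport, rip, rport, state, pid = m.groups()
        yield proto, rip, int(rport), state, int(pid)


def suspicious_pids(text, port=445, threshold=3):
    """Return {pid: distinct_hosts} for processes with at least `threshold`
    half-open TCP connections to `port` on distinct remote hosts."""
    hosts_by_pid = {}
    for proto, rip, rport, state, pid in parse_netstat(text):
        if proto == "TCP" and rport == port and state == "SYN_SENT":
            hosts_by_pid.setdefault(pid, set()).add(rip)
    return {pid: len(h) for pid, h in hosts_by_pid.items() if len(h) >= threshold}


if __name__ == "__main__":
    for pid, n in suspicious_pids(SAMPLE_NETSTAT).items():
        print(f"PID {pid}: {n} half-open SMB connections to distinct hosts")
```

On a live machine, pipe the real output in (e.g. `netstat -on > netstat.txt`) and read the file in place of SAMPLE_NETSTAT; the flagged PID can then be matched against the process list.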

Removal
The first thing is to patch your machine with this security patch from MS: Microsoft Security Bulletin MS08-067 – Critical (KB958644)

Secondly, update your anti-virus software with the latest definitions. For a standalone removal tool, go to Trend Micro and download it along with the latest definition files:
Sysclean scan and removal
Latest Control Pattern file
Spyware detection and cleanup
Run sysclean.com once all files are extracted, and it will scan the current machine.

Funnily enough, we decided to go to PCWorld and buy the latest Kaspersky 2009 AV software for our standalone PCs. To our surprise it did not detect the virus at all; forums suggest the Kaspersky ruskies are working on a solution for detection and removal. Our AV for the corporate network, eTrust by Computer Associates, also did not initially detect it until a policy update was applied. According to the techs at CA, it was classed as low risk and not critical. Obviously CA were caught napping when the bulletin was released in October. NOD32 by Eset finds it quite happily without creating too much fuss; the same goes for McAfee if you have the latest DATs.

Information on the virus worm by McAfee

Even though they have marked this as low risk, it can be very disruptive. Losing access to file servers containing critical data for everyday operations isn’t exactly productive. I have also found that the hammering of port 445 will slow your network to a crawl, as it will do this on every subnet you are connected to and try to do the same for external IP addresses too.