Endpoint Protection


W32.Downadup.B Virus Paradox


  • 1.  W32.Downadup.B Virus Paradox

    Posted Jul 17, 2013 09:17 AM

    Hi mates ,

    I have some problems at a customer site with the W32.Downadup.B virus. In fact there is no problem removing the virus with the latest definitions, SEP 12.1.3001.165.

    The agent finds the virus and cleans it properly. But the problem is it keeps coming back every day and eating some cache with rundll32.exe. I'm curious how I can remove it forever from my server. Every day the virus appears and the SEP agent cleans it. How could I solve this problem?

    Untitled.jpg

    Untitled2.jpg

    Thank you for your kindness.



  • 2.  RE: W32.Downadup.B Virus Paradox

    Posted Jul 17, 2013 09:19 AM

    The first thing you need to do is locate the infected machine. You may have a machine on your network which is infected and trying to infect the others.

    It needs to be removed, patched, and a full scan run.

    In your risk log in the SEPM, select the infected machine and click Details. Does it show Remote Host?

    This would be the machine trying to infect it and it needs to be located and removed from the network.



  • 3.  RE: W32.Downadup.B Virus Paradox

    Trusted Advisor
    Posted Jul 17, 2013 09:24 AM

    Hello,

    Could you check whether the other machine was updated with all the MS updates?

    You could do this by running the MBSA (Microsoft Baseline Security Analyzer) from the site below:

    http://www.microsoft.com/download/en/details.aspx?id=19892

    Make sure you have installed the MS08-067 patch [KB 958644] on ALL computers.

    http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    Secondly, check this article:

    What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

    http://www.symantec.com/docs/TECH99222

    Check these threads with a similar issue:

    https://www-secure.symantec.com/connect/forums/conficker-malware

    https://www-secure.symantec.com/connect/forums/w32downadupb-6

    It is also important to understand that Antivirus software alone is not enough.

    Why AntiVirus is not Enough??

    https://www-secure.symantec.com/connect/articles/why-antivirus-not-enough

    The Downadup Codex, Edition 2.0

    https://www-secure.symantec.com/connect/blogs/downadup-codex-edition-20

    Hope that helps..!!



  • 4.  RE: W32.Downadup.B Virus Paradox

    Posted Jul 17, 2013 09:39 AM

    Ty Brian for your concern.

    Do you advise that I have to remove the machine from the network, or are you talking about removing the virus?



  • 5.  RE: W32.Downadup.B Virus Paradox

    Posted Jul 17, 2013 09:42 AM

    I'm talking about locating the infected machine so it can be removed from the network and patched/scanned.



  • 6.  RE: W32.Downadup.B Virus Paradox

    Posted Jul 17, 2013 09:59 AM

    Ty Mithun ,

    I'll check all urls one by one for solution.

    Ty again.



  • 7.  RE: W32.Downadup.B Virus Paradox
    Best Answer

    Trusted Advisor
    Posted Jul 17, 2013 10:15 AM

    Hello,

    Here is the documentation on W32.Downadup (Symantec) aka Conficker (Microsoft):

    Best Practice for Downadup.B and Additional information on the same.

    https://www-secure.symantec.com/connect/articles/best-practice-downadupb-and-additional-information-same

    Downadup (Conficker) is a quite old virus. If all machines are patched and updated with the newest virus definitions you should be safe. However, there are a few things to be verified. This is well described in the following document:

    Simple steps to protect yourself from the Conficker Worm

    http://service1.symantec.com/support/ent-security.nsf/docid/2009033012483648

    Work on the Plan of Action as given below for a 100% result.

    Plan of Action:

    1) Make sure ALL computers have Symantec EP installed with the latest / updated virus definitions, and

    2) Install the MS08-067 patch [KB 958644] on ALL computers.

    http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    3) Install ALL the latest Microsoft Security Patches / Service Packs on ALL machines

    4) Disable Auto play with GPO

    http://support.microsoft.com/kb/953252

    5) Disable Scheduled Tasks with GPO

    http://support.microsoft.com/kb/310208

    6) Enable Security Auditing with GPO

    http://support.microsoft.com/kb/300549

    7) Scan ALL the machines...

    8) Enable Risk Tracer

    http://www.symantec.com/docs/TECH102539

    In case we don't have Network Threat Protection installed on the machines, we could try NMAP (http://insecure.org/)

    NOTE: NMAP is not supported by Symantec. However, it has proved to be effective.

    NOTE: *ALL means ALL client machines and server machines (make sure you don't miss any machine)

    Similar Threads: 

    https://www-secure.symantec.com/connect/forums/w32downadupb-how-could-you-find-source-if-there-are-1k-infected

    https://www-secure.symantec.com/connect/forums/w32downadupb-5

    https://www-secure.symantec.com/connect/forums/account-lockdown-pertaining-domain-controller

    Hope that helps!!



  • 8.  RE: W32.Downadup.B Virus Paradox

    Posted Jul 18, 2013 05:51 AM

    Hello,

    Brian is correct: SEP is doing its job in blocking the malware, but you need to identify where it comes back from, likely an infected, unprotected client in the same network which is hammering that target system.



  • 9.  RE: W32.Downadup.B Virus Paradox

    Posted Jul 19, 2013 10:52 AM

    Ok, ty Beppe



  • 10.  RE: W32.Downadup.B Virus Paradox

    Posted Jul 19, 2013 12:12 PM

    W32.Downadup.B is a vulnerability threat. Symantec would keep on detecting it until it is completely removed from the network.

    It is important to work on the plan of action steps provided by Mithun, as it is important to get to the source machine.

    Article worth reading -

    https://www-secure.symantec.com/connect/articles/best-practice-downadupb-and-additional-information-same



  • 11.  RE: W32.Downadup.B Virus Paradox

    Posted Jul 20, 2013 04:31 AM

    Could you criticize this jpeg for me ?

    I think I should suspect the 10.10.0.10 computer.

    It looks like this computer is the origin of the virus which spreads to 10.10.0.97 on the network?

    Is that the right approach?

    Ty all, by the way, for your concern.



  • 12.  RE: W32.Downadup.B Virus Paradox

    Posted Jul 20, 2013 06:05 AM

    Hi

    First of all, your rundll32 problem is caused by lots of scheduled tasks which are created by Downadup. Unfortunately SEP does not remove these scheduled tasks and just removes the worm. So rundll32 launches with nothing to do, just consuming your memory. I bet you need to restart your computer after a few days.

    That IP (10.10.10.10) seems to be responsible, but it may not be the only one. Keep checking...

    You may also find out who is responsible for creating the scheduled tasks by turning on the NTFS audit log on the %windir%\Tasks folder.



  • 13.  RE: W32.Downadup.B Virus Paradox
    Best Answer

    Posted Jul 20, 2013 07:42 AM

    What is the 10.10.0.10 computer? You need to remove this from the network and scan and patch it.

    Run the Conficker removal tool from Symantec on it. Download here:

    https://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99



  • 14.  RE: W32.Downadup.B Virus Paradox

    Posted Jul 20, 2013 10:44 AM

    Brian, it's a Windows 2003 server and it has McAfee Enterprise 8.8. I will deploy the SEP agent to this machine in these days, but I have to wait for my customer's domain admin, because I'm working with him as a team. Maybe after deployment of the SEP agent I can handle this problem.

    Ty for all advices.



  • 15.  RE: W32.Downadup.B Virus Paradox

    Posted Jul 20, 2013 10:49 AM

    At the very least, you can run the Conficker removal tool on it. It will likely require a reboot to finish cleaning.



  • 16.  RE: W32.Downadup.B Virus Paradox

    Posted Jul 23, 2013 06:27 AM

    Hi,

    Remove your machine from network and run a full scan and verify all infections are cleaned properly.

    Regards

    Ajin



  • 17.  RE: W32.Downadup.B Virus Paradox

    Posted Jul 24, 2013 10:30 AM

    Ty Ajin



  • 18.  RE: W32.Downadup.B Virus Paradox

    Posted Sep 16, 2013 09:02 AM

    Hi All

    I have the same problem. I already ran the W32.Downadup removal tool from Symantec. The result is that the server is not infected with this malware. But as I see in the processes using Task Manager, there are more than 10 rundll32.exe processes running. I tried to update the patch, but my environment is using Win Server 2008 R2.

    If there is any info regarding this problem, please inform me.

    thanks all



  • 19.  RE: W32.Downadup.B Virus Paradox

    Posted Sep 16, 2013 10:35 AM

    Then there has to be another machine on your network which is infected and trying to infect this machine.

    Use risk tracer to determine the source of the attack and remove that machine from the network and clean/patch.

    How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection

    Article:TECH94526  |  Created: 2009-01-11  |  Updated: 2013-04-16  |  Article URL http://www.symantec.com/docs/TECH94526




  • 20.  RE: W32.Downadup.B Virus Paradox

    Posted Sep 18, 2013 02:20 AM

    Hi Brian,

    Is there any network issue if I'm enabling this feature?

    Thanks for your help



  • 21.  RE: W32.Downadup.B Virus Paradox

    Posted Sep 18, 2013 08:46 PM

    Shouldn't be.



  • 22.  RE: W32.Downadup.B Virus Paradox

    Posted Oct 01, 2013 09:01 AM

    Hi

    Please turn on the NTFS audit log for the %windir%\TASKS folder. Remove all AT1.job (or similar) files found in that folder and wait for them to be created again. After that you can check your security event log and find out the responsible user/computer.
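    The audit approach from posts 12 and 22, as an added PowerShell example that is not from the thread or from Symantec: it sets a SACL on %windir%\Tasks, lists the .job files present, and then pulls the 4663 object-access events that touched the folder so the creating account and process are visible. It assumes a Vista/2008-or-later host (as in post 18), an elevated shell, and that "Audit object access" (success) is already enabled by GPO as in step 6 of post 7, otherwise no 4663 events are written.

```powershell
# Added example, not from the thread. Run as Administrator on the affected server.
# Assumes "Audit object access" (Success) is enabled by GPO; without it no 4663 events appear.
$tasksDir = Join-Path $env:windir 'Tasks'

# 1. SACL: audit successful file creation / writes by anyone, on the folder and its children.
$acl  = Get-Acl -Path $tasksDir -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $tasksDir -AclObject $acl

# 2. Inventory the .job files currently there (the AT1.job-style tasks the posts describe),
#    so you can see which ones reappear after removal.
Get-ChildItem -Path $tasksDir -Filter '*.job' |
    Select-Object Name, CreationTime, Length

# 3. Once a task has reappeared: list the file-system object-access events (ID 4663)
#    for that folder and show the account and process behind each one.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$tasksDir*" } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Account    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process    = $d.ProcessName
            Object     = $d.ObjectName
            AccessMask = $d.AccessMask
        }
    } | Sort-Object Time -Descending | Select-Object -First 20
```

    When the task is dropped over the network from another host (the scenario Brian describes), the process will be SYSTEM and the account a network logon; correlate the event's Logon ID with the matching 4624 logon event (type 3) to get the source address of that machine.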