Endpoint Protection


w32.downadup virus alert

  • 1.  w32.downadup virus alert

    Posted May 14, 2009 12:03 PM
    Hello,

    My company is running Norton Antivirus version 10 (latest scan engine and latest virus update)...but I have a few computers that keep getting the w32.downadup alert message from Norton Anti Virus.

    I tried the following but nothing is coming up in the detection.
    1. Ran a full manual scan by Norton Antivirus.
    2. Ran an online Mcafee (free virus scan).
    3. Ran Microsoft Windows Malicious Software Removal Tool (KB890830).
    4. Ran the W32.Downadup Removal Tool by Symantec per link below
    hXXp://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99
    5. The registry key below does not exist:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PATH OF WORM EXECUTABLE]"


    None of the above showed anything...and I am not sure what else to do since the alert prompt keeps appearing. Does anyone have any ideas?

    Thanks,
    B


  • 2.  RE: w32.downadup virus alert



  • 3.  RE: w32.downadup virus alert

    Posted May 14, 2009 04:37 PM
    duplicate post, please delete, I have no idea why it happened


  • 4.  RE: w32.downadup virus alert

    Posted May 14, 2009 04:39 PM
    Hi,

    here are some suggestions:

    1) apply the latest Microsoft patches on all machines, especially the one described in the MS08-067 bulletin
    2) disable the Autoplay feature on all machines
    3) be sure your AV is up-to-date and run a full scan like a storm on all machines
    4) learn how this malware works and try to stop it, it is not easy but possible

    PS: the name of your antivirus software is Symantec AntiVirus 10.x.



  • 5.  RE: w32.downadup virus alert

    Posted May 14, 2009 04:42 PM
    In case you need further support, you can call our Tech Support to get more advice.

    Regards,





  • 6.  RE: w32.downadup virus alert

    Posted May 14, 2009 04:46 PM
    Maybe some user is plugging an infected USB drive into his or her PC, or one of the PCs has the AV disabled. It would then spread like wildfire, although the protected PCs will be able to handle it without any problem.


  • 7.  RE: w32.downadup virus alert

    Posted May 14, 2009 04:52 PM
    This would not be the first time SEP reports an infection from quarantined files in the Quarantine.

    Also, if you are sure the machine is clean, you could remove the alert from the SEPM console and indicate that the machine is clean.

    If the problem persists and the Quarantine is clean, then further investigation is needed.


  • 8.  RE: w32.downadup virus alert

    Posted May 14, 2009 05:01 PM
    The machines are up to date on all Windows updates, and the virus definitions are up to date as well.

    There are no USB drives or similar devices attached.

    When I do run a full system scan nothing comes up.

    Every few hours the Symantec Alert window appears indicating that it had detected "w32.downadup" and not the B, C, or E ones.  The Alert points to a file in the C:\windows\system32\ folder and indicates that it was cleaned.

    As I mentioned in my first post, I have tried pretty much everything but none of it seemed to detect anything...I only get the Auto Alert from Symantec Virus.



  • 9.  RE: w32.downadup virus alert

    Posted May 14, 2009 06:52 PM
    Hmm very strange. Have you tried uninstalling/reinstalling Norton Anti Virus?
    Grant


  • 10.  RE: w32.downadup virus alert

    Posted May 15, 2009 11:23 AM
    I did not try uninstalling and reinstalling the antivirus program yet...could the program be corrupted?

    If I have a computer infected with w32.Downadup on my network...I assume that it is eventually going to infect all computers on the network?

    All of my users have run virus checks and the w32.downadup removal tools suggested by Symantec, and nothing is getting detected.  Only a few users are getting that annoying popup alert from Symantec virus.

    Any other suggestions?

    Thanks,
    B


  • 11.  RE: w32.downadup virus alert

    Posted May 15, 2009 11:53 AM
    Uninstalling the AV is not recommended, especially when there is a clear risk of infection.
    I guess these are four possible situations:
    1) your machines are not patched, so the worm is able to exploit your OS, but the AV detects it and cleans it
    2) you have a poor password policy, therefore some infected clients are able to send the worm to other clients
    3) there are still some scheduled tasks related to the malware
    4) the malicious service created by the malware is still running
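    Situations 3 and 4 above, and the ServiceDll check from the first post, can be reviewed in one pass. The following is an added example, not code from the thread or from Symantec: it enumerates every service hosted in the svchost "netsvcs" group (the worm registers under a randomly named service in that group, so the literal "netsvcs" path from the first post is only one candidate) and lists scheduled tasks that launch a DLL through rundll32. It assumes an elevated PowerShell prompt on the affected machine; it only reports, it removes nothing, and the "no description" heuristic is an assumption that needs a human eye.

```powershell
# Added example, not from the thread or from Symantec: a read-only sweep of the
# two persistence spots named in posts 1 and 11 (the svchost "netsvcs" service
# group and scheduled tasks). Assumption: run from an elevated PowerShell prompt
# on an affected machine; it reports, it does not remove anything.

function Get-NetsvcsServiceDlls {
    # Every service hosted in the netsvcs svchost group is listed in this value.
    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $members = (Get-ItemProperty -Path $svchostKey -Name netsvcs).netsvcs

    foreach ($name in $members) {
        $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
        if (-not (Test-Path $paramsKey)) { continue }

        # ServiceDll is REG_EXPAND_SZ; Get-ItemProperty returns it already expanded.
        $dll = (Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }

        $svcKey      = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $description = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).Description
        $inSystem32  = $dll -like "$env:SystemRoot\system32\*"
        $exists      = Test-Path -LiteralPath $dll

        # Worth a second look: a DLL outside system32, a DLL that no longer
        # exists (the AV may have deleted the file but left the service behind),
        # or a service with no description (heuristic: built-in services have one).
        $suspect = (-not $inSystem32) -or (-not $exists) -or (-not $description)

        New-Object PSObject -Property @{
            Service     = $name
            ServiceDll  = $dll
            DllExists   = $exists
            InSystem32  = $inSystem32
            Description = $description
            Suspect     = $suspect
        }
    }
}

function Get-Rundll32Tasks {
    # "schtasks /query /fo csv /v" repeats the header row per task folder on
    # Vista and later, so keep the first header line and drop the repeats.
    $raw = schtasks /query /fo csv /v 2>$null
    if (-not $raw) { return }
    $header = $raw | Select-Object -First 1
    $rows   = $raw | Where-Object { $_ -ne $header }
    $tasks  = (@($header) + $rows) | ConvertFrom-Csv

    # Tasks that launch a DLL through rundll32 are the ones to review by hand.
    $tasks | Where-Object { $_.'Task To Run' -match 'rundll32' } |
        Select-Object TaskName, 'Task To Run', 'Next Run Time'
}

# Usage: print the suspicious services first, then the rundll32 tasks.
Get-NetsvcsServiceDlls | Where-Object { $_.Suspect } | Format-List
Get-Rundll32Tasks | Format-Table -AutoSize
```

A service whose DLL no longer exists on disk matches what post 8 describes: the AV "cleans" the file every few hours, but the service entry that reloads it is never removed, so the alert keeps coming back. Such a service is the thing to remove (after confirming it is not a legitimate one), not the DLL alone.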



  • 12.  RE: w32.downadup virus alert

    Posted May 15, 2009 12:07 PM
    Simply download MS patch KB 958644 and install on the infected computer and reboot the computer


  • 13.  RE: w32.downadup virus alert

    Posted May 15, 2009 12:22 PM
    The machines are updated with the latest Microsoft patches and virus definitions. And still you get the alert? And there's also nothing in the registry that suggests it. This is a tough one.

    To tech support, employee: when Symantec detects malware and cleans it, is that different from it being deleted or quarantined? My thinking is that files modified by malware are the ones that get cleaned, and new files added by malware are the ones that get deleted or quarantined.



  • 14.  RE: w32.downadup virus alert

    Posted May 15, 2009 02:30 PM
    When the Symantec Virus Alert appears, sometimes it shows "cleaned by deletion" or "cleaned" and it points to c:\windows\system32\; when it shows "cleaned" only, I search for the file name but cannot find it.



  • 16.  RE: w32.downadup virus alert

    Posted May 15, 2009 03:43 PM
    Do I need to block a specific port on the computers or on the company firewall?


  • 17.  RE: w32.downadup virus alert

    Posted May 15, 2009 05:38 PM
    You could block port 445 if there are no other applications using that. For the company firewall, the only ports that should be open are for the applications you use like web browser, instant messengers, ftp clients etc.
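    The three preventive controls raised in this thread (the MS08-067 patch in posts 4 and 12, Autoplay in post 4, and blocking TCP 445 on the host in post 17) can be checked together. The following is an added example, not code from the thread or from Symantec. It assumes an elevated PowerShell prompt on Vista or later for the `netsh advfirewall` call, and the firewall rule name is a constructed placeholder used only by this example.

```powershell
# Added example, not from the thread: a read-only check of the preventive
# controls suggested in posts 4, 12 and 17 (MS08-067 patch, Autoplay, and an
# inbound block on TCP 445). Assumptions: elevated PowerShell on Vista or later
# for netsh advfirewall; the rule name below is a constructed placeholder.

$BlockRuleName = 'Example-Block-Inbound-TCP-445'   # constructed name

function Test-Ms08067Patched {
    # KB958644 is the MS08-067 package for XP, 2003, Vista and 2008. Windows 7
    # and later shipped with the fix, so its absence there is not a finding.
    $os = [Environment]::OSVersion.Version
    if ($os.Major -gt 6 -or ($os.Major -eq 6 -and $os.Minor -ge 1)) { return $true }
    return [bool](Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue)
}

function Test-AutoplayDisabled {
    # NoDriveTypeAutoRun is a bitmask of drive types: 0x04 covers removable
    # drives (the USB case from post 6) and 0xFF turns Autoplay off everywhere.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $value) { return $false }
    return (($value -band 0x04) -ne 0)
}

function Test-Smb445Blocked {
    # netsh prints "No rules match the specified criteria." when the rule is absent,
    # and a "Rule Name:" line when it exists.
    $out = netsh advfirewall firewall show rule name=$BlockRuleName 2>$null
    return [bool]($out -match '^Rule Name:')
}

# To create the block rule from post 17, run once, then re-run the check.
# This also blocks inbound file and printer sharing on that host, which is
# the "no other applications using that" caveat from the same post:
#   netsh advfirewall firewall add rule name=$BlockRuleName dir=in action=block protocol=TCP localport=445

function Get-DownadupPosture {
    New-Object PSObject -Property @{
        ComputerName     = $env:COMPUTERNAME
        Ms08067Patched   = Test-Ms08067Patched
        AutoplayDisabled = Test-AutoplayDisabled
        Smb445Blocked    = Test-Smb445Blocked
    }
}

Get-DownadupPosture | Format-List
```

Returning one object per machine (rather than printing text) is deliberate: the same script can be run across the fleet through a logon script or remote execution and the results collected into one table, which is how you find the single unpatched or Autoplay-enabled host that keeps re-seeding the others.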


  • 18.  RE: w32.downadup virus alert

    Posted May 15, 2009 05:41 PM
    The link below also helps:
    https://www-secure.symantec.com/connect/blogs/downadup-codex

    pdf file at the bottom of the article.