Malware Win32/Conficker.B W32.Downadup.B

re: Malware Win32/Conficker.B W32.Downadup.B

nimdadotenc — Thu, 08 Jan 2009 18:03:05 GMT

Great article!

Lots of problem trying to ID the file that's causing the behavior (if your AV isnt picking it up), since this is being repacked and redistributed to avoid detection.

In most case it creates a scheduled task pointing right to the offending file. So check C:\windows\task and see what file its pointing, and get that file into your AV vendor for new dat files.

Thank again

re: Malware Win32/Conficker.B W32.Downadup.B

Phoenix Mudrij — Fri, 09 Jan 2009 13:48:51 GMT

We have this virus in our web. Do you know any specific removal tool for this virus? Because our AV provider doesn't have any treat for this virus.

re: Malware Win32/Conficker.B W32.Downadup.B

kfalde — Fri, 09 Jan 2009 19:19:01 GMT

No specific removal tools. Trend Micro does have a sysclean utility which is like a command line scanner you can use with their definitions which seems to be working ok in some sites.

re: Malware Win32/Conficker.B W32.Downadup.B

Jim Baine — Sat, 10 Jan 2009 02:13:06 GMT

It's a pity that MSFCS like other major end point security vendors doesn't protect against behavoural targeting threats such as the B worm.... maybe folks using MSFCS would then not be making the many calls to MS?

re: Malware Win32/Conficker.B W32.Downadup.B

Jim Baine — Sat, 10 Jan 2009 02:14:56 GMT

Great article though! I like your "context" and frankness....

re: Malware Win32/Conficker.B W32.Downadup.B

Jim Baine — Sun, 11 Jan 2009 23:19:03 GMT

The virus is actually a rootkit, therefore use GME as part of your tool kit to detect and then use uptodate virus defs to remove or follow the manual instructions on your AV/malware product vendors website....

http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/GMER.shtml

re: Malware Win32/Conficker.B W32.Downadup.B

kfalde — Mon, 12 Jan 2009 02:45:15 GMT

Well as for FCS we were actually one of if not the first AV company to have any detection whatsoever for the .B variant of this. In some senses our product is very 1.0ish at times :) especially in regards to areas like working hand in hand with a firewall etc. During the last two weeks though I have worked multiple cases that included at least 4+ other major AV companies and in every case the ACL's on the files combined with the rootkit capabilities of this piece of malware were evading detection/removal. During the end of this past week however the AV companies appear to be finally catching up.

re: Malware Win32/Conficker.B W32.Downadup.B

raymundo — Mon, 12 Jan 2009 20:10:27 GMT

Anyone know how to contain the bloody virus??, I do update my PC on my network and also update the antiviral scanner, but alway show me theres someone with the virus, dos anyone hava a clue to contain or avoid more copies of ??

Thanks

re: Malware Win32/Conficker.B W32.Downadup.B

Jim Baine — Wed, 14 Jan 2009 23:31:55 GMT

Symantec has released a cleanup utility that will remove the virus from infected computers.

The Removal Tool does the following:

· Terminates the associated processes

· Deletes the associated files

· Deletes the registry values added by the threat

· Removes the scheduled jobs created by the worm

· Re-enable Windows Update

This fix will work on any computer, you don’t need to have SAV installed for it to work.

Also, the fix has been released with command line switches… we can run silently with no reboot. So we should be able to setup altiris jobs to run the fix automatically.

Please see this link for more information and a download link:

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

re: Malware Win32/Conficker.B W32.Downadup.B

RBailey — Fri, 23 Jan 2009 09:55:59 GMT

Have found perhaps a variant today that nothing seems to be able to clean up. Some AV software is cleaning up the service that gets created, but is not repairing service.exe

nastly little bug.

re: Malware Win32/Conficker.B W32.Downadup.B

Extremesecurity — Fri, 23 Jan 2009 14:33:18 GMT

Did Downadup/conficker attack your network? I've created a batch file for system administrators to clean/patch/cure infected systems in their networks.

check it out here:

http://extremesecurity.blogspot.com/2009/01/beat-downadupconficker-like-pro-my.html

re: Malware Win32/Conficker.B W32.Downadup.B

Igoy — Thu, 19 Feb 2009 19:40:11 GMT

I found that the B Variant keeps coming back even after cleanup using Symantec FixTool. I had to to erase all of the service it registered on the Registry manually.

re: Malware Win32/Conficker.B W32.Downadup.B

tesseeb — Mon, 09 Mar 2009 21:29:42 GMT

You MUST disable System Restore on your PCs. Until we did that with a group policy, it just kept coming back. We would run the clean up tools and frequent full system scans that came back clean and it would reappear hours later. And set your AV scan defaults to delete as first attempt/quarantine second.

re: Malware Win32/Conficker.B W32.Downadup.B

tower defense — Tue, 14 Apr 2009 09:31:07 GMT

I do update my PC on my network and also update the antiviral scanner, but alway show me theres someone with the virus, dos anyone hava a clue to contain or avoid more copies of ?

re: Malware Win32/Conficker.B W32.Downadup.B

Manic — Fri, 01 May 2009 01:19:17 GMT

What passwords does it attempt? Is there a pre-defined list?

re: Malware Win32/Conficker.B W32.Downadup.B

Manic — Fri, 01 May 2009 01:19:20 GMT

What passwords does it attempt? Is there a pre-defined list?