2009 Virus Alert and Removal
Written by Greg Sharkey

Sydney Region Virus Alert

New Version (V1.1) of the Toolkit has been Uploaded. (5/5/2009)

Computers across the state are currently being affected by two viruses:

  1. Conficker (also Known as Downup, Downadup and Kido)
  2. W32 Spybot (Also known as Win32.Spybot.gen, Worm.P2P.SpyBot.gen, W32/Spybot-Fam, W32/Spybot.worm.gen, WORM_SPYBOT.GEN)

These webpages have been created to assist Sydney Region Schools in identifying and removing these viruses.

The Conficker Virus (also known as Downup, Downadup and Kido)

This virus spreads through network shares and USB drives (B and C variants). There are currently four variants (A, B, C and D) of this virus.

Symptoms of infection are:

  • Account lockout policies being reset automatically.
  • Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Windows Error Reporting disabled.
  • Domain controllers responding slowly to client requests.
  • Congestion on local area networks.
  • Web sites related to antivirus software or the Windows Update service becoming inaccessible.
  • User accounts locked out.


The following chart can be used to check for infection, as the virus blocks access to many security-related sites.

Conficker Eye Chart

If you cannot see the three images on the first row, your computer may be infected by Conficker.

If you cannot see the images on the bottom row, you may have some other Internet-related problem.

Further information can be found at:

W32.Spybot Virus (also known as Win32.Spybot.gen, Worm.P2P.SpyBot.gen, W32/Spybot-Fam, W32/Spybot.worm.gen, WORM_SPYBOT.GEN)

This virus spreads through network shares. There are many variants of this virus.

Symptoms of infection are:

  • Existence of registry keys as described.
  • Existence of "%WINDIR%\lsass.exe" and "%SYSTEMDIR%\rdriv.sys".
  • Security Center and Messenger automatically getting disabled.
  • Excessive network traffic.
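A check for the service and file symptoms in both lists above (the Conficker list and this one), as an added PowerShell example that is not part of the Sydney Region toolkit; it assumes PowerShell 2.0 or later, an Administrator prompt, and that %SYSTEMDIR% on this page means the System32 directory.

```powershell
# Added example (not from the Sydney Region toolkit): looks for the service and file
# symptoms listed on this page. Assumes PowerShell 2.0+ with WMI, run as Administrator.

# Service names whose display names appear in the symptom lists above.
$ConfickerServices = @(
    'wuauserv'    # Automatic Updates
    'BITS'        # Background Intelligent Transfer Service
    'WinDefend'   # Windows Defender (optional install on XP, so it may be absent)
    'ERSvc'       # Error Reporting Service
)
$SpybotServices = @(
    'wscsvc'      # Security Center
    'Messenger'   # Messenger
)

# Files named in the W32.Spybot symptom list. The legitimate lsass.exe lives in
# System32; a copy directly under %WINDIR% is the suspicious one.
# Assumption: %SYSTEMDIR% on the page means the System32 directory.
$SpybotFiles = @(
    (Join-Path $env:WINDIR 'lsass.exe')
    (Join-Path ([Environment]::SystemDirectory) 'rdriv.sys')
)

function Get-DisabledServices([string[]]$Names) {
    # Returns one line per listed service whose start mode has been set to Disabled.
    # A stopped service with StartMode Manual (BITS when idle) is normal and not reported.
    $hits = @()
    foreach ($name in $Names) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) { continue }          # service not installed on this build
        if ($svc.StartMode -eq 'Disabled') {
            $hits += "{0} ({1}) is Disabled, State={2}" -f $svc.DisplayName, $name, $svc.State
        }
    }
    return $hits
}

function Get-SuspiciousFiles([string[]]$Paths) {
    # Returns the listed paths that exist on this machine.
    return @($Paths | Where-Object { Test-Path -LiteralPath $_ })
}

$findings = @()
foreach ($s in Get-DisabledServices $ConfickerServices) { $findings += "Conficker symptom: $s" }
foreach ($s in Get-DisabledServices $SpybotServices)    { $findings += "W32.Spybot symptom: $s" }
foreach ($f in Get-SuspiciousFiles $SpybotFiles)        { $findings += "W32.Spybot symptom: file present $f" }
if ($findings.Count -eq 0) { Write-Output 'No listed symptoms found (this does not prove the machine is clean).' }
else { $findings | ForEach-Object { Write-Output $_ } }
```

Any finding means the machine should be treated as infected: remove the network lead and follow the removal instructions below.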

Prevention

All Windows computers should be kept up to date with Windows Updates and Symantec Antivirus updates.

If computers are up to date with these, then they cannot be infected by either of these two viruses.

NOTE: Updating an infected computer does not remove the viruses.

As a minimum the PC should have:

  • Windows XP Service Pack 3 - available from DET software downloads or from your school CPC.
  • Three Windows hotfixes: KB890830-v2.9 / KB921883-x86-ENU / KB958644-x86-ENU
  • SAV Virus definitions later than 14 April 2009.


School computers can be connected to the CPC server to receive all Windows updates and SAV updates automatically.

Instructions to connect PCs to the CPC are available from: (Intranet Only Links)

To check where PCs are getting their Windows updates from, run this script: CheckWSUS.vbs

As both of these viruses spread through the use of USB drives, it is recommended to:

  • Disable Autorun on removable drives.
  • Regularly scan USB drives for viruses.

To disable Autorun for removable devices see this page.
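The checks the Prevention section calls for (Service Pack 3, the two Server service hotfixes, where Windows Update points, and whether Autorun is off), as an added PowerShell example that is not the page's own CheckWSUS.vbs or its Autorun page; it assumes PowerShell 2.0 or later on the XP machine and the standard policy registry keys, and it does not check Symantec definition dates.

```powershell
# Added example (not the page's CheckWSUS.vbs): reports whether a PC meets the
# prevention baseline above. Assumes PowerShell 2.0+ on XP and standard policy keys.

# KB921883 (MS06-040) and KB958644 (MS08-067) are the Server service security updates
# listed above. KB890830 is the Malicious Software Removal Tool (a scanner, not a patch).
$RequiredHotfixes = @('KB921883', 'KB958644')

function Get-ServicePackLevel {
    # CSDVersion reads "Service Pack 3" on an XP SP3 machine.
    return (Get-WmiObject Win32_OperatingSystem).CSDVersion
}

function Get-MissingHotfixes([string[]]$Ids) {
    $installed = Get-WmiObject Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID }
    return @($Ids | Where-Object { $installed -notcontains $_ })
}

function Get-WindowsUpdateSource {
    # Policy values a WSUS (CPC) Group Policy sets; absent means Microsoft Update directly.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $server  = (Get-ItemProperty -Path $wu -Name WUServer -ErrorAction SilentlyContinue).WUServer
    $useWsus = (Get-ItemProperty -Path "$wu\AU" -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
    if ($useWsus -eq 1 -and $server) { return "WSUS server $server" }
    return 'Microsoft Update directly (no WSUS policy set)'
}

function Get-AutorunState {
    # NoDriveTypeAutoRun is a bitmask: 0x04 = removable drives, 0xFF = every drive type.
    # On XP the value is only honoured fully once the Autorun update KB967715 is installed.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $v = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($v -eq $null)             { return 'ENABLED (NoDriveTypeAutoRun not set)' }
    if (($v -band 0xFF) -eq 0xFF) { return 'disabled on all drive types (0xFF)' }
    if ($v -band 0x04)            { return ('disabled on removable drives only (0x{0:X2})' -f $v) }
    return ('ENABLED for removable drives (0x{0:X2})' -f $v)
}

Write-Output ('Service pack : ' + (Get-ServicePackLevel))
$missing = @(Get-MissingHotfixes $RequiredHotfixes)
if ($missing.Count -eq 0) { Write-Output 'Hotfixes     : required Server service updates installed' }
else                      { Write-Output ('Hotfixes     : MISSING ' + ($missing -join ', ')) }
Write-Output ('Update source: ' + (Get-WindowsUpdateSource))
Write-Output ('Autorun      : ' + (Get-AutorunState))
```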

NSW Public School Staff are entitled to install Symantec Antivirus or Symantec Endpoint on home computers. The software is available from the DET Intranet (http://antivirus.det.nsw.edu.au/ - Intranet only).

The software is not available to students.

Removal Instructions

General Notes.

  1. There is no single fix to these virus infections as a number of variants are active.
  2. An infected computer must be disconnected from the LAN/WAN prior to patching and cleaning.
  3. It is recommended to patch the machine before cleaning (if at all possible).
  4. Removing System Restore points and clearing Temporary Internet Files can reduce Symantec full scan times.
  5. System Restore should be disabled prior to cleaning.
  6. The cleaning actions should be undertaken in safe mode.
  7. Multiple infections may require repeated processes of cleaning and rebooting.
  8. Do not use USB memory sticks on any infected machine. An infected USB memory stick can reinfect a cleaned workstation.
  9. As long as unpatched and vulnerable machines are connected to a LAN, the possibility of re-infection remains high.
  10. To assist prevention of further virus infection from USB drives, Auto-Run (Auto-Play) should be disabled.

Sydney Removal Tools.

  • This process is only recommended to be run on Standard T4L images. It may work on other computers but no guarantees are given.
  • You must be able to login as a Local Administrator.
  • A working CD drive is required. If this is not possible, use a USB drive with a read-only switch.

  • Download the Sydney Region AV_RemovalToolkit from here (Note: File is 395MB).
  • Expand the Zip file to your computer.
  • Burn the expanded files to a CD.

At an infected computer:
  1. Remove the network Lead.
  2. Start up the computer.
  3. Log in as a Local Administrator.
  4. Start Windows Explorer (My Computer) and browse to the CD Drive.
  5. Double Click on the file "_0_StartHere.cmd". This will copy the necessary files to the computer. If XP Service Pack 3 is required it will then install Service Pack 3. Finally it will disable System Restore and Autorun. The CD can be removed once this step is completed.
  6. When prompted, restart the computer in Safe Mode. To do this, as you restart your computer, press F8 after the firmware POST process completes, but before Windows displays graphical output. From the Windows Advanced Options Menu, select a safe mode option.
  7. Log in as a Local Administrator.
  8. Open My Computer and browse to "c:\Removal". Double Click on the file "_Step2_SRVirusRemTool.vbs".
  9. This script will install the hotfixes and run the removal Tools. This step can take some time. Do not turn off the computer until it has completed.
  10. When the Finished prompt appears, you may plug in the network lead and restart the computer in normal mode.
  11. Carry out a Windows Update and Live Update for Symantec AntiVirus.
  12. It is advised that you scan the computer using the Microsoft Malicious Software Removal Tool and/or a full scan with Symantec. The Microsoft Malicious Software Removal Tool can be started by running the file "fullscan.bat" in "c:\removal".


If the computer is not set to receive its Windows updates and SAV updates from the CPC, please follow the instructions listed under Prevention.

If the above instruction fails, you could try some of the other tools listed under "Other Tools". Some of these are on the CD.

Other Tools

Some other tools you can try are listed here:

Other Resources

Note: NSW DET Staff are entitled to use Symantec Antivirus (V10) or Symantec Endpoint (V11) on home computers. The software is available from the DET Intranet (http://antivirus.det.nsw.edu.au - Intranet only).

The software is not available to students. The following free antivirus software may be used by students.

Free Security Software


Free Online Scanners


If you are having problems dealing with these viruses, please log a Service Desk call and we will assist as much as possible.

Sydney Region School IT Support