
help with network wide removal of virus

  • 01-02-2012 8:57pm
    #1
    Registered Users, Registered Users 2 Posts: 5,342 ✭✭✭


    Hello, I have a network with 200+ PCs and five servers, 4 virtual.

    The network is infected with the Conficker virus.

    The network is secured with Sophos on each PC/server.

    What would be the best way to remove this completely?

    Sophos does detect it and cleans automatically on the PCs,
    but it keeps coming back and has started to jump onto USB keys etc.

    Just to note that the PCs have multiple partitions (ranging from 2 up to 4) and are all joined to a domain.

    Any help would be appreciated.


Comments

  • Closed Accounts Posts: 2,663 ✭✭✭Cork24


    It seems you have a big problem here... Ghost images come to mind here.
    Let me guess, you're a network admin and you have no VMware or Ghost image of your OS that you can just roll out?


    It seems the virus is not on the PCs; I would say it could be hidden somewhere on the server.

    I feel the best thing to do is go to each computer and run the virus scanner (UNPLUG FROM THE DOMAIN).

    Also it would be a good idea to run a virus scan on the virtual images that are on some computers.

    This in turn should lead you to the main code of the virus; more or less it will be on your file sharing server if you have one.

    If it keeps coming back, it's telling me it's further up the backbone than on the user level of the network.

    Once you have the virus gone, plug back in each computer and note if the virus does come back.

    By doing this you will have some angry users who can't surf or Facebook during working hours, but it's best this way, as if people's information gets into the hands of hackers you're in deep sh&*, my friend.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Take one infected desktop machine and disconnect it from the network. Use your anti-virus to clean it, then monitor it to see if the virus returns. The number of partitions on the machine is irrelevant, just make sure the AV software is scanning all of them.

    If the virus doesn't return, then you know that your anti-virus software is fine, but the worm is causing re-infections. In order to avoid being re-infected, you need to patch the machine. This is the key bit. The infection spreads because the machines haven't been patched.

    The patch is here: http://technet.microsoft.com/en-us/security/bulletin/ms08-067

    So patch the machine and reconnect it to the network. Continue to monitor it for infection. If it remains clean, then you've identified the method of removing the infection:

    1. Schedule downtime for all of your servers. Disconnect them from the network (disable the net adapters on the virtual machines). Scan them, clean them and patch them, then reconnect them. Monitor for re-infection.

    2. For each desktop machine, disconnect, clean, then patch. If that's not feasible you could try patching remotely, then clean & reboot, but this can be troublesome as the virus interferes with services that let you do this.

    3. Once all of the desktop machines have been cleaned & patched, scan the servers again. Infected machines will likely have copied compromised files onto network shares and although the servers will not be compromised, the virus's files may still be sitting around.

    4. Instruct everyone with a USB key (or external hard drive) on how to scan and clean them, or ask people to drop them up to you for cleaning. Although your network is clean, your company could look like an ass if infected files get sent to a client or supplier.


  • Closed Accounts Posts: 2,663 ✭✭✭Cork24


    seamus wrote: »
    Take one infected desktop machine and disconnect it from the network. Use your anti-virus to clean it, then monitor it to see if the virus returns. The number of partitions on the machine is irrelevant, just make sure the AV software is scanning all of them.

    If the virus doesn't return, then you know that your anti-virus software is fine, but the worm is causing re-infections. In order to avoid being re-infected, you need to patch the machine. This is the key bit. The infection spreads because the machines haven't been patched.

    The patch is here: http://technet.microsoft.com/en-us/security/bulletin/ms08-067

    So patch the machine and reconnect it to the network. Continue to monitor it for infection. If it remains clean, then you've identified the method of removing the infection:

    1. Schedule downtime for all of your servers. Disconnect them from the network (disable the net adapters on the virtual machines). Scan them, clean them and patch them, then reconnect them. Monitor for re-infection.

    2. For each desktop machine, disconnect, clean, then patch. If that's not feasible you could try patching remotely, then clean & reboot, but this can be troublesome as the virus interferes with services that let you do this.

    3. Once all of the desktop machines have been cleaned & patched, scan the servers again. Infected machines will likely have copied compromised files onto network shares and although the servers will not be compromised, the virus's files may still be sitting around.

    4. Instruct everyone with a USB key (or external hard drive) on how to scan and clean them, or ask people to drop them up to you for cleaning. Although your network is clean, your company could look like an ass if infected files get sent to a client or supplier.


    More or less the same idea for fixing this issue.


  • Registered Users, Registered Users 2 Posts: 5,342 ✭✭✭dunworth1


    Yes, I have Ghost images for each different setup.

    All the PCs are brand new and just after being set up.
    Most are running 2 partitions of Win7,
    and some are running a mixture of Win7, Vista and XP.

    Not my company btw; we are contracted to do I.T.

    Scheduling downtime is not really a problem as it can be done at night.

    I was talking to someone and they said that it has been there for years now. If only we were told about it before we started the 200 new PCs in it, it would have been much easier.

    I might download a different virus scanner and scan the servers.


  • Closed Accounts Posts: 2,663 ✭✭✭Cork24


    My GOD, that virus has been there all the time, wtf... what kind of IT company are they running...


    I would recommend just downloading Microsoft's own anti-virus.

    As for stopping this from happening again, you really can't; that virus could have come in on a USB key.


  • Registered Users, Registered Users 2 Posts: 5,342 ✭✭✭dunworth1


    Cork24 wrote: »
    My GOD, that virus has been there all the time, wtf... what kind of IT company are they running...


    I would recommend just downloading Microsoft's own anti-virus.

    As for stopping this from happening again, you really can't; that virus could have come in on a USB key.

    They have one full time I.T. guy.


  • Closed Accounts Posts: 2,663 ✭✭✭Cork24


    If I was that IT guy I would disable all USB ports on the computers, and give a limited amount of access to the PC per user.

    I.e. if there's a local team of accountants, all they would need is access to MS Office or Sage accounting software; there is no need for them to have access to USB or other parts of the PC.

    Also look at blocking social sites and other sites that could get a virus into the network.


  • Registered Users Posts: 352 ✭✭kkontour


    Cork24 wrote: »
    If I was that IT guy I would disable all USB ports on the computers, and give a limited amount of access to the PC per user.

    I.e. if there's a local team of accountants, all they would need is access to MS Office or Sage accounting software; there is no need for them to have access to USB or other parts of the PC.

    Also look at blocking social sites and other sites that could get a virus into the network.

    We had a similar outbreak.
    Ensure all systems are patched and have an up-to-date AV.
    Run the latest mrt.exe from Microsoft.
    I had a McAfee ePolicy server which would report which systems were the source of the infections. Just a matter of cleaning the reported sources.
    THEN
    Ensure no one is logging on as a domain admin until the infection is clear. Local admin only. That virus will infect the admin$ share.
    Using group policy, disable USB autorun.
    Hope this is of some help.


  • Registered Users, Registered Users 2 Posts: 4,468 ✭✭✭matt-dublin


    Use the Conficker network scan tool to find out what PCs and servers are infected.

    Manually run MSRT on them and install the Microsoft patch to block it.

    I'll post the link to the Conficker scanner when I find it.

    Also, if it's in Active Directory there's a freeware app you can get that tells you what machine is causing the accounts to lock out.

    IME it's usually only a couple of unpatched machines causing the issue.


  • Registered Users, Registered Users 2 Posts: 4,468 ✭✭✭matt-dublin


    As promised:
    http://www.mcafee.com/us/downloads/free-tools/conficker-detection.aspx

    Also, post deployment and removal, you should enable Windows Firewall on all machines.

    Matt
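
    A way to check, across many machines at once, the posture that seamus, kkontour and Matt describe above: MS08-067 closed, autorun turned off by policy, Windows Firewall on, and the update/AV services still enabled. This is an added example and not code from anyone in this thread. It assumes PowerShell remoting (WinRM) is reachable from the admin workstation with local admin rights on every target, that KB958644 is the hotfix id for MS08-067 (it is, and Windows 7 shipped with the fix built in), and that the host names are constructed placeholders. The list of services to watch (wuauserv, BITS, WinDefend, ERSvc/WerSvc) is my own assumption based on Conficker's documented habit of disabling Windows Update, BITS, Defender and Error Reporting; the thread only says the worm interferes with the services used for remote management.

```powershell
# Added example, not from any poster in this thread.
# Remote posture check for a Conficker clean-up: for each host, report whether
# MS08-067 is closed, autorun is disabled by policy, Windows Firewall is on, and
# which of the update/AV services the worm is known to switch off are disabled.
# Assumes WinRM is reachable and the caller is local admin on every target.

# Constructed placeholder host names; replace with your inventory or an AD query.
$Hosts = @('PC-ACCT-01', 'PC-ACCT-02', 'SRV-FILE-01')

$Check = {
    $result = @{
        ComputerName     = $env:COMPUTERNAME
        MS08_067_Patched = $false
        AutorunDisabled  = $false
        FirewallOn       = $false
        ServicesDisabled = @()
    }

    # 1. MS08-067 is the Server service bug the worm uses to spread over the network.
    #    KB958644 is the hotfix id; Windows 7 (NT 6.1) and later ship with the fix built in,
    #    so only XP, 2003, Vista and 2008 hosts need the hotfix lookup.
    $os = [Environment]::OSVersion.Version
    if ($os -ge [Version]'6.1') {
        $result.MS08_067_Patched = $true
    } else {
        $result.MS08_067_Patched = [bool](Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue)
    }

    # 2. The "Turn off Autoplay: all drives" policy writes NoDriveTypeAutoRun = 0xFF here.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
                            -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $result.AutorunDisabled = ($pol -ne $null -and $pol.NoDriveTypeAutoRun -eq 0xFF)

    # 3. Windows Firewall state for every profile (Vista and later; XP only has 'netsh firewall').
    #    Parses the English 'State  ON' lines; adjust the pattern on localised builds.
    $states = @(netsh advfirewall show allprofiles state | Where-Object { $_ -match '^\s*State\s' })
    $result.FirewallOn = ($states.Count -gt 0) -and
                         (@($states | Where-Object { $_ -notmatch '\bON\s*$' }).Count -eq 0)

    # 4. Services the worm disables so that patches and AV updates stop arriving (assumed list).
    #    A 'Disabled' start mode on a host that should have them running is a reinfection hint.
    foreach ($name in 'wuauserv', 'BITS', 'WinDefend', 'ERSvc', 'WerSvc') {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if ($svc -and $svc.StartMode -eq 'Disabled') { $result.ServicesDisabled += $name }
    }

    New-Object PSObject -Property $result
}

$report = foreach ($h in $Hosts) {
    try {
        Invoke-Command -ComputerName $h -ScriptBlock $Check -ErrorAction Stop
    } catch {
        # An unreachable host is itself worth a visit: the worm breaks remote management.
        Write-Warning "$h unreachable: $($_.Exception.Message)"
    }
}

# Unpatched hosts sort to the top; those are the ones seeding reinfections.
$report |
    Sort-Object MS08_067_Patched, ComputerName |
    Format-Table ComputerName, MS08_067_Patched, AutorunDisabled, FirewallOn,
        @{ Name = 'ServicesDisabled'; Expression = { $_.ServicesDisabled -join ',' } } -AutoSize
```

    Run it once after the night-time clean-up and again a few days later, as dunworth1 plans to do; a host that was patched and clean but now shows a disabled wuauserv or BITS is a good candidate for the "still infected" list before the AV alerts catch up. Anything the script cannot reach over WinRM belongs on the same list, since an infected box is exactly the one that stops answering remote management.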


  • Registered Users, Registered Users 2 Posts: 5,342 ✭✭✭dunworth1


    matt-dublin wrote: »
    As promised:
    http://www.mcafee.com/us/downloads/free-tools/conficker-detection.aspx

    Also, post deployment and removal, you should enable Windows Firewall on all machines.

    Matt

    Thanks.

    Windows Firewall is enabled on all machines.


  • Registered Users, Registered Users 2 Posts: 4,468 ✭✭✭matt-dublin


    You can also use this on a computer in the domain under a user with domain admin privs:

    http://www.netwrix.com/requeste.html?product=ale

    It will tell you the IP address of machines causing account lockouts; these will be infected.


  • Registered Users, Registered Users 2 Posts: 5,342 ✭✭✭dunworth1


    None of the accounts are being locked out.

    But I think it messed with the AD,
    as we had a problem with PCs not pulling down Group Policies.


  • Registered Users, Registered Users 2 Posts: 4,468 ✭✭✭matt-dublin


    What happens when you run gpupdate /force?

    After reboot, post up Start > Run then rsop
    and have a look at rsop.msc.

    (You might want to PM the RSOP data.)

    M


  • Registered Users, Registered Users 2 Posts: 5,342 ✭✭✭dunworth1


    matt-dublin wrote: »
    What happens when you run gpupdate /force?

    After reboot, post up Start > Run then rsop
    and have a look at rsop.msc.

    (You might want to PM the RSOP data.)

    M

    When you run gpupdate /force

    it will pull down the GP.

    We resolved that issue though, thanks.

    I ran the McAfee program, works great. Found about 40 PCs infected this morning, all cleaned.

    Thanks, will check again in a few days to see.

