Wednesday, January 14, 2009

w32.downadup.b prevention tool

It is now already 5:32 am, 14th Jan 2009; I have been working since 2pm on 13th Jan 2009. I just got the call from Symantec.

Happy to say that they have come out with a prevention tool that can delete the virus on the infected machines:


http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

I have seen the number of infections on the network almost disappear. I will try this tool on 14th Jan 2009 at 9pm. Need to rest for the moment. :)

Sunday, January 11, 2009

W32.downadup.b prevention

Welcome 2009. I had a real headache searching for a solution to this; it seems to be a very bad year for me :(.

Anyway, I will share my experience with this worm. The worm really did a good job infecting some of my machines, and you will be amazed at how it spreads. At first it was detected on my machines as Trojan.Linkoptimizer, and the server and client machines kept showing the "left alone" and "deleted" messages, which is somehow quite annoying.

On 10th Jan 2009 at 3pm, I updated the pattern and it was detected as W32.Downadup.B. Well, as an administrator you will be quite sad about it.

What I found about this worm is that when serverA is infected, it will use the accounts on serverA to attack other machines over the admin$ share. You can check this by opening the Symantec console and noting the time of the detection. On Windows 2003 you can then check the security log, where you will see which IP and username are trying to attack your machine.

As of now, 11th Jan 2009 10:25pm, Symantec still does not have a cure for it.

For the administrators out there, I would like to share with you all how to prevent your servers and workstations from spreading it; below is the checklist you have to go through.

When the worm attacks a machine, the infected machine will have something scheduled with the AT command. You can list the jobs by typing AT in cmd. If you see anything, delete it with AT /d. If you really need to use the task scheduler for your production, you can block AT via gpedit.msc.

The second thing is, if you still need to run the printing services or any file shares, I strongly recommend you all add the following to the registry:


For server only
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareServer
Data Type: REG_DWORD
Value: 0

For Workstation only
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareWks
Data Type: REG_DWORD
Value: 0


Please do not do this on the domain controller; it will cause issues for clients when they try to connect to the domain, such as changing passwords, and it will impact all the clients such as Win95 and Win98.

After you have added the value to the registry, restart the Server service. Once you have done that, open cmd and type net share. You will notice the admin$ and C$ shares are missing, and only the ipc$ share, which is needed, remains.

The third thing is you will need to disable autorun via GPO, and make sure all the clients have received the update. The way the virus spreads is that it copies its file to a mapped drive and creates a file named autorun.inf; as usual, you know what users will do when they want to access the files: they just double click and tada, you are infected.

The last step, which is important, is to always patch your system with the latest security patches, as well as the antivirus. Just make sure you have KB958644 installed on all the machines; on Windows 2003 and XP you can check with the command wmic qfe | findstr KB958644
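As an added example (not from the original post), the four checklist items above can be audited on a machine with one PowerShell script. It assumes WMI is available and the script runs with administrator rights, and it checks NoDriveTypeAutoRun as the registry value the autorun GPO writes.

```powershell
# Added audit script (not from the original post): checks the checklist items
# on the local machine and prints an OK/CHECK line for each.
# Assumes Windows PowerShell with WMI and administrator rights.
$findings = @()

# 1. AT jobs: the worm schedules itself with AT, so any job listed here needs a look.
$atJobs = Get-WmiObject -Class Win32_ScheduledJob
if ($atJobs) {
    foreach ($j in $atJobs) { $findings += "CHECK: AT job $($j.JobId): $($j.Command)" }
} else { $findings += 'OK: no AT jobs scheduled' }

# 2. Administrative shares: AutoShareServer (server) / AutoShareWks (workstation) = 0
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$props = Get-ItemProperty -Path $lanman
foreach ($name in 'AutoShareServer', 'AutoShareWks') {
    $v = $props.$name
    if ($v -eq 0) { $findings += "OK: $name = 0" }
    else { $findings += "CHECK: $name is not 0 (value: $v)" }
}
# Cross-check what is exported right now: ADMIN$ and drive$ shares should be gone, IPC$ stays.
$shares = Get-WmiObject -Class Win32_Share | Where-Object { $_.Name -match '^(ADMIN|[A-Z])\$$' }
if ($shares) {
    $findings += 'CHECK: admin shares still present: ' + (($shares | ForEach-Object { $_.Name }) -join ', ')
} else { $findings += 'OK: no ADMIN$ or drive$ shares exported' }

# 3. Autorun: NoDriveTypeAutoRun = 0xFF (255) disables autorun on every drive type.
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$nd = (Get-ItemProperty -Path $explorer -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($nd -eq 255) { $findings += 'OK: NoDriveTypeAutoRun = 0xFF' }
else { $findings += "CHECK: NoDriveTypeAutoRun is '$nd' (expected 0xFF)" }

# 4. Patch: KB958644 (the MS08-067 fix for the hole the worm spreads through).
$hotfix = Get-WmiObject -Class Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq 'KB958644' }
if ($hotfix) { $findings += 'OK: KB958644 installed' } else { $findings += 'CHECK: KB958644 missing' }

$findings | ForEach-Object { Write-Output $_ }
```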

If you would like to see the packets being sent to the system, you can always download a piece of software called Wireshark. You can download the tool from the following website: http://www.wireshark.org


I hope this can help the rest of the world. Do post me a message.