
Infected With Conficker A and D - Unable to get rid of it

Hello,

We have been using Sophos Enterprise Console and Endpoint Security for some time, protecting all of our domain computers. However, over the last few weeks we have been overrun by the Conficker-A and Conficker-D viruses. Sophos is picking them up and saying it's cleaned them, but they keep coming back on the same machines and even appearing on new machines. We have followed all of Microsoft's instructions, the PCs have the hotfix KB958644, and we have also tried different ways of removing the virus, but it is still being persistent. Has anyone had the same problem, and if so, how can we get rid of it once and for all?

Many Thanks

James



  • Hi James,

    Thanks for posting on the forums. Have you tried the following two articles:

    http://www.sophos.com/support/knowledgebase/article/51169.html

    http://www.sophos.com/support/knowledgebase/article/61259.html

    The first describes how Conficker works and spreads, the best scanning options, and how to remove it from the network. The second article shows various methods to track the source of the infection.

    I can guarantee that there'll be unprotected* machines on your network that are running and executing the Conficker virus and therefore allowing it to spread.

    Note that the patch is extremely important; without it, the virus will be able to inject straight into the memory space of svchost.exe.

    I hope this helps,

    Andy

    * examples of unprotected machines = Sophos not installed, on-access scanning not set to on-read or disabled, the machine is out of date, etc.

  • Countless times I've come across this in our clients' networks.

    I once had a client who 'reinstalled' Sophos (against recommendation) on all the machines on his network to ensure all machines had Sophos (±200 machines).


    When he eventually listened, he realized he had ten machines without Sophos on them. They were his CCTV machines.

    They had picked this up on their firewall/proxy but didn't take too much note.

    Tracking is the way to go for a scenario like this. I haven't tried Wireshark yet, but we have used others.

    We used a free program 'Advanced Port Scanner' to scan for ports 8192, 8193 and 8194 on his IP ranges.

    All the machines that didn't respond either didn't have Sophos or it wasn't reporting (complying with the policy) correctly.

    (This is important as stated on the site)
    (took under 2 minutes to list the machines)

    If you have AD account lockouts, there is a procedure on the Microsoft website, but there is fine print.
    We used a program called 'Account Lockout Examiner' - it's free as well. You don't need to install it on the server either :)

    This will show you which account is locked out (gives you the option to unlock - bonus) and which machine locked it out.

    Between the two programs above we could narrow down the search for the ...... undesired (for polite term) machine from more than one day to 30 minutes.

    Unfortunately it doesn't stop there. There will be other threats like this in the future.

    Ensuring Sophos is on every machine in the network will help to get eyes on what is happening.

    This might be an excellent time to install NAC too. :)

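The port-scan step in the post above (probe every address in the range for TCP 8192, 8193 and 8194 and treat hosts that answer on none of them as candidates without a working Sophos agent), written out as a small script. This is an added example, not code from the thread or from Sophos. It assumes the three RMS ports named in the post, and it adds one refinement the post does not mention: a host that answers on none of the RMS ports is only flagged as "unmanaged" if it also answers on TCP 445 or 135 (assumed here to be open on a running, domain-joined Windows box); otherwise it is reported as "unreachable", so powered-off machines do not pollute the list. The probe function is injectable, and the block ships a constructed inventory so it can be dry-run offline.

```python
"""List hosts on a range that show no Sophos RMS listener (TCP 8192-8194).

Added example standing in for the 'Advanced Port Scanner' step; not from
the original thread or from Sophos.
"""
import argparse
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports named in the post: Sophos Remote Management System listeners.
SOPHOS_RMS_PORTS = (8192, 8193, 8194)
# Assumption: a live, domain-joined Windows host answers on SMB (445) or RPC (135).
LIVENESS_PORTS = (445, 135)


def tcp_open(ip, port, timeout=0.5):
    """True if a TCP handshake to ip:port completes within timeout seconds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_host(ip, probe=tcp_open):
    """Return 'managed', 'unmanaged' or 'unreachable' for one address.

    probe(ip, port) -> bool is injectable so the logic can be exercised
    without a network (see fake_probe below).
    """
    if any(probe(ip, p) for p in SOPHOS_RMS_PORTS):
        return "managed"
    if any(probe(ip, p) for p in LIVENESS_PORTS):
        # Something is up and listening, but not the Sophos agent: the case to chase.
        return "unmanaged"
    return "unreachable"


def scan_network(cidr, probe=tcp_open, workers=64):
    """Classify every host address in cidr; returns {ip: status}."""
    hosts = [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        statuses = list(pool.map(lambda h: classify_host(h, probe), hosts))
    return dict(zip(hosts, statuses))


def unmanaged_hosts(cidr, probe=tcp_open, workers=64):
    """Addresses that are up but have no RMS listener: the ones to visit first."""
    return sorted(ip for ip, status in scan_network(cidr, probe, workers).items()
                  if status == "unmanaged")


# Constructed inventory for an offline dry run (not real scan data).
_FAKE_LISTENERS = {
    "10.0.0.1": {8192, 8193, 8194, 445},  # Sophos-managed workstation
    "10.0.0.2": {445, 135},               # e.g. a CCTV box with no Sophos installed
    "10.0.0.3": set(),                    # powered off / not on the network
}


def fake_probe(ip, port, timeout=0.5):
    """Stand-in for tcp_open that consults the constructed inventory above."""
    return port in _FAKE_LISTENERS.get(ip, set())


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="list hosts without a Sophos RMS listener")
    ap.add_argument("cidr", nargs="?", help="range to scan, e.g. 192.168.10.0/24")
    ap.add_argument("--dry-run", action="store_true",
                    help="use the constructed inventory instead of the network")
    args = ap.parse_args()
    probe = fake_probe if args.dry_run else tcp_open
    cidr = args.cidr or "10.0.0.0/29"
    for ip, status in sorted(scan_network(cidr, probe).items(),
                             key=lambda kv: ipaddress.ip_address(kv[0])):
        print(f"{ip:15} {status}")
```

Run it from a host that can reach the client VLANs directly (a perimeter or host firewall that drops the probes will make every machine behind it look "unreachable"), and run it once per subnet rather than once across a routed range. As the post says, a host that is up but shows no RMS listener either has no Sophos agent or has one that is not reporting; both deserve a visit.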
  • Hello James,

    There's also a - unfortunately the one who started it did not give a "final report" (but maybe the school's still fighting the pest).

    Christian
