Downadup.B Worm Handling Notes

Source: Internet
Author: User
Tags: superuser permission

Last week the company found the Downadup.B worm (also known as Conficker) on its network. After analysing the infected computers, the computer room summarised the following verifiable characteristics:

· Creates the registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\applets\"DL" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\applets\"DL" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\applets\"ds" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\applets\"ds" = "0"

· Disables the following two Windows services:
Background Intelligent Transfer Service (BITS), whose normal startup type is Manual
Automatic Updates (wuauserv), whose normal startup type is Automatic

· Starts a service listening on a random port of the infected computer and adds a rule to the local firewall that opens that port (one observed rule name is banto)

· Visits certain websites; the company's AC (web access gateway) shows records like the following:
Visited site: 74.208.64.145/search?q=17, matched URL group: action allowed
Visited site: 199.2.137.252/search?q=17, matched URL group: action allowed

· Intercepts DNS lookups whose names contain strings belonging to many anti-virus vendor websites and makes them fail.

So for ordinary users the most convenient way to check for infection is:
Step 1: Click Start, then Run, type "cmd" and click OK (on the older systems: Start, Run, type "cmd", Confirm).
Step 2: In the black command-prompt window that opens, type "ping www.symantec.com" and press Enter.
Step 3: If the result looks like this:
Pinging a568.d.akamai.net [63.217.8.161] with 32 bytes of data:
...... (followed by eight or nine more lines)

the computer is not infected.
If the result looks like this:
Ping request could not find host www.symantec.com. Please check the name and try again.

the computer is infected. Contact the computer room promptly; the maintenance staff can confirm the infection from the other indicators listed above. (A computer whose network is down altogether will also fail this test, which is why the maintenance staff check the other indicators as well.)
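The ping test relies on the worm's DNS filtering, so it can be generalised: resolve several anti-virus vendor names and one control name the worm does not filter, and treat the host as suspicious only when the control resolves and the vendor names do not, since a host with no network at all fails both. The following Python script is an added example written for these notes, not a tool from the original page or from any vendor. The vendor names other than www.symantec.com and the control name www.example.com are assumptions, and it assumes the worm's filter affects any resolver call the way the ping test above shows.

```python
"""Added example: generalised version of the 'ping www.symantec.com' check.

Resolves a few anti-virus vendor names plus a control name and classifies
the host from the pattern of failures rather than from a single lookup.
"""
import socket

# Names the worm is expected to filter. www.symantec.com is the one used in
# the notes; the other two are assumed to match the worm's vendor-string list.
AV_NAMES = ["www.symantec.com", "www.kaspersky.com", "www.microsoft.com"]

# Control name with no anti-virus vendor string in it (assumption: any
# ordinary resolvable name will do; the company's own web server also works).
CONTROL_NAMES = ["www.example.com"]


def resolve_all(names, resolve=socket.gethostbyname):
    """Map each name to True if `resolve` returned an address, False if it
    raised. `resolve` is injectable so the logic can be exercised offline."""
    results = {}
    for name in names:
        try:
            resolve(name)
            results[name] = True
        except OSError:          # socket.gaierror is a subclass of OSError
            results[name] = False
    return results


def classify(av_results, control_results):
    """Return 'suspicious', 'clean', 'offline' or 'inconclusive'.

    suspicious    control resolves, none of the vendor names do (worm pattern)
    clean         every vendor name resolves
    offline       nothing resolves at all (network or DNS problem, not the worm)
    inconclusive  partial failures; check the other indicators in the notes
    """
    control_ok = all(control_results.values())
    av_ok = av_results.values()
    if control_ok and not any(av_ok):
        return "suspicious"
    if all(av_ok):
        return "clean"
    if not any(control_results.values()):
        return "offline"
    return "inconclusive"


def check_host(resolve=socket.gethostbyname):
    """Run both lookups on this machine and return (verdict, av, control)."""
    av = resolve_all(AV_NAMES, resolve)
    control = resolve_all(CONTROL_NAMES, resolve)
    return classify(av, control), av, control


if __name__ == "__main__":
    verdict, av, control = check_host()
    for name, ok in list(av.items()) + list(control.items()):
        print("%-22s %s" % (name, "resolves" if ok else "FAILS"))
    print("verdict:", verdict)
```

Run it on the suspect machine; "suspicious" corresponds to the failed ping in Step 3, "offline" means the machine simply has no name resolution and the other indicators (registry values, disabled services, firewall rule) must decide.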

Q: A dialog box pops up on my screen every few minutes or tens of minutes saying my computer has the Downadup.B virus (or a variant). Is my computer infected?
A: No. But your computer is one that the worm is trying to infect (so you still need to contact the computer room promptly to get it fully protected); the alert appears precisely because Symantec Anti-Virus blocked the infection. Conversely, a computer that really is infected gives no such clear indication.

Q: Which computers are vulnerable to the Downadup worm?
A: Computers with any of the following characteristics are at risk:
· Missing patch KB958644 (MS08-067). It has already been released through our WSUS system.
· No firewall: for example Windows 2000, which has no convenient built-in firewall, or Windows XP with the firewall turned off.
· File sharing enabled: each widening of the file-sharing scope in the firewall multiplies the chance of infection; limiting the scope to the local subnet lowers the chance, and not enabling file sharing at all is best.
· No anti-virus software installed, or anti-virus software not kept up to date.
· Empty or weak super user (administrator) password. If a computer is infected through its super user account, every other computer using the same super user password is in danger.

Q: Why has my account kept getting locked over the past few days?
A: One way Downadup spreads is to take the account of the currently logged-on user, combine it with its built-in password list, and try to open the ADMIN$ share on other computers one by one. Since the company's account policy locks an account after three wrong passwords, the worm's password guesses get the account locked on the server. Inside the company the worm also enumerates the accounts of other people in the same group and tries passwords against those as well.

Q: My computer cannot even access the Internet. How did it get infected?
A: It was infected by other infected computers on the internal network.

Q: My computer is completely disconnected from the network. How could it get Downadup?
A: Downadup also spreads through removable storage: USB flash drives, mobile hard drives, MP3 and MP4 players, digital cameras, DV camcorders and mobile phones.

Q: What damage does Downadup do?
A: That is the big question for experts worldwide. Nobody knows who wrote Downadup or what it is for. It is dangerous because it contains an Internet update mechanism: whatever this version does not do, the next version can.
Its impact on the company so far:
· Frequent account lockouts
· Some consumption of network bandwidth
· Worry among users

Q: Why can Symantec not deal with a computer once it is infected?
A: After a computer is infected, if Symantec is reinstalled and its virus definitions updated, it finds nothing, yet the worm keeps trying passwords, so Symantec is wrongly judged to have failed.
However, a message does appear when you look at Symantec's scan results:
Unable to launch the program c:\windows\system32\dtwulk.dll [00000003]
Once the worm has installed itself, it sets the access permissions on its DLL so that Everyone has only "traverse folder / execute file" rights and no read access; the anti-virus scanner therefore cannot read the file in order to scan it. (Clever; I only learned today that permissions can be abused this way.)

Q: How can infected computers be found?
A: Individual users can ping www.symantec.com. Maintenance staff can use the following method: an infected computer scans the network looking for other computers with open shares and tries the usual propagation methods (password guessing, vulnerability exploitation, etc.), so capture ARP packets on the subnet (ARP request packets, not ARP spoofing packets) and look for a computer that is asking for addresses across the subnet one after another; such a computer is generally infected. We will set up a monitoring point in each subnet, and when an infected computer is found, ask colleagues to work together to remove the worm.
In addition, searching the AC logs for "/search?q=___," or "/search?q=____," shows how many infected computers there are among those able to reach the Internet.
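As an added example of the ARP-request method (written for these notes; not the computer room's own tooling), the following Python script reads tcpdump-style ARP lines, counts how many distinct addresses each sender asks for inside a sliding time window, and reports senders above a threshold. The sample capture is constructed; the window, the threshold and the idea of skipping the gateway and DHCP server (which legitimately ARP for many hosts) are assumptions.

```python
"""Added example: flag hosts that ARP-sweep a subnet, as Downadup.B does
when it scans for shares and exploitable machines.

Input is the text format printed by `tcpdump -n arp`, e.g.
  11:02:01.000000 ARP, Request who-has 192.168.17.20 tell 192.168.17.157, length 46
"""
import re
from collections import defaultdict

ARP_REQUEST = re.compile(
    r"^(\d\d):(\d\d):(\d\d)(?:\.\d+)? ARP, Request who-has ([0-9.]+) tell ([0-9.]+)"
)

# Constructed sample capture: 192.168.17.157 sweeps .1-.40 over about 20 s
# (the worm-like pattern), 192.168.17.101 does two ordinary lookups, plus one
# reply line that the parser must ignore.
SAMPLE_ARP = [
    "11:02:%02d.000000 ARP, Request who-has 192.168.17.%d tell 192.168.17.157, length 46"
    % (i // 2, i)
    for i in range(1, 41)
] + [
    "11:02:05.000000 ARP, Request who-has 192.168.17.1 tell 192.168.17.101, length 46",
    "11:02:09.000000 ARP, Request who-has 192.168.17.12 tell 192.168.17.101, length 46",
    "11:02:10.000000 ARP, Reply 192.168.17.12 is-at 00:11:22:33:44:55, length 46",
]


def parse_arp_requests(lines):
    """Yield (seconds_since_midnight, sender_ip, target_ip) for request lines."""
    for line in lines:
        m = ARP_REQUEST.match(line)
        if not m:
            continue
        h, mi, s, target, sender = m.groups()
        yield int(h) * 3600 + int(mi) * 60 + int(s), sender, target


def find_scanners(lines, window=60, threshold=20, ignore=()):
    """Return {sender_ip: max_distinct_targets_in_window} for senders that
    asked for at least `threshold` distinct addresses within `window` seconds.
    `ignore` lists addresses (gateway, DHCP server) that ARP widely by design."""
    events = defaultdict(list)
    for t, sender, target in parse_arp_requests(lines):
        if sender not in ignore:
            events[sender].append((t, target))
    scanners = {}
    for sender, ev in events.items():
        ev.sort()
        in_window = defaultdict(int)   # target -> occurrences inside the window
        best = left = 0
        for t, target in ev:
            in_window[target] += 1
            # drop requests older than `window` seconds from the left edge
            while t - ev[left][0] > window:
                old = ev[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            scanners[sender] = best
    return scanners


if __name__ == "__main__":
    for ip, n in sorted(find_scanners(SAMPLE_ARP).items()):
        print("%s asked for %d distinct hosts within 60 s -> check this computer" % (ip, n))
```

Feed it a real capture with something like `tcpdump -n -l arp | python arp_scan.py` after replacing SAMPLE_ARP with `sys.stdin`; tune the threshold to the size of the subnet, and put the gateway in `ignore` rather than lowering the threshold.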

Q: What should I do if my computer is infected?
A: Normally, using an ordinary account, copy the following files from the \\192.168.21.75\d share to the local machine:
· The Kaspersky Downadup removal tool: kkiller.exe
· The KB958644 patch for the operating system (the directory holds both the Win2k and the WinXP versions)
Then disconnect the network, log on as the super user (administrator), and run the Kaspersky tool to scan and remove the worm.
After removal: install the system patch (if not already installed), check that the special port is no longer open, ping www.symantec.com, and set the two disabled services back to their normal startup types (Automatic Updates to Automatic, BITS to Manual). Update Symantec Anti-Virus normally, and finally run a full scan to verify the result.
If the super user account is not enabled, enable it first.

Q: Why not use Symantec's removal tool?
A: In actual use the Symantec removal tool is too conservative:
· It scans the entire system, which takes far too long, instead of just the System32 directory.
· It cannot unlock the files whose permissions deny access.
· It does not repair the hooked APIs.
· It does not terminate the svchost process immediately.
By contrast, the Kaspersky tool takes fewer steps and the effect is more obvious.

Internal infection history of the company
From log analysis:
2009-03-30
14:37:12
First alert on c424 for W32.Downadup.B; reported to the computer room, but I thought it was only caused by the mail client's temporary directory.
22:28:27
First record of GL-DN-N01 trying to spread W32.Downadup to c539.
GL-DN-N01 was probably infected while directly connected to the Internet to test why the Agricultural Bank website could not be reached; as a test machine it had every exposure: no anti-virus software installed, no firewall, no patches.

2009-03-31
08:05:47
First alert on c838 for W32.Downadup!autorun on a mobile hard drive; the machine kept raising alerts about the mobile hard drive that day.

2009-04-01
c424 alerted on W32.Downadup.B several more times; reported to the computer room, but I still thought it was only the mail temporary directory. Analysis now shows the computer was already infected and had started scanning.
On April 1 Symantec could only clean the file dropped in the folder, identified generically as Trojan.Dropper without a specific name. Several computers were already in the same state.

2009-04-02
GL-MS-71 was targeted and c424 continued to be targeted, but on the whole nothing was done.

2009-04-03
c424 continued to be targeted.

Three days off.

2009-04-07
c424 targeted again. In addition, an infuriating log entry: c125 kept getting infected (Trojan.Vundo, alerting every three seconds) and nobody responded.

2009-04-08
c424 still targeted.
14:26:53
An attack by c488 on the proxy server was recorded, i.e. c488 was carrying W32.Downadup.B by that time.

2009-04-09
In the morning the system reported W32.Downadup.B attacks from more computers.
From here on the logs contain a great deal about W32.Downadup.B; I stop extracting from the logs and switch to my own handling.

In the morning, calls asking for locked accounts to be unlocked kept coming; the checks pointed to computer c488. After going to the machine and updating its anti-virus software normally, no problem was found, which left many questions, but being busy I did not investigate further. In the afternoon the servers recorded a large number of attacks and password attempts; in hindsight the infection had already spread.
In the evening, analysing the system logs showed that the attacks decreased as the number of online computers decreased; disabled the insecure account 17711. Collected basic information from the core switch.

2009-04-10
Attack log entries started at about the time the infected computer in the aluminum area was switched on. In the morning, unplugged the network cable of the computer in the monitoring room. Through the logs, Symantec caught the first infected computer, IN5-CNC-02, which raised confidence; compiled the characteristics of infected and attacked computers (anti-virus version, patches, operating system, file sharing). In the afternoon, captured ARP packets and found three infected computers: GL-DN-N01, c027, c488.
In the evening, analysed c488, looked up related information, learned the worm's characteristics, and found the simplest detection method: ping the anti-virus vendor's website. With several layers of assurance in place there is no need to worry about the worm spreading further.

2009-04-11
Continued using c488 as the specimen, compiled the worm's other characteristics, wrote the relevant documents, and prepared for a full cleanup when work resumes.

AC log (client IP address, number of hits)
(date not recorded)
192.168.17.157 103
192.168.17.101 113
192.168.17.157 289
192.168.11.60 77
192.168.12.127 83
192.168.13.102 96
192.168.17.101 525
192.168.17.117 177
192.168.17.118 80
192.168.17.127 92
192.168.17.151 77
192.168.17.157 345
192.168.18.51 169
192.168.21.72 92
192.168.21.76 280
192.168.22.62 79
2009-04-10
192.168.12.104 254
192.168.13.107 90
192.168.17.101 322
192.168.17.118 179
192.168.17.127 354
192.168.17.157 486
192.168.18.51 95
192.168.21.76 220
192.168.21.79 8
192.168.17.157 335
192.168.18.51 99
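The AC search for "/search?q=" used to produce the table above is effective but broad: an ordinary search-engine query such as google.com/search?q=... matches the same string. The following Python script, an added example written for these notes (not the AC's own query language), narrows the match to the worm's pattern seen in the AC records earlier, an HTTP request to a bare IP address with a numeric q value, and produces per-client hit counts of the kind tabulated above. The log line layout and the sample lines are constructed; a real AC export will need the regular expression adjusted to its columns.

```python
"""Added example: pick Downadup.B '/search?q=<n>' beacons out of a web-gateway
log and count them per client, distinguishing them from ordinary search
queries that contain the same path."""
import re
from collections import defaultdict

# Constructed sample in a generic "date time client-ip url action" layout.
# The third line is a legitimate search-engine query that a plain text search
# for "/search?q=" would wrongly count.
SAMPLE_AC_LOG = """\
2009-04-10 08:31:02 192.168.17.157 http://74.208.64.145/search?q=17 allowed
2009-04-10 08:31:05 192.168.17.157 http://199.2.137.252/search?q=17 allowed
2009-04-10 08:32:11 192.168.17.101 http://www.google.com/search?q=conficker allowed
2009-04-10 08:40:45 192.168.18.51 http://74.208.64.145/search?q=3 allowed
2009-04-10 08:41:00 192.168.18.51 http://74.208.64.145/search?q=3 allowed
2009-04-10 09:02:00 192.168.17.157 http://199.2.137.252/search?q=18 allowed
2009-04-10 09:05:14 192.168.17.101 http://www.example.com/ allowed
""".splitlines()

# Worm beacon: scheme, a literal dotted-quad host (no hostname), optional
# port, path /search?q= followed by digits only.
BEACON = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>[0-9.]+) "
    r"https?://(?P<server>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/search\?q=(?P<q>\d+)(?:\s|$)"
)


def beacons(lines):
    """Yield (client_ip, server_ip, q_value) for every matching log line."""
    for line in lines:
        m = BEACON.match(line)
        if m:
            yield m.group("client"), m.group("server"), int(m.group("q"))


def beacon_report(lines):
    """Return {client_ip: {"hits": n, "servers": [...], "q": [...]}}.
    The q values are recorded as seen; this example does not interpret them."""
    report = defaultdict(lambda: {"hits": 0, "servers": set(), "q": []})
    for client, server, q in beacons(lines):
        entry = report[client]
        entry["hits"] += 1
        entry["servers"].add(server)
        entry["q"].append(q)
    return {ip: {"hits": e["hits"], "servers": sorted(e["servers"]), "q": e["q"]}
            for ip, e in report.items()}


def beacon_counts(lines):
    """Per-client hit counts only, the same shape as the AC log table."""
    return {ip: e["hits"] for ip, e in beacon_report(lines).items()}


if __name__ == "__main__":
    for ip, e in sorted(beacon_report(SAMPLE_AC_LOG).items()):
        print("%-16s %3d hits  servers=%s  q=%s"
              % (ip, e["hits"], ",".join(e["servers"]), e["q"]))
```

Every client that appears in the report is worth a visit; a rising hit count for the same client across days, as for 192.168.17.157 in the table above, means the machine has not been cleaned yet.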
