
W32.Downadup.B: How to prevent it?

Created: 16 Mar 2010 | Updated: 19 Sep 2010 | 4 comments
Jack Sperow

Hi All,

W32.Downadup.B is spreading across the whole network. How can I prevent this virus? Please share it with me. I downloaded its removal tool as well, but I don't think that is the right way, or that it will work.


VinodhRaj K

W32.Downadup is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, so applying the Microsoft patches is mandatory.

This virus copies itself into the Recycle Bin and uses scheduled jobs and the autorun function to load its content into memory and infect the system. It also changes the registry, disabling the "show hidden files" function, so the operating system itself is unable to show this file to the administrator and our antivirus is unable to detect the file.

How to proceed after applying the patches

1. Disable autorun (reference: Microsoft KB)
http://support.microsoft.com/kb/953252

2. Temporarily disable the "Server" and "Computer Browser" services (if possible)
Disabling the Computer Browser and Server services on the affected systems will help protect systems from remote attempts to exploit this vulnerability.

3. Temporarily disable the "Task Scheduler" service
Disabling the Task Scheduler will help protect systems from local attempts to use scheduled tasks to copy infected files all over the network.

4. Disconnect the network drives/shares (Admin$ and C$)
Then install the latest available definitions from Symantec and run a full system scan on all the machines on the network to resolve the issue.
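The four containment steps in the comment above, written out as a PowerShell script so they can be applied consistently across many hosts. This is an added example for this thread, not code from the poster, Symantec or Microsoft. It assumes it runs elevated on the affected Windows machine; the hotfix number of the Server Service patch is left as a placeholder ($PatchKbId) for the operator to fill in from the Microsoft bulletin for their OS. The registry locations (NoDriveTypeAutoRun from KB953252, the Explorer SHOWALL\CheckedValue key, and the LanmanServer AutoShare values) and the service short names (Browser, LanmanServer, Schedule) are the example's own choices. Without -Apply the script only reports what it would change.

```powershell
<#
  Containment script for the steps in the comment above.
  Added example for this thread; not the poster's or Symantec's code.
  Assumptions: elevated PowerShell on the affected host; $PatchKbId is the
  hotfix number of the Microsoft Server Service patch (operator supplied).
#>
param(
    [string]$PatchKbId = 'KB_PLACEHOLDER',   # fill in from the Microsoft bulletin
    [switch]$Apply                           # omit for a dry run
)

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ShowAllKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$LanmanParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Run an action only when -Apply was given; otherwise just describe it.
function Invoke-Step([string]$Description, [scriptblock]$Action) {
    if ($Apply) { Write-Host "[apply] $Description"; & $Action }
    else        { Write-Host "[dry-run] $Description" }
}

# Check 0: the patch the comment calls mandatory. Get-HotFix returns nothing when absent.
function Test-ServerServicePatch {
    $hotfix = Get-HotFix -Id $PatchKbId -ErrorAction SilentlyContinue
    if ($hotfix) { Write-Host "Patch $PatchKbId installed on $($hotfix.InstalledOn)" }
    else { Write-Warning "Patch $PatchKbId NOT found; install it before anything else" }
    return [bool]$hotfix
}

# Step 1: disable AutoRun for every drive type (KB953252: NoDriveTypeAutoRun = 0xFF).
function Disable-AutoRun {
    Invoke-Step 'Set NoDriveTypeAutoRun = 0xFF' {
        if (-not (Test-Path $ExplorerPolicy)) { New-Item -Path $ExplorerPolicy -Force | Out-Null }
        Set-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
}

# Steps 2 and 3: stop and disable the services the worm relies on. The previous
# start mode is printed so the services can be re-enabled once the network is clean.
function Disable-ServiceTemporarily([string[]]$Names) {
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "Service $name not present"; continue }
        $startMode = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
        Invoke-Step "Stop and disable $name (start mode was $startMode)" {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $name -StartupType Disabled
        }
    }
}

# Step 4: remove ADMIN$ and C$ and stop them from being recreated at boot.
function Remove-AdminShares {
    Invoke-Step 'Delete ADMIN$ and C$; set AutoShareServer/AutoShareWks = 0' {
        net share 'ADMIN$' /delete 2>$null
        net share 'C$' /delete 2>$null
        Set-ItemProperty -Path $LanmanParams -Name AutoShareServer -Value 0 -Type DWord
        Set-ItemProperty -Path $LanmanParams -Name AutoShareWks    -Value 0 -Type DWord
    }
}

# Undo the "show hidden files" tampering the comment describes so the dropped
# files are visible to the administrator again.
function Restore-ShowHiddenFiles {
    $current = (Get-ItemProperty -Path $ShowAllKey -ErrorAction SilentlyContinue).CheckedValue
    if ($current -ne 1) {
        Invoke-Step "SHOWALL\CheckedValue is '$current'; reset to 1" {
            Set-ItemProperty -Path $ShowAllKey -Name CheckedValue -Value 1 -Type DWord
        }
    }
}

# Review aid: list scheduled tasks whose command runs rundll32, worth a look
# before the Task Scheduler service is disabled (a listing, not a verdict).
function Get-RundllTasks {
    schtasks /query /fo csv /v 2>$null | ConvertFrom-Csv |
        Where-Object { $_.'Task To Run' -match 'rundll32' } |
        Select-Object TaskName, 'Task To Run', 'Next Run Time'
}

Test-ServerServicePatch | Out-Null
Get-RundllTasks | Format-Table -AutoSize
Disable-AutoRun
Restore-ShowHiddenFiles
Disable-ServiceTemporarily -Names 'Browser', 'LanmanServer', 'Schedule'
Remove-AdminShares
```

Run it once without -Apply to see the report, then with -Apply on hosts where losing file sharing and remote administration is acceptable, which is why the comment says "if possible": stopping LanmanServer also takes down the administrative shares and any remote management that depends on them, so keep a console or out-of-band path to each machine and re-enable the services after the definitions update and full scan.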
reedmohn

Apart from the guidelines given above, make sure you change the local administrator passwords on the computers. Also make sure that no other administrator account, or really any user account with privileges to log into many computers, has a weak password.

If you have password problems, you will not be safe, even with all the patching and everything else.
Brian81

First off, identify the source using the risk log in SEPM. If you select a line and hit Details, it should show you the source. Once you find the machine, get it off the network, boot into safe mode and run a full scan. You can also run the Conficker removal tool and apply the patch. From there, change the password of the user that Conficker is using to spread itself across the network. Then you should be good.

I'm dealing with this as we speak.
