Conflicker/Downadup Problems

falkaholic · Dec 8, 2008

Hi,

I'm am supporting a corporate 2k/XP network with a Downadup/Conflicker outbreak.

I have a few questions/rants/theories to ask/share.

1. We have the misfortune to have Symantec anti virus 9 corporate installed. It seems to discover this worm over and over, 1 out of 4 times it say it deletes it, only to have it come back (even with the patch)

2. Some computers, mostly XP, seem to have clear of the worm but are acting very strange. To network connectivity problems to slow log-on to freezes to taskbar lock ups. My theory is the worm is trying to infect but failing- over writing the wrong memory. Causing somewhat unpredictable behavior.

3. I've read this worm closes its own security hole, if it does that, how does it re-infect computers again?

4. Our WSUS server quietly stopped working, leaving us without the patch. After patching, the virus seems to come back, anyone think this worm is tricker then described?

Corporal Punishment · Dec 10, 2008

The trojan doesn't close any security holes, at least that I know of, it does however reset the systems restore point. It also is reported to try and o connect to '0x90.devtech.us' 'getmyip.org', 'getmyip.co.uk' and 'checkip.dynsdns.org' so you may want to block those. I little hosts file should do the trick.

Nortons most recent doc here: http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=3 indicates the file hides in system restore and requires a few reg values edited to get rid of it. Looks like if you miss the registry value or deleting system restore, the worm will reload. I would suspect there are others around in the file system some place, like prefetch - but that is a guess.

You'll want to start here and be very through. http://forums.majorgeeks.com/showthread.php?t=35407

Log in or Sign up

Conflicker/Downadup Problems

falkaholic Private E-2

Corporal Punishment Head of Software Shenanigans Staff Member