We knew it was only a matter of time—a client on the Test Center Lab's threat network became infected with W32.Downadup, aka Conficker.
We were happy about it, however, as it gave us a chance to witness firsthand the behavior of the malware on a client and to test one of the many Conficker-removal tools being offered.
It's tricky to be 100 percent certain that a machine has been infected with Conficker, but the afflicted machine was displaying some classic symptoms of the latest variant:
Browser redirection: Results from Google searches redirected to pages that had nothing to do with the search results. Eventually, even the Google home page would not load, with the browser reporting the error "Navigation Canceled."
Mystery .dll errors: On bootup, before any of the startup programs loaded, nonsensical .dll errors popped up, for example "wxyghxyzing.dll could not load." After clicking through these error messages, the startup programs did load. In fact, launching any installed program, such as Microsoft Word, caused a .dll error message to pop up, although the program would load after closing the message.
P2P program problems: Kazaa could not make a connection. Although it's not really P2P anymore, Napster was unable to load our user profile and downloaded MP3 files.
Driver problems: A previously recognized MP3 player's drivers would not load, as was the case with USB drives.
Other issues included being unable to connect to Windows Update. The browser also was unable to connect to any of the major antimalware vendor sites. Attempting to connect to Symantec, Trend Micro or McAfee gave "Page not Found" errors, redirected us to other sites or froze the browser completely.
The browser crashed when connecting to MSN or any Windows Live service such as Hotmail.
The machine was unable to print to the default printer or select another printer when printing from an application (although we could print from the Web).
Although we did not notice a significant slowdown of the machine's performance, the above issues were enough to render the machine almost useless.
To fix the problem, we took a few steps. First, we burned a copy of Sophos' Conficker Removal Tool onto a CD. We did this, of course, because USB drives were not being recognized. Then, we took the client completely off the network, even disabling the wireless radio, so there would be no Internet connectivity.
Next, we turned off System Restore. The machine was running Windows XP SP2, and we did not want a restore point holding a copy of the malware to reinfect the machine once it was cleaned.
We ran the Sophos tool, and sure enough, it detected Conficker. After scanning the machine, the utility also confirmed removal of the virus.
Upon reboot, we still got a few of those .dll error messages. However, everything seemed to be OK with Web browsing. We could also now load Napster and Kazaa. Printing services were resumed and the machine was able to recognize USB drives. Connecting to Windows Update was a go.
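The symptoms above are things we checked by hand; the script below is an added triage example (not from the article, Sophos, or any vendor tool) that probes two of them from an elevated PowerShell prompt: whether security-vendor and Microsoft update names resolve while an unrelated name still does, and whether the Windows services Conficker is known to stop (Windows Update, BITS, Security Center, Windows Defender, Error Reporting) are running. The host list, the control host and the service list are my own choices; the script only reports and changes nothing.

```powershell
# Added triage script: checks for two Conficker-style symptoms described in the article.
# Assumptions: run elevated; the hosts and services below are chosen by the editor, not
# taken from the article. Run it before cleanup to support the diagnosis and again after
# the reboot to confirm the symptoms are gone.

$vendorHosts = @('www.symantec.com', 'www.trendmicro.com', 'www.mcafee.com',
                 'www.sophos.com', 'update.microsoft.com', 'www.google.com')
$controlHost = 'www.example.com'   # a name Conficker has no reason to block (baseline)

# Services Conficker stops on an infected host; ERSvc is the XP Error Reporting service.
$watchedServices = @('wuauserv', 'BITS', 'wscsvc', 'WinDefend', 'ERSvc')

$findings = @()

# Returns $true when the name resolves. Conficker hooks the DNS client and fails lookups
# for security-vendor and update domains, so a failure here while the control host
# resolves points at selective blocking rather than a dead network link.
function Test-NameResolves([string]$name) {
    try { [System.Net.Dns]::GetHostAddresses($name) | Out-Null; return $true }
    catch { return $false }
}

$baselineOk = Test-NameResolves $controlHost
if (-not $baselineOk) {
    $findings += "DNS: even $controlHost does not resolve; check connectivity before reading further"
}
foreach ($h in $vendorHosts) {
    if ($baselineOk -and -not (Test-NameResolves $h)) {
        $findings += "DNS: $h does not resolve although $controlHost does (selective blocking)"
    }
}

# A stopped/disabled update or security service matches the 'cannot reach Windows Update'
# symptom; services that do not exist on this Windows version are skipped.
foreach ($s in $watchedServices) {
    $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') {
        $findings += "Service: $s is $($svc.Status)"
    }
}

if ($findings.Count -eq 0) {
    'No Conficker-style DNS or service symptoms found.'
} else {
    'Possible Conficker symptoms:'
    $findings | ForEach-Object { " - $_" }
}
```

A clean result does not prove the machine is clean; it only means these two symptoms are absent, so a full scan is still the right next step.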
The Sophos tool seemed to do the trick. Any remaining problems may be because the Conficker infection gave adware or scumware an entryway onto the machine. At least at this point we can run in-depth security software for a deeper analysis.
Since Sophos' utility worked for us, we could not test other Conficker fix-its. However, we are getting some good feedback on two other on-the-fly removal utilities: the Avert Stinger Tool for Removing Conficker and Symantec's W32.Downadup Removal Tool.