W32.Downadup.B

Our IT team has been fighting a worm outbreak for more than 13 hours now. We are seeing the W32.Downadup.B worm spreading like a disease. This worm exploits a Microsoft RPC vulnerability (MS08-067). Symptoms included AD account lockouts, RPC services on servers becoming unresponsive, client machines getting pop-ups about attempts to infect them, etc. Even machines that have the MS08-067 patch seem to be getting infected to varying degrees.

The first step was to set AD policy to not lock out accounts after too many bad password attempts. That provided some relief. “Fixing” a machine is a bit more difficult. The Symantec removal instructions are not complete by any stretch. The Windows service that gets added shows up as set to “Automatic” start but is not running. Attempts to set it to disabled or manual are met with an access denied message. This is because the registry keys for the service are not set to inherit permissions (and they are set to read only).

So the first thing to do is a full virus scan (with current defs). This will usually find one infected DLL file in the Windows system32 folder (and requires a reboot to fully resolve). Before rebooting, you need to find the service. Open it up and get the exact (strange) name listed at the top. Search the registry for those “protected” keys and set them to inherit permissions. Then you can delete the keys. Now reboot. When you come back up, you will need to set the Automatic Updates and BITS services back from disabled to automatic and start them. Process any critical updates and then you SHOULD be okay. An easy way to check is to see if you can reach the Microsoft website. The virus blocks that access, so if it works – you are probably done.

More details later (perhaps). I am still cleaning infections, and I drafted this in between machines while I was waiting.

5 Comments

  1. jdbarney said,

    January 7, 2009 @ 8:29 am

    My comments above were related to Server 2003. The same thing works in XP, but you need to disable system restore before you start.

  2. your Sister said,

    January 8, 2009 @ 3:50 pm

    I hope you get it all worked out! You do great work.

  3. jdbarney said,

    January 8, 2009 @ 9:01 pm

    F-Secure has released a removal tool. See the link below for more details. Also note, it has been determined that this virus can spread by USB keys / hard drives / etc. Best to disable autorun and autoplay for now.

    http://www.f-secure.com/weblog/archives/00001574.html

  4. Ricky said,

    February 3, 2009 @ 9:38 am

    How do you know what Services to remove? I can not find any that look out of place. We have 7 Windows 2003 servers infected…

  5. jdbarney said,

    February 3, 2009 @ 8:40 pm

    Ricky –

    There are a couple of ways to find the service. But before I explain that, I would strongly suggest that you download Symantec’s removal tool. It wasn’t out at the time I wrote this post, but it is very effective when it comes to removing this worm. You can download it from Symantec at …

    http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

    How to find the service? Sort your services list by startup type. This will bring all the “automatic” startup ones to the top of the list. Scan through all the ones set to “automatic” startup. You are looking for anything with a two word name (e.g. Download Helper) that is set to Automatic and IS NOT running. Be careful because there are some legitimate windows services that meet these criteria as well (security center comes to mind). At most, you shouldn’t have more than a few. If you open the service properties and look at the name (at the very top) – services that are created by the worm will just be a bunch of random letters that don’t make much sense. Furthermore, it is likely that you will be unable to change the startup status to anything but automatic. If you try to apply the setting, it will give you an access denied message. This is because the worm has modified the permissions on the registry key that controls the service.

    Okay. Anyway – much easier to use the Symantec removal tool. If it does find the infection, it will require a reboot to fully remove the virus. Also – be sure your AV defs are up-to-date and you apply the MS08-067 patch as quickly as you can. I feel your pain. We had over 100 servers that had to be cleaned and patched.

    Good luck!
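The manual checks from the post and from jdbarney's reply above (Automatic-but-stopped services, a service name that is a run of random letters, and a service registry key whose permission inheritance has been disabled) can be run as one read-only triage report. The PowerShell below is an added example, not code from the post, Symantec or F-Secure; it assumes PowerShell 3.0 or later, and the allow-list of legitimately stopped services and the vowel-ratio heuristic for "random letters" are my own assumptions to tune per environment.

```powershell
# Report-only triage: flag services that match the symptoms described in the post.
# Nothing here changes the system; remediation stays a manual (or vendor-tool) step.

# Legitimate services that are often Automatic but stopped (assumed allow-list;
# wscsvc is Security Center, which the reply above calls out as a false positive).
$knownStopped = @('wscsvc', 'wuauserv', 'BITS', 'ShellHWDetection')

function Test-RandomName {
    param([string]$Name)
    # Heuristic (assumption): worm-created names are pure random letters.
    # Flag letter-only names of 6+ characters with an unusually low vowel share.
    if ($Name -notmatch '^[A-Za-z]{6,}$') { return $false }
    $vowels = ([regex]::Matches($Name, '[aeiouAEIOU]')).Count
    return (($vowels / $Name.Length) -lt 0.2)
}

function Get-ServiceKeyAcl {
    param([string]$Name)
    # The post describes the service key as non-inheriting and read-only for admins.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return $null }
    $acl = Get-Acl -Path $key
    $adminFull = $acl.Access | Where-Object {
        $_.IdentityReference -match 'Administrators' -and
        $_.RegistryRights -match 'FullControl'
    }
    [pscustomobject]@{
        InheritanceDisabled   = $acl.AreAccessRulesProtected
        AdminsHaveFullControl = [bool]$adminFull
    }
}

# Step from the reply: sort by startup type, keep Automatic services that are not running.
Get-WmiObject Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' -and
                   $knownStopped -notcontains $_.Name } |
    ForEach-Object {
        $aclInfo = Get-ServiceKeyAcl -Name $_.Name
        [pscustomobject]@{
            Name                  = $_.Name
            DisplayName           = $_.DisplayName
            RandomLookingName     = Test-RandomName -Name $_.Name
            InheritanceDisabled   = $aclInfo.InheritanceDisabled
            AdminsHaveFullControl = $aclInfo.AdminsHaveFullControl
            ImagePath             = $_.PathName
        }
    } | Format-Table -AutoSize
```

A row that is RandomLookingName, has InheritanceDisabled set and lacks admin full control matches all three symptoms from the post; anything else on the list still needs a human look before touching it.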
