Conficker-A / B Network Wide Infection
Closed     Case # 10009     Affiliated Job:  New Trier Township District 2031
Opened:  Monday, February 1, 2010     Closed:  Thursday, February 11, 2010
Total Hit Count:  29751     Last Hit:  Wednesday, December 11, 2024 11:57:43 AM
Unique Hit Count:  7543     Last Unique Hit:  Wednesday, December 11, 2024 11:57:43 AM
Case Type(s):  Helpdesk, Development, Server
Case Notes(s):  All cases are posted for review purposes only. Any implementations should be performed at your own risk.

Problem:
Despite our Sophos Enterprise deployment, the Conficker virus penetrated and was introduced into our environment sometime around December or January. Helpdesk tried to battle this infestation; however, due to many systems not having Sophos installed or problems with the installation; the virus outbreak spread across the entire network. It appears the virus remains in the local subnet that it exists and therefore the servers remained unaffected.

On-Access scanning was enabled and Windows XP SP3 was installed across the network; therefore, the effects of the virus were disabled, but the spreading could occur for those machines without Sophos. The virus spreads by trying to place a file into the Windows directory via an infected machine to a remote machine on the same subnet across the network. It also attempts to create scheduled tasks forcing the new file to run at various time intervals. Having On-Access scanning enabled permits the clean machines to remain clean; but if the machine is already infected, a full scan is required.

Action(s) Performed:
Total Action(s): 1
Action # Recorded Date Type Hit(s) User Expand Details
10038 2/11/2010 2:43:33 PM Development 3966 contact@danieljchu.com Our first step was to gather information about the machines without Sophos,  More ...

Resolution:
Among the actions taken, the most useful action was to force run the "Microsoft Windows Malicious Software Removal Tool." We did this through the Logon Script which does the following:
-   Copies the mrt.exe locally
-   Runs the mrt.exe scan
-   Checks the final log create by the mrt scan for "Threat detected:"
   o   If found, the log is copied out to the server into a "01-VirusFound" folder - also, if the words "the system needs to be restarted." is found in the log, the user is prompted to reboot
   o   Otherwise it is either placed into "02-NoVirusFound" or "03-CouldNotRun" dependent on the success of the scan

This script runs in the background without the user ever knowing and these logs help to identify the machines requiring further attention. Using these reports we could determine the machines with or without Sophos and also identify the ones infected, possibly indicating the antivirus agent would need installed on that system.

Code to Run MRT Scan [RunMRT.cmd]:
@ECHO OFF
ECHO Processing Microsoft's Malicious Software Removal Tool...

C:
CD\WINDOWS\DEBUG
type mrt.log >> mrt.org
del /F /Q mrt.log
del /F /Q mrt.txt

C:
CD %USERPROFILE%\Local Settings\TempMKDIR MRTSCAN
CD MRTSCAN
del /F /Q mrt*.*
COPY /Y \\[DFS PATH]\SysVol\[DOMAIN]\Policies\{POLICY GUID}\Machine\Scripts\Startup\Microsoft\Sleep.exe
COPY /Y \\[DFS PATH]\SysVol\[DOMAIN]\Policies\{POLICY GUID}\Machine\Scripts\Startup\Microsoft\logon-scan\mrt.exe mrtv34.exe

SET PATH=%PATH%;%USERPROFILE%\Local Settings\Temp\MRTSCAN;

IF EXIST "%USERPROFILE%\Local Settings\Temp\MRTSCAN\mrtv34.exe" ( GOTO CONTINUE01 ) ELSE ( GOTO CONTINUE02 )

:CONTINUE01
call Sleep.exe 5
Start /wait mrtv34.exe /q

:CONTINUE02
REM del /F /Q \\[SERVERNAME]\MS-MAL-RM-Tool$\01-VirusFound\%computername%.log
del /F /Q \\[SERVERNAME]\MS-MAL-RM-Tool$\02-NoVirusFound\%computername%.log
del /F /Q \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log

C:
CD\WINDOWS\DEBUG
ECHO ----* > mrt.txt
ECHO Scan Run By: %USERNAME% completed at %DATE%, %TIME% >> mrt.txt
ECHO ----* >> mrt.txt
type mrt.log >> mrt.txt
type mrt.txt >> mrt.org
del /F /Q mrt.log

IF EXIST "C:\WINDOWS\DEBUG\mrt.txt" ( GOTO CONTINUE03 ) ELSE ( GOTO CONTINUE04 )

:CONTINUE03

findstr /n /c:"Threat detected:" "C:\WINDOWS\DEBUG\mrt.txt"
IF %errorlevel%==0 (
copy %windir%\debug\mrt.txt \\[SERVERNAME]\MS-MAL-RM-Tool$\01-VirusFound\%computername%.log

findstr /n /c:".*the system needs to be restarted." "C:\WINDOWS\DEBUG\mrt.txt"
IF %errorlevel%==0 (
> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO ON ERROR RESUME NEXT
>> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO Dim Answer
>> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO Set wshShell = CreateObject( "WScript.Shell" ^)
>> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO Answer = MsgBox ( "A scan performed at logon has discovered & cleaned" ^& vbCrLf ^& _
>> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO "a virus found on this machine [%COMPUTERNAME%]." ^& vbCrLf ^& _
>> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO "Please reboot at your next opportunity, to reboot" ^& vbCrLf ^& _
>> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO "now click 'Yes.' Otherwise, to reboot later, simply click 'No.'" ^& vbCrLf ^& _
>> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO "Thank you for your assistance! - NTHS Help Desk.", 4, _
>> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO "New Trier: Help Desk" ^)
>> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO If Answer = 6 Then wshShell.Run "shutdown -r -f -t 20", 0, false
WSCRIPT.EXE "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs"
DEL /F /Q "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs"
)

) ELSE (
copy %windir%\debug\mrt.txt \\[SERVERNAME]\MS-MAL-RM-Tool$\02-NoVirusFound\%computername%.log
)

del /F /Q mrt.txt

GOTO END

:CONTINUE04

IF EXIST "C:\WINDOWS\DEBUG\mrt.log" (
ECHO ----* > \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
ECHO Attempted By: %USERNAME% completed at %DATE%, %TIME% >> \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
ECHO ----* >> \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
type %windir%\debug\mrt.log >> \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
) ELSE (
IF EXIST "C:\WINDOWS\DEBUG\mrt.org" (
ECHO ----* > \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
ECHO Attempted By: %USERNAME% completed at %DATE%, %TIME% >> \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
ECHO ----* >> \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
type %windir%\debug\mrt.org >> \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
) ELSE (
ECHO ----* > \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
ECHO Attempted By: %USERNAME% completed at %DATE%, %TIME% >> \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
ECHO mrt.log, .txt or .org file does not exist >> \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
ECHO ----* >> \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log
)
)

:END



Profile IMG: Footer Left Profile IMG: Footer Right