Conficker-A / B Network Wide Infection
Closed     Case # 10009     Affiliated Job:  New Trier Township District 2031
Opened:  Monday, February 1, 2010     Closed:  Thursday, February 11, 2010
Case Type(s):  Helpdesk, Development, Server
Case Note(s):  All cases are posted for review purposes only. Any implementations should be performed at your own risk.

Problem:
Despite our Sophos Enterprise deployment, Conficker got into our environment sometime around December or January. The helpdesk tried to contain the infestation; however, because many systems either did not have Sophos installed or had a broken installation, the outbreak spread across the entire network. The worm appeared to stay within the subnet it was introduced on, and the servers remained unaffected.

On-Access scanning was enabled and Windows XP SP3 was installed across the network, so the worm's payload was blocked on protected machines, but it could still spread from and to the machines without Sophos. It spreads from an infected machine by writing a copy of itself into the Windows directory of other machines on the same subnet, and by creating scheduled tasks on the target that run the dropped file at various time intervals. Having On-Access scanning enabled keeps clean machines clean; a machine that is already infected needs a full scan. Note that SP3 by itself does not close the remote vector: the MS08-067 Server service fix (KB958644) was released after SP3 and has to be installed separately.

Action(s) Performed:
Total Action(s): 1
Action # 10038     Recorded: 2/11/2010 2:43:33 PM     Type: Development     User: contact@danieljchu.com

Our first step was to gather information about the machines without Sophos. I wrote a script, run at computer startup on each workstation through Group Policy, that checks whether Sophos is installed and records the machines where it is not. Because a startup script runs as SYSTEM and reaches the network as the computer account, the hidden share it writes to must grant Domain Computers write access. These log files let us identify which machines needed direct attention. The Sophos Enterprise Console also listed systems requiring attention; mostly these were machines with Sophos installed that reported networked machines attempting to write an infected file to the local hard disk. Those machines remained unaffected because On-Access scanning blocks reading and writing of infected files. All settings in the Sophos Enterprise Console were also reviewed, and among the adjustments made, scanning of removable drives was enabled.

The next step was to deploy a new group policy, for workstations only, that disables access to Scheduled Tasks and disables AutoPlay (KB962007). On Windows XP the NoDriveTypeAutoRun policy is only honored reliably once the Autorun fix from KB967715 is installed, so that update should go out together with the policy.

Code to Check for Sophos [sophos.bat (1 or 2)]:
@ECHO OFF
REM sophos.bat 1|2  -  called from the GPO computer startup (1) or user logon (2) script.
REM Appends one CSV record to the hidden share when Sophos is not installed and
REM removes the machine's file again once SavService.exe is found.

SET vPassVar01=%1
SET vPassVar02=%2

REM Quoted comparison so an empty %1 does not break the IF
IF "%vPassVar01%"=="1" ECHO Logging Computer Logon to Workstation: %COMPUTERNAME%
IF "%vPassVar01%"=="2" ECHO Logging User Logon to Workstation: %COMPUTERNAME%
ECHO On: %DATE%
ECHO By User: %USERDOMAIN%/%USERNAME%
ECHO Logon Server: %LOGONSERVER%

REM Sophos Anti-Virus service binary, 32-bit and 64-bit install locations
IF EXIST "C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe" GOTO CONTINUE
IF EXIST "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe" GOTO CONTINUE

REM Not installed: record date,time,arg,domain,logonserver,computer,user.
REM Run as a startup script this authenticates as the computer account, so the
REM share must be writable by Domain Computers.
ECHO %DATE%,%TIME%,%vPassVar02%,%USERDOMAIN%,%LOGONSERVER%,%COMPUTERNAME%,%USERNAME% >> "\\[SERVERNAME]\MachinesWOSophos$\%COMPUTERNAME%.txt"
GOTO END

:CONTINUE
REM Installed: clear any earlier "missing" record for this machine
IF EXIST "\\[SERVERNAME]\MachinesWOSophos$\%COMPUTERNAME%.txt" del "\\[SERVERNAME]\MachinesWOSophos$\%COMPUTERNAME%.txt"

:END

Resolution:
Among the actions taken, the most useful was to force a run of the Microsoft Windows Malicious Software Removal Tool (MRT). We did this through the logon script, which:
-   copies mrt.exe locally
-   runs the mrt.exe scan
-   checks the log created by the scan for "Threat detected:"
   o   if found, the log is copied to the server into a "01-VirusFound" folder; if the log also contains "the system needs to be restarted." the user is prompted to reboot
   o   otherwise the log is placed into "02-NoVirusFound", or into "03-CouldNotRun" when the scan produced no log at all

The script runs in the background without the user noticing, and the resulting logs identify the machines that need further attention. Combined with the Sophos inventory, the reports tell us which machines lack Sophos and which are infected, which usually means the antivirus agent has to be installed or repaired on that system.

Two things to check before relying on it: MRT requires administrative rights, so as a logon script it only does anything where the logged-on user is a local administrator (otherwise run it as a computer startup script, which runs as SYSTEM); and the staged mrt.exe must be the current monthly build, since each release of MRT only removes the families it knows about.
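Added example, not part of the original case or of the two scripts above: a server-side triage script in Python that reads the per-machine files both scripts leave on the file server, applies the same "Threat detected:" and "the system needs to be restarted" checks that RunMRT.cmd does with findstr, and merges them with the Sophos inventory into a worklist sorted by urgency. The share and folder names are the ones the scripts use; the hostnames, user names, function names and log contents are constructed samples in the formats the scripts produce, not real MRT output.

```python
import re
from dataclasses import dataclass, field

# Strings RunMRT.cmd searches for with findstr (taken from the script on this page)
THREAT_MARKER = "Threat detected:"
REBOOT_MARKER = "the system needs to be restarted"

# Result folders RunMRT.cmd uses on the MS-MAL-RM-Tool$ share
VIRUS_FOUND, NO_VIRUS, COULD_NOT_RUN = "01-VirusFound", "02-NoVirusFound", "03-CouldNotRun"


@dataclass
class MachineStatus:
    name: str
    has_sophos: bool = True          # sophos.bat deletes its file once SavService.exe exists
    mrt_folder: str = COULD_NOT_RUN  # folder the logon script files the MRT report under
    needs_reboot: bool = False
    threats: list = field(default_factory=list)

    def priority(self):
        """Lower sorts first: infected and unprotected machines get the first visit."""
        score = 0
        if self.mrt_folder == VIRUS_FOUND:
            score -= 4
        if not self.has_sophos:
            score -= 2
        if self.mrt_folder == COULD_NOT_RUN:
            score -= 1
        return score


def classify_mrt_log(text):
    """Mirror RunMRT.cmd's findstr checks: which folder the report belongs in, whether a
    reboot is still pending, and the names following each 'Threat detected:' line."""
    if not text or not text.strip():
        return COULD_NOT_RUN, False, []
    threats = [m.group(1).strip()
               for m in re.finditer(re.escape(THREAT_MARKER) + r"[ \t]*(.+)", text)]
    if threats:
        return VIRUS_FOUND, REBOOT_MARKER in text, threats
    return NO_VIRUS, False, []


def parse_sophos_line(line):
    """Parse one record written by sophos.bat:
    date,time,arg,userdomain,logonserver,computername,username."""
    parts = [p.strip() for p in line.strip().split(",")]
    if len(parts) != 7:
        return None
    return dict(zip(("date", "time", "arg", "domain", "logonserver", "computer", "user"), parts))


def triage(sophos_missing_logs, mrt_logs):
    """Merge both log sources into one worklist, most urgent machine first.

    sophos_missing_logs: {hostname: contents of MachinesWOSophos$\\<host>.txt}
    mrt_logs:            {hostname: contents of the mrt.txt the logon script uploaded}
    """
    machines = {}
    for host, text in sophos_missing_logs.items():
        records = [parse_sophos_line(line) for line in text.splitlines()]
        if any(records):  # ignore files with no well-formed record
            machines.setdefault(host, MachineStatus(host)).has_sophos = False
    for host, text in mrt_logs.items():
        folder, reboot, threats = classify_mrt_log(text)
        status = machines.setdefault(host, MachineStatus(host))
        status.mrt_folder, status.needs_reboot, status.threats = folder, reboot, threats
    return sorted(machines.values(), key=lambda m: (m.priority(), m.name))


# Constructed sample data in the formats the two scripts produce; not real MRT output.
SAMPLE_SOPHOS_MISSING = {
    "WS-101": "Mon 02/01/2010,08:15:32.10,1,NTHS,\\\\DC01,WS-101,WS-101$\n",
    "WS-103": "Mon 02/01/2010,08:17:01.55,1,NTHS,\\\\DC01,WS-103,WS-103$\n",
    "WS-105": "garbage line without commas\n",
}
SAMPLE_MRT = {
    "WS-101": ("----*\nScan Run By: jdoe completed at Mon 02/01/2010, 08:16:10.02\n----*\n"
               "Threat detected: Worm:Win32/Conficker.B\n"
               "Removal was successful, but the system needs to be restarted.\n"),
    "WS-102": ("----*\nScan Run By: asmith completed at Mon 02/01/2010, 08:20:44.31\n----*\n"
               "No infection found.\n"),
    "WS-103": "",  # MRT never ran, so the logon script shipped an empty report
    "WS-104": ("----*\nScan Run By: bjones completed at Mon 02/01/2010, 08:22:09.87\n----*\n"
               "Threat detected: Worm:Win32/Conficker.B\n"
               "Removal completed, no restart required.\n"),
}

if __name__ == "__main__":
    for m in triage(SAMPLE_SOPHOS_MISSING, SAMPLE_MRT):
        flags = ["no Sophos"] if not m.has_sophos else []
        if m.needs_reboot:
            flags.append("reboot pending")
        print(f"{m.name:8} {m.mrt_folder:16} {', '.join(m.threats) or '-':26} {' / '.join(flags)}")
```

Run it on the three folders of MS-MAL-RM-Tool$ and the MachinesWOSophos$ share by reading each <host>.log or <host>.txt into the two dictionaries; a machine that appears in neither source is simply absent from the worklist, so it is worth comparing the result against the computer list from Active Directory to find workstations where neither script ran at all.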

Code to Run MRT Scan [RunMRT.cmd]:
@ECHO OFF
ECHO Processing Microsoft's Malicious Software Removal Tool...

REM MRT writes its report to %windir%\debug\mrt.log. Archive the previous
REM report to mrt.org and clear the working files before this run.
C:
CD \WINDOWS\DEBUG
IF EXIST mrt.log type mrt.log >> mrt.org
IF EXIST mrt.log del /F /Q mrt.log
IF EXIST mrt.txt del /F /Q mrt.txt

REM Stage a local copy of mrt.exe (plus a sleep helper) from SYSVOL
C:
CD "%USERPROFILE%\Local Settings\Temp"
IF NOT EXIST MRTSCAN MKDIR MRTSCAN
CD MRTSCAN
del /F /Q mrt*.* 2>NUL
COPY /Y "\\[DFS PATH]\SysVol\[DOMAIN]\Policies\{POLICY GUID}\Machine\Scripts\Startup\Microsoft\Sleep.exe"
COPY /Y "\\[DFS PATH]\SysVol\[DOMAIN]\Policies\{POLICY GUID}\Machine\Scripts\Startup\Microsoft\logon-scan\mrt.exe" mrtv34.exe

SET "PATH=%PATH%;%USERPROFILE%\Local Settings\Temp\MRTSCAN"

IF NOT EXIST "%USERPROFILE%\Local Settings\Temp\MRTSCAN\mrtv34.exe" GOTO CONTINUE02

:CONTINUE01
call Sleep.exe 5
REM /Q runs MRT quietly with no user interface. MRT needs administrative rights,
REM so this only does anything when the logged-on user is a local administrator.
Start /wait mrtv34.exe /q

:CONTINUE02
REM Clear this machine's previous result. 01-VirusFound is kept on purpose as history.
REM del /F /Q \\[SERVERNAME]\MS-MAL-RM-Tool$\01-VirusFound\%computername%.log
del /F /Q \\[SERVERNAME]\MS-MAL-RM-Tool$\02-NoVirusFound\%computername%.log 2>NUL
del /F /Q \\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log 2>NUL

C:
CD \WINDOWS\DEBUG
REM No mrt.log means the tool never ran (copy failed, no admin rights, or it was killed)
IF NOT EXIST "C:\WINDOWS\DEBUG\mrt.log" GOTO CONTINUE04

:CONTINUE03
ECHO ----* > mrt.txt
ECHO Scan Run By: %USERNAME% completed at %DATE%, %TIME% >> mrt.txt
ECHO ----* >> mrt.txt
type mrt.log >> mrt.txt
type mrt.txt >> mrt.org
del /F /Q mrt.log

REM Flat GOTO flow instead of nested IF ( ) blocks: inside a block %errorlevel%
REM is expanded once when the block is parsed, so the result of the second
REM findstr would never be seen. IF ERRORLEVEL is evaluated at run time.
findstr /L /C:"Threat detected:" "C:\WINDOWS\DEBUG\mrt.txt" >NUL
IF ERRORLEVEL 1 GOTO NOVIRUS

copy %windir%\debug\mrt.txt \\[SERVERNAME]\MS-MAL-RM-Tool$\01-VirusFound\%computername%.log

findstr /L /C:"the system needs to be restarted" "C:\WINDOWS\DEBUG\mrt.txt" >NUL
IF ERRORLEVEL 1 GOTO CLEANUP

REM Removal needs a reboot: ask the user (4 = vbYesNo, 6 = vbYes)
> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO ON ERROR RESUME NEXT
>> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO Dim Answer
>> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO Set wshShell = CreateObject( "WScript.Shell" ^)
>> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO Answer = MsgBox ( "A scan performed at logon has discovered & cleaned" ^& vbCrLf ^& _
>> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO "a virus found on this machine [%COMPUTERNAME%]." ^& vbCrLf ^& _
>> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO "Please reboot at your next opportunity, to reboot" ^& vbCrLf ^& _
>> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO "now click 'Yes.' Otherwise, to reboot later, simply click 'No.'" ^& vbCrLf ^& _
>> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO "Thank you for your assistance! - NTHS Help Desk.", 4, _
>> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO "New Trier: Help Desk" ^)
>> "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs" ECHO If Answer = 6 Then wshShell.Run "shutdown -r -f -t 20", 0, false
WSCRIPT.EXE "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs"
DEL /F /Q "%USERPROFILE%\Local Settings\Temp\MRTSCAN\usermessage.vbs"
GOTO CLEANUP

:NOVIRUS
copy %windir%\debug\mrt.txt \\[SERVERNAME]\MS-MAL-RM-Tool$\02-NoVirusFound\%computername%.log

:CLEANUP
del /F /Q mrt.txt
GOTO END

:CONTINUE04
REM The tool produced no report: file what we have (the archived mrt.org, if any)
REM under 03-CouldNotRun so the machine shows up as needing a visit.
SET "RESULT=\\[SERVERNAME]\MS-MAL-RM-Tool$\03-CouldNotRun\%computername%.log"
ECHO ----* > "%RESULT%"
ECHO Attempted By: %USERNAME% completed at %DATE%, %TIME% >> "%RESULT%"
IF EXIST "C:\WINDOWS\DEBUG\mrt.org" (
    ECHO ----* >> "%RESULT%"
    type %windir%\debug\mrt.org >> "%RESULT%"
) ELSE (
    ECHO mrt.log, .txt or .org file does not exist >> "%RESULT%"
    ECHO ----* >> "%RESULT%"
)

:END
