W32.Downadup is the worm family behind a very large number of the customer reports we are currently receiving. This virus spreads mainly by exploiting the Microsoft RPC vulnerability (MS08-067), through network shares, and via USB drives.
1) Symantec's description of W32.Downadup:
Symantec's description and removal instructions for W32.Downadup
http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99
Symantec's description and removal instructions for W32.Downadup.B
http://www.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2
Symantec's description and removal instructions for W32.Downadup.C
http://www.symantec.com/security_response/writeup.jsp?docid=2009-030614-5852-99
Symantec's description and removal instructions for W32.Downadup.E
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-040823-4919-99
Technical details of the virus
http://www.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2
http://en.wikipedia.org/wiki/Conficker
2) Details of the MS08-067 security update
http://www.microsoft.com/china/technet/security/bulletin/MS08-067.mspx
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker
http://support.microsoft.com/kb/962007
http://www.securityfocus.com/bid/31874
3) Follow the Microsoft KB below to create a GPO that removes write permissions on the SvcHost registry key, so that the randomly named malware service cannot be created in the netsvcs registry value
http://support.microsoft.com/kb/962007/en-us
4) Disable AutoRun
http://msdn.microsoft.com/en-us/library/cc144204(VS.85).aspx
How to find insecure shares on the network:
http://technet.microsoft.com/en-us/sysinternals/bb897442.aspx
5) Symantec removal tool
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99
6) Simple steps to protect yourself from the Conficker Worm
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009033012483648
7) Microsoft's description of the virus:
Worm:Win32/Conficker.A from Microsoft
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.A
Worm:Win32/Conficker.B from Microsoft
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B
Worm:Win32/Conficker.C from Microsoft
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.C
Worm:Win32/Conficker.D from Microsoft
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.D
8) Because some W32.Downadup variants attempt to guess user passwords, domains that enforce an account lockout policy may see AD user accounts being locked out.
For this problem, we recommend that customers temporarily disable the AD account lockout policy. For technical details on AD account lockout, refer to the following Microsoft KBs:
Troubleshooting account lockout problems in Windows Server 2003, in Windows 2000, and in Windows NT 4.0
http://support.microsoft.com/default.aspx?scid=kb;EN-US;315585
User accounts are unexpectedly locked, and event ID 12294 is logged in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;887433
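Before (or instead of) disabling the lockout policy, the lockout events themselves can point at the infected machine: a password-guessing worm tends to lock out many different accounts from one source host. The following Python script is an added example, not code from the page or from Symantec or Microsoft. It assumes lockout events have been exported into a simple `key=value` line format (an assumption for this illustration), and it uses the Security-log lockout event IDs 4740 (Windows Server 2008 and later) and 644 (Windows Server 2003), plus the event ID 12294 from KB 887433 above; the sample lines are constructed, not real log data.

```python
import re
from collections import defaultdict

# Constructed sample export (not real data, not from the page): one event per line.
# "key=value" is an assumed export format, chosen to keep the example self-contained.
SAMPLE_EVENTS = """\
EventID=4740 TargetUserName=jdoe CallerComputerName=WKS-0042
EventID=4740 TargetUserName=asmith CallerComputerName=WKS-0042
EventID=4740 TargetUserName=bwong CallerComputerName=WKS-0042
EventID=4740 TargetUserName=jdoe CallerComputerName=LAPTOP-17
EventID=4624 TargetUserName=jdoe CallerComputerName=WKS-0099
EventID=12294 TargetUserName=Administrator CallerComputerName=
"""

# Security-log "account locked out" event IDs: 4740 (Server 2008+) and 644 (Server 2003).
LOCKOUT_IDS = {"4740", "644"}
# KB 887433 (linked above) covers event ID 12294 logged alongside unexpected lockouts.
SAM_LOCKOUT_ERROR_ID = "12294"

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_events(text):
    """Turn each non-empty key=value line into a dict of its fields."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(FIELD_RE.findall(line)))
    return events


def lockouts_by_source(events):
    """Map each caller computer to the set of accounts it locked out."""
    by_source = defaultdict(set)
    for ev in events:
        if ev.get("EventID") in LOCKOUT_IDS:
            source = ev.get("CallerComputerName") or "<unknown>"
            by_source[source].add(ev.get("TargetUserName", "?"))
    return by_source


def suspect_hosts(events, min_accounts=2):
    """Hosts that locked out at least min_accounts distinct accounts, most first.

    One host locking out many different users is the footprint a password-guessing
    worm leaves; a user mistyping their own password locks out a single account.
    """
    by_source = lockouts_by_source(events)
    ranked = [(host, len(accounts)) for host, accounts in by_source.items()
              if len(accounts) >= min_accounts]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def sam_lockout_errors(events):
    """Events carrying the 12294 ID referenced by KB 887433, for separate review."""
    return [ev for ev in events if ev.get("EventID") == SAM_LOCKOUT_ERROR_ID]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for host, count in suspect_hosts(evs):
        print(f"{host}: locked out {count} distinct accounts")
    print(f"{len(sam_lockout_errors(evs))} event(s) with ID 12294 to review")
```

On the constructed sample this reports WKS-0042 as the host that locked out three distinct accounts, while LAPTOP-17 (a single account) falls below the threshold; the real lookup would read the domain controllers' Security logs, since the caller computer name is recorded on the DC that processed the lockout.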
9) If the client stops raising W32.Downadup infection alerts once it is disconnected from the network, we recommend using the network tools mentioned above (Wireshark, TCPView, etc.) to locate the source of the infection.