W32.Downadup.B Arghhhhhhhh


It's been 6 years since we were last hit by a major virus, but we have just been hit again (along with a few million others) by W32.Downadup.B.

What did it do?: It removed the ability of users to log in to the domain. The following entry appeared in droves on the domain controllers: "The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above." with an event ID of 12294. At the peak we were probably experiencing around 100 per second.

The end result of the above was that, due to the sheer number of requests, Active Directory was unable to authenticate genuine users....who were getting their accounts locked instead of getting logged in. Ironically this wasn't the main intention of the virus, just a side effect. In actual fact the virus looks to upload any passwords it finds to a remote server. To avoid detection by the authorities, the writers made it upload to a few thousand random domain names.
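The 12294 flood described above is a useful early-warning signal on its own: on a healthy domain controller that event is close to non-existent, so a simple per-second rate check on exported event log lines will light up long before anyone reports lockouts. The script below is an added example, not something from the original post; it assumes a tab-separated export of the DC's log (timestamp, event ID, source, message), and the log lines it runs on are constructed here for illustration. It groups 12294 events by second, flags any second over a threshold, and pulls out which accounts were being hammered (which is exactly the list you would want before deciding which privileged accounts to disable).

```python
import re
from collections import defaultdict
from datetime import datetime

# Event ID written by the SAM when lockout bookkeeping fails under load.
LOCKOUT_EVENT_ID = 12294

# Account name sits between "account of" and "due" in the 12294 message text.
ACCOUNT_RE = re.compile(r"lockout the account of (\S+) due")

# Verbatim 12294 message with the account name left as a placeholder.
LOCKOUT_MSG = (
    "The SAM database was unable to lockout the account of {account} due to a "
    "resource error, such as a hard disk write failure (the specific error code "
    "is in the error data) . Accounts are locked after a certain number of bad "
    "passwords are provided so please consider resetting the password of the "
    "account mentioned above."
)


def _line(ts, event_id, source, message):
    # Assumed export layout: timestamp<TAB>event_id<TAB>source<TAB>message
    return f"{ts}\t{event_id}\t{source}\t{message}"


# Constructed sample export (not real data): six 12294 events in one second
# against two accounts, one unrelated event, then a single 12294 a second later.
SAMPLE_LOG = "\n".join(
    [_line("2009-01-20 09:15:00", 12294, "SAM", LOCKOUT_MSG.format(account="Administrator"))] * 4
    + [_line("2009-01-20 09:15:00", 12294, "SAM", LOCKOUT_MSG.format(account="svc_backup"))] * 2
    + [_line("2009-01-20 09:15:00", 7036, "Service Control Manager",
             "The Print Spooler service entered the running state.")]
    + [_line("2009-01-20 09:15:01", 12294, "SAM", LOCKOUT_MSG.format(account="Administrator"))]
)


def parse_events(text):
    """Parse the tab-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, source, message = line.split("\t", 3)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "source": source,
            "message": message,
        })
    return events


def lockout_bursts(events, per_second_threshold=10):
    """Return each second in which 12294 events met the threshold, with the
    accounts named in those events. The default threshold is an assumption;
    on a quiet DC even a handful per second is abnormal."""
    per_second = defaultdict(list)
    for ev in events:
        if ev["event_id"] != LOCKOUT_EVENT_ID:
            continue
        match = ACCOUNT_RE.search(ev["message"])
        per_second[ev["time"]].append(match.group(1) if match else "<unknown>")

    bursts = []
    for second in sorted(per_second):
        accounts = per_second[second]
        if len(accounts) >= per_second_threshold:
            bursts.append({
                "second": second,
                "count": len(accounts),
                "accounts": sorted(set(accounts)),
            })
    return bursts


if __name__ == "__main__":
    for burst in lockout_bursts(parse_events(SAMPLE_LOG), per_second_threshold=5):
        print(f"{burst['second']:%H:%M:%S}: {burst['count']} x 12294, "
              f"accounts: {', '.join(burst['accounts'])}")
```

Pointed at a real export from the DC, the account list tells you which privileged names the worm has harvested or is guessing against, and the per-second counts give you a number to compare against the roughly 100/sec peak seen here.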

Some more info:
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.B

How did we get rid of it?: Firstly we had to disable every single account on the domain with local or domain/enterprise security rights. You can imagine the hassle this is going to cause in terms of service run-as issues. We also had to unplug any administrative workstations from the network and run all fixes directly from the servers.

Microsoft has provided a tool for prevention, also provided in the form of a Windows Update (should you happen to do those on a weekly basis):

http://support.microsoft.com/kb/891716

They do however suggest that deployment via Group Policy is not suitable for servers, and kindly provide a handy 36-step (!!) manual process. You can however reduce this to around 5 steps by using Symantec Antivirus, a bit of quick registry editing, and the removal tools.....probably 15 minutes per server. I'd also suggest regularly changing the password of any admin account you are using, just to ensure that it isn't grabbed and used by an infection.

The only method we have found thus far to remove the threat from an infected PC is to perform a full system scan using Symantec AV. Not great for the users given the load it puts on the workstations, but at least it's a fix!

I'm sure this won't be the last such threat, and it's been our first since moving to Active Directory.... but I'll be looking into how we can deploy Windows updates using SCCM 2007 on a regular basis!