Symantec W32 Downadup removal tool - What is this?
I was logged in off campus when this license agreement for the Symantec W32 Downadup Removal Tool 1.0.5 EULA popped up on my screen. I don't know why it popped up; I just logged in and it came up. It just asks me to agree or disagree with the license agreement, but I don't know what this is. Can it do anything to my computer if I accept it, or should I disagree?
An email was sent out about it earlier. The text is as follows:
"The “downadup” or “Conflicker” worm-a major Windows worm that
has infected millions of computers on the Internet-has begun to have an
impact on the Drew network as students return to campus. CNS staff have
been working throughout the weekend to analyze and respond to the
threat. Here is where we currently stand, and what we intend to do to
Downadup spreads via multiple mechanisms--from email, hijacked Web
pages, network drives, network accounts with easily-guessed passwords,
and USB thumb and hard drives, as well as a Windows vulnerability that
allows an attacker to exploit a computer remotely. Once on a computer,
it uses multiple techniques to hide itself, and attempts to find other
hosts to infect, as well as copy itself to any drives it has access to.
It is extremely aggressive in replicating itself and is difficult to
remove. Our approach is to both stop its spread on the campus network,
and to remove the worm from machines already infected.
At this point, all CNS servers are patched against the worm, and are
not infected, although some are seeing the increased traffic from
password guessing. We are monitoring those servers closely and changing
settings to mitigate the impact. We are also leveraging our
infrastructure to protect Drew-owned and Drew-configured desktops and
laptops. A system policy has been deployed that will ensure the
critical Windows system patch is configured when your computer is
restarted, as well as disabling “autorun” functionality that allows
the worm to spread via USB drives and other removable media. We have
added filters to our network switches that prevent a computer from
attacking all Drew networks, and that has slowed the spread of the worm
from computer to computer. We have deployed a tool that runs
automatically on login that detects and removes the worm on infected
computers. We also are taking steps to disable compromised accounts and
computers that we cannot reach automatically.
If you have a computer running Windows XP or Vista that was not
configured by CNS, you should manually run the removal tool available at
http://depts.drew.edu/cns/FixDownadup.exe and then manually run Windows
Update. Also make sure you are running Windows XP Service Pack 2 or
While there are no reports of malicious behavior from this worm other
than effects of its propagation, it allows the computer to be taken over
remotely and used for nearly any purpose the attacker wishes, so it is
critical we disinfect all computers as soon as possible.
CNS will continue to monitor the situation, and refine our
methodologies for dealing with the worm. We will send out a status
update in the next 24 hours, and further instructions if warranted.
Director of Computing and Network Services, Drew University
and the first email:
In response to a widespread internet worm (more details will be available in a second email) we are pushing out a removal tool and a Windows patch to all University-owned and issued computers. Due to the nature of the security threat, we are moving quickly and putting this in place before the start of business on Monday. Instructions for off-campus or non-Drew computers are towards the bottom of this email. Please read this carefully. Failure to follow these directions can not only pose a risk to your computer and data, but those of other network users as well. If you have any questions, please call the CNS Helpdesk at x3205 or send email to firstname.lastname@example.org
On campus, you will be prompted after login to run a Symantec tool designed to remove this specific malicious software. You must click "I Accept" for the software to run. After several minutes, you will be presented with the results of the scan. The Windows patch mentioned in that feedback will be applied when your computer shuts down. One minute after the scan completes, the shutdown will automatically occur. After the reboot, your newly-patched computer will be scanned a second time. Again, please click "I Accept" when prompted. If it reports no virus was found, please continue your work. If it reports that it found and removed the virus after this second pass, please shut down and re-start your computer one more time via the Start Menu.
Drew-issued, on-campus computers with Windows XP Service Pack 1 (some older desktops - primarily Compaq and HP models and old laptop models may have Service Pack 1) cannot be patched without a major update. They need to be updated to Windows XP Service Pack 3 before they can be patched against the vulnerability. The computer can be cleaned, but will be reinfected quickly. Call the Helpdesk at x3205 if you have Service Pack 1. You can check by right-clicking on "My Computer" on your Windows XP system and selecting "Properties". The service pack level is listed under the "System" heading.
If you are NOT on campus, or have a non-Drew-issued computer running Windows XP or Vista, you will need to use the Windows Update feature to update your computer. If your computer is already infected, the worm prevents Windows Update from running correctly, and also blocks you from accessing Symantec's web site, among others, so you can't download the disinfection tool from their web site. You can get a copy of it at:
Once you do that and reboot, you should be able to get to Windows Update. If you are a Windows XP user, Windows Update should install Service Pack 3; return to Windows Update after that to check for remaining packages. This could take a considerable amount of time, depending on the speed of your internet connection. We strongly recommend you re-run FixDownadup.exe after you have installed all critical Windows patches.
Manager of Systems Administration
Computing and Network Services
36 Madison Ave, Madison, NJ 07940"
The dates of issue were January 25th and 26th, 2009.
As for how it got there without you knowing about it, that's another matter entirely.
Hope that's of use.
Also, make sure you don't do what I did and accidentally delete the log files it makes when it's finally finished!
The program will make 2 log files in your C:\WINDOWS folder called FIXDOWNADUP1.LOG and FIXDOWNADUP2.LOG. If these get deleted for any reason, the next time you log into the network the whole thing will start over again. It took me two trips to CNS to figure this out.
One more thing: I went through a lot of grief running this program 3 times because it kept encountering an error. But the program won't tell you it's had an error--it will just restart again from the beginning the next time you log in. Kind of a pain, but hopefully you won't have the frustration I did.
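The CNS email above points out that an infected machine can still reach ordinary sites but cannot reach Symantec's web site or run Windows Update. That symptom comes from the later Conficker variants hooking DNS lookups on the infected host and failing any name that contains a security-vendor string, and it can be turned into a quick local triage check. The script below is an added example written for this page, not code from the thread, from Drew CNS or from Symantec. The hostname lists, the "infected-like" resolver used for the offline demonstration and the verdict thresholds in classify() are all assumptions chosen for illustration; this is a triage heuristic, not a signature.

```python
"""Local triage for the DNS-blocking symptom of a Conficker infection.

Added example for this thread; not CNS or Symantec code. Host lists and the
simulated resolver below are constructed for the demonstration.
"""
import socket
from typing import Callable, Dict, Iterable, Optional

# Hostnames containing strings the worm is known to block. The exact list is
# an assumption for this example; any well-known security vendor will do.
VENDOR_HOSTS = (
    "www.symantec.com",
    "www.microsoft.com",
    "update.microsoft.com",
    "www.kaspersky.com",
    "www.mcafee.com",
    "www.sophos.com",
)

# Control names with no vendor string in them. If these fail too, DNS is
# simply unavailable and the result says nothing about infection.
CONTROL_HOSTS = (
    "www.drew.edu",
    "www.wikipedia.org",
    "www.example.com",
)

Resolver = Callable[[str], Optional[str]]


def system_resolver(hostname: str) -> Optional[str]:
    """Resolve through the OS resolver of the process running this script.

    The hook lives on the infected host, so this has to run on the suspect
    machine itself; probing from another computer sees nothing.
    """
    try:
        return socket.gethostbyname(hostname)
    except OSError:
        return None


def probe(resolver: Resolver, hosts: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each hostname to its resolved address, or None if the lookup failed."""
    return {host: resolver(host) for host in hosts}


def classify(vendor: Dict[str, Optional[str]],
             control: Dict[str, Optional[str]]) -> str:
    """Turn the two probe results into a triage verdict.

    no-dns  : nothing resolves, so the test is inconclusive
    suspect : ordinary names resolve but every vendor name fails, which is
              the pattern the CNS email describes
    partial : only some vendor names fail; rule out a proxy or web filter
    clean   : everything resolves
    """
    control_ok = sum(addr is not None for addr in control.values())
    vendor_ok = sum(addr is not None for addr in vendor.values())
    if control_ok == 0:
        return "no-dns"
    if vendor_ok == 0:
        return "suspect"
    if vendor_ok < len(vendor):
        return "partial"
    return "clean"


def triage(resolver: Resolver = system_resolver) -> str:
    """Run both probe sets through the given resolver and classify the host."""
    return classify(probe(resolver, VENDOR_HOSTS), probe(resolver, CONTROL_HOSTS))


def infected_like_resolver(hostname: str) -> Optional[str]:
    """Constructed stand-in for an infected host's resolver: fails any name
    containing a vendor substring and resolves everything else to a
    documentation-range address."""
    blocked = ("symantec", "microsoft", "kaspersky", "mcafee", "sophos")
    if any(needle in hostname.lower() for needle in blocked):
        return None
    return "192.0.2.1"


if __name__ == "__main__":
    # Offline demonstration against the constructed resolver, then a live
    # run on this machine (the second line needs network access).
    print("simulated infected host:", triage(infected_like_resolver))
    print("this host:", triage())
```

Run it on the suspect machine itself; resolving the same names from a healthy PC proves nothing. A "suspect" verdict means doing exactly what the email says: run the locally downloaded copy of the removal tool, reboot, then run Windows Update and re-run the tool. A "partial" or "no-dns" result is inconclusive, since a web filter, captive portal or plain outage produces the same pattern, so check proxy and DNS settings before assuming infection.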
Also, update F-Prot!
The sooner a large number of folks install the new F-Prot (it's a total re-write of the software) - this is the version that was issued on the first-year student computers - the sooner we can stop relying on that other tool running. The new version of F-Prot can detect and block downadup/conficker.
Instructions were sent out in email recently and can be found here as well.
You need to upgrade to the new version of Zenworks first. We're using Zenworks to push out the anti-virus software updates, so it'll work from off campus, abroad, etc., as long as you have an internet connection to Drew. After this semester, we're not going to be supporting the old version of Zenworks at all for application distribution, so it's probably worth upgrading now. We're going to have to push this update out soon, rather than making it opt-in, and it would be better for everyone if more computers were updated ahead of that.
Finally, the reason that the on-campus/off-campus login choice doesn't make a difference to whether the Symantec tool runs is that it only has an effect on the behavior of the Novell client. If you're located on campus, you're still communicating with the Windows domain controllers on the network, and we're pushing that login script out via a domain group policy.
Does this mean that if you have the latest F-Prot and the latest security patches then you can safely re-enable Autoplay (providing you have the know-how)?
Autoplay . . .
I wouldn't. I've kept it off on any computer I've used for years. Especially with USB flash media, where it's fairly easy to pick up infected files from another computer, it's really iffy.
F-Prot may detect this worm, but it might not detect the next thing that comes along before you encounter it, nor can any anti-virus package detect every malicious program that comes along. I just don't think the convenience outweighs the risk. Now that this thing was pretty successful using a combination of methods to spread, I expect this to become a standard technique used by people writing malicious software.
And I'm certainly not going to claim that we don't have infected computers on campus. We've been trying to clean them as we discover them, but we certainly haven't hit them all.