Printable View
hello
I need assistance on removing botnet attack on my network. my brother have block port with firewall .the virus is coming back again which have the following details of the virus;Virus name WORM_DOWNAD.AD,please some one tell me how to remove this permanently, thank you.
Symptoms of WORM_DOWNAD.AD:
* Blocked access to antivirus-related sites
* Disabled services such as Windows Automatic Update Service
* High traffic on affected system’s port 445
* Hidden files even after changes in Folder Options
* Inability to log in using Windows credentials because they are locked out
A .DLL file with random file names and autorun.inf also appear in all mapped drives, and in Internet Explorer and Movie Maker folders under the Program Files directory.
The worm locks its dropped copy to prevent users from reading, writing, and deleting the malicious file.
It also makes several registry changes to allow simultaneous network connections. By re-infecting machines, this worm manages to keep its malicious activities going on. One of the prominent reasons for its success in global diffusion is its multiple propagation routines: it spreads by exploiting a Microsoft OS vulnerability, via network shares, or via removable and network drives.
Patching systems and programs as soon as fixes are made available and disabling autorun are two of the most important actions required to reduce the risk of infection, infection propagation or reinfection with variant updates.
- Disable System Restore
- Update the virus definitions.
- Find and stop the service.
- Find and remove the scheduled task, if necessary.
- Run a full system scan.
- Delete any values added to the registry.
Use BotHunter for botnet detection. BotHunter was created. From the labs of SRI International, the Army Research Office and the National Science Foundation, BotHunter works to discover stealth botnet activity on the network. BotHunter attempts to uncover compromised machines by gathering information from numerous sensors around the world looking for the telltale signatures of bot activity.
BotHunter uses specialized malware packet sensors, which look for scanning, exploit patterns, code downloading, bot coordination communications and outbound attack launches. By comparing these known botnet traffic patterns to the traffic flows within the trusted network, it can alert users when it detects suspicious botnet activity.
BotHunter differs from traditional IDS in its methods of detecting activity through "infection-dialog-based" activity: the command and control communication patterns used by botnets. Although nothing triggers the antivirus, BotHunter notices when a computer is attempting to contact several email servers and UDP traffic is going to several computers, such as those known to belong to a Russian criminal network that is being monitored by BotHunter. BotHunter uses this information to assign a score to events; the display console logs the forensic evidence, listing the infected machines, botnet control servers, malicious code-download servers and details about outbound scanning that newly infected machines may be performing.
BotHunter is free, but closed source. It is available for Windows, Linux and Mac platforms. During installation, BotHunter requires an input of the IP address range of the trusted network, SMPT servers and DNS servers. Once installed, BotHunter examines traffic that traverses the NIC card you specify. Mostly it listens passively, but from time to time BotHunter initiates outbound communications to automated threat services run by SRI. BotHunter also pulls updates for the botnet command and control blacklist, malware DNS list and new malware-detection rules. This allows BotHunter to maintain awareness of the latest botnet operator servers, malware-associated DNS lookups, known-bad server addresses and malware back-door control ports. BotHunter sends anonymous data associated with detected botnet activity, malware-download sites, exploit servers and detection patterns, but it does not report any IP addresses from your trusted network. SRI states that neither they nor their affiliates track your specific network information.
hi!!
i have a network for 100 plus nodes which is running on windows 2000 professional. i have latest a antivirus trend micro 8.0 and upgraded with latest antivirus patch files. my network is affected by the worm_downad.ad .pls tell me the sol to clean i have already tken follwoing steps:-
a) latest antivirus pattern file.
b) system scan manually.
pls tell me the manula procedure to clean the above mentioned virus.
User AG like AVAST..It Network Shield automatically detect incoming threads