Just as a follow-up, the following KB article fixed that issue. What I am still concerned about is that even though these systems were patched about 2-3 months ago with MS08-067, they still got somewhat infected...

KB895149

Z

Edward Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
[email protected]
Phone:401-639-3505

-----Original Message-----
From: Ziots, Edward [mailto:[email protected]]
Sent: Friday, March 20, 2009 3:51 PM
To: NT System Admin Issues
Subject: RE: April 1st Conflicker Version C to erupt

Has anyone seen a failure with the DHCP Client giving an access denied after Conficker has been detected and cleaned? I did run the Symantec tools and the Microsoft tools for scanning and infection but no luck.

Z

Edward Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
[email protected]
Phone:401-639-3505

-----Original Message-----
From: Sam Cayze [mailto:[email protected]]
Sent: Friday, March 20, 2009 3:18 PM
To: NT System Admin Issues
Subject: RE: April 1st Conflicker Version C to erupt

Those sound like honeypots! I'm surprised Conficker is all they got :)

-----Original Message-----
From: Glen Johnson [mailto:[email protected]]
Sent: Friday, March 20, 2009 2:11 PM
To: NT System Admin Issues
Subject: RE: April 1st Conflicker Version C to erupt

These were open lab machines with NO antivirus, autorun wasn't disabled but the patch was on. Also the user has full control. My guess is the autorun kicked in and it was toast. Fortunately the boxes all had Deep Freeze so the infection wasn't permanent. Most of that has been changed though, AV is now on the boxes and it has caught a few on flash drives. So far so good.

-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Friday, March 20, 2009 2:51 PM
To: NT System Admin Issues
Subject: Re: April 1st Conflicker Version C to erupt

On Fri, Mar 20, 2009 at 1:35 PM, Glen Johnson <[email protected]> wrote:
> I can definitely confirm that a patched machine can get infected from an
> infected flash drive.

Any details on this?

Is it the AUTORUN.INF thing, where simply loading a USB drive causes Windows to go and run whatever the drive says to? Or did the user manually double-click the Trojan horse executable file on the drive? Or something else? Was it able to bypass anti-virus software and/or escalate its privileges?

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
