RE: April 1st Conflicker Version C to erupt

2009-03-27 Thread Jake Gardner
Just pull the power plug from the wall? Thanks, Jake Gardner TTC Network Administrator Ext. 246 -Original Message- From: Jon D [mailto:rekcahp...@gmail.com] Sent: Friday, March 27, 2009 2:30 PM To: NT System Admin Issues Subject: Re: April 1st Conflicker Version C to erupt What

Re: April 1st Conflicker Version C to erupt

2009-03-27 Thread Jon D
What happens if you simply disable the browser, and server service, and disable autorun? Will that pretty much do the trick?

RE: April 1st Conflicker Version C to erupt

2009-03-24 Thread Paul Everett
Thanks Ben, I really appreciate your input on this topic. Paul -Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Monday, March 23, 2009 8:26 PM To: NT System Admin Issues Subject: Re: April 1st Conflicker Version C to erupt On Mon, Mar 23, 2009 at 5:48 PM, Paul

Re: April 1st Conflicker Version C to erupt

2009-03-23 Thread Ben Scott
On Mon, Mar 23, 2009 at 5:48 PM, Paul Everett wrote: > Ok, I've been messing with the svchost.exe file all day and now realize > a key is a key, not an exe file. > Where would I find this svchost key? I believe this refers to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wi

Re: April 1st Conflicker Version C to erupt

2009-03-23 Thread Ben Scott
On Mon, Mar 23, 2009 at 11:31 AM, James Rankin wrote: > I think the force switch for reg.exe is /f You think correctly. :) From "REG ADD /?", I see: /f Force overwriting the existing registry entry without prompt So, to modify my previous example: REG ADD "HKLM\SOFTWARE\Mic

RE: April 1st Conflicker Version C to erupt

2009-03-23 Thread Paul Everett
ssues Subject: RE: April 1st Conflicker Version C to erupt Regular users on fully patched XP and you are screwed. Been there done that got the crappy T-Shirt. Not giving you a hard time but that is what I am seeing. And have seen it and verified it at multiple other places. I got lucky and saw it earl

Re: April 1st Conflicker Version C to erupt

2009-03-23 Thread James Rankin
re (or don't > overwrite) if the entry is already there so my login script doesn't stop and > wait for user input? > > > -Original Message- > From: Ben Scott [mailto:mailvor...@gmail.com] > Sent: Monday, March 23, 2009 10:45 AM > To: NT System Admin Issues > Sub

Re: April 1st Conflicker Version C to erupt

2009-03-23 Thread James Rankin
already there so my login script doesn't stop and > wait for user input? > > > -Original Message- > From: Ben Scott [mailto:mailvor...@gmail.com] > Sent: Monday, March 23, 2009 10:45 AM > To: NT System Admin Issues > Subject: Re: April 1st Conflicker Version C t

RE: April 1st Conflicker Version C to erupt

2009-03-23 Thread Paul Everett
al Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Monday, March 23, 2009 10:45 AM To: NT System Admin Issues Subject: Re: April 1st Conflicker Version C to erupt On Mon, Mar 23, 2009 at 9:04 AM, Paul Everett wrote: > 1.      Is there a way (script or GP) to take "domain

Re: April 1st Conflicker Version C to erupt

2009-03-23 Thread Ben Scott
On Mon, Mar 23, 2009 at 9:04 AM, Paul Everett wrote: > 1.      Is there a way (script or GP) to take "domain users" out of the > local admin group? In addition to other suggestions, you could always do: NET LOCALGROUP Administrators "%YourDomain%\Domain Users" /DELETE Put that in your

Re: April 1st Conflicker Version C to erupt

2009-03-23 Thread James Rankin
Paul > > > -Original Message- > From: Ben Scott [mailto:mailvor...@gmail.com] > Sent: Friday, March 20, 2009 5:11 PM > To: NT System Admin Issues > Subject: Re: April 1st Conflicker Version C to erupt > > On Fri, Mar 20, 2009 at 4:54 PM, Ziots, Edward > wrot

RE: April 1st Conflicker Version C to erupt

2009-03-23 Thread Kennedy, Jim
Answers in line, the short versions. Holler if you want more detail. > -Original Message- > From: Paul Everett [mailto:evere...@leementalhealth.org] > Okay, I'm concerned about this, but need more direction than what has > been posted so far. > 1.Is there a way (script or GP) to ta

RE: April 1st Conflicker Version C to erupt

2009-03-23 Thread Ziots, Edward
MCSE,MCSA,MCP+I, ME, CCA, Security +, Network + ezi...@lifespan.org Phone:401-639-3505 -Original Message- From: Paul Everett [mailto:evere...@leementalhealth.org] Sent: Monday, March 23, 2009 9:04 AM To: NT System Admin Issues Subject: RE: April 1st Conflicker Version C to erupt Okay, I

RE: April 1st Conflicker Version C to erupt

2009-03-23 Thread Paul Everett
cal admin password via script or GP? Thanks, Paul -Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Friday, March 20, 2009 5:11 PM To: NT System Admin Issues Subject: Re: April 1st Conflicker Version C to erupt On Fri, Mar 20, 2009 at 4:54 PM, Ziots, Edward wrote: > J

Re: April 1st Conflicker Version C to erupt

2009-03-20 Thread Ben Scott
On Fri, Mar 20, 2009 at 4:54 PM, Ziots, Edward wrote: > Just as a followup the following KB article fixed that issue, what I am > still concerned about even though these systems were patched about 2-3 > months ago with MS08-067 they still got somewhat infected... As mentioned, Conficker has mu

RE: April 1st Conflicker Version C to erupt

2009-03-20 Thread Ziots, Edward
, Security +, Network + ezi...@lifespan.org Phone:401-639-3505 -Original Message- From: Ziots, Edward [mailto:ezi...@lifespan.org] Sent: Friday, March 20, 2009 3:51 PM To: NT System Admin Issues Subject: RE: April 1st Conflicker Version C to erupt Has anyone seen a failure with the DHCP

RE: April 1st Conflicker Version C to erupt

2009-03-20 Thread Ziots, Edward
, Security +, Network + ezi...@lifespan.org Phone:401-639-3505 -Original Message- From: Sam Cayze [mailto:sam.ca...@rollouts.com] Sent: Friday, March 20, 2009 3:18 PM To: NT System Admin Issues Subject: RE: April 1st Conflicker Version C to erupt Those sound like honeypots! I'm sur

RE: April 1st Conflicker Version C to erupt

2009-03-20 Thread Sam Cayze
Those sound like honeypots! I'm surprised Conflicker is all they got :) -Original Message- From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Friday, March 20, 2009 2:11 PM To: NT System Admin Issues Subject: RE: April 1st Conflicker Version C to erupt These were open lab mac

RE: April 1st Conflicker Version C to erupt

2009-03-20 Thread Kennedy, Jim
I am still wide open to getting it again. > -Original Message- > From: Ben Scott [mailto:mailvor...@gmail.com] > Sent: Friday, March 20, 2009 2:51 PM > To: NT System Admin Issues > Subject: Re: April 1st Conflicker Version C to erupt > > On Fri, Mar 20, 2009 at 1:35 P

RE: April 1st Conflicker Version C to erupt

2009-03-20 Thread Glen Johnson
though, AV is now on the boxes and it has caught a few on flash drives. So far so good. -Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Friday, March 20, 2009 2:51 PM To: NT System Admin Issues Subject: Re: April 1st Conflicker Version C to erupt On Fri, Mar 20, 2009

Re: April 1st Conflicker Version C to erupt

2009-03-20 Thread Ben Scott
On Fri, Mar 20, 2009 at 1:35 PM, Glen Johnson wrote: > I can definitely confirm that a patched machine can get infected from an > infected flash drive. Any details on this? Is it the AUTORUN.INF thing, where simply loading a USB drive causes Windows to go and run whatever the drive says to? O

Re: April 1st Conflicker Version C to erupt

2009-03-20 Thread Ben Scott
On Fri, Mar 20, 2009 at 1:04 PM, Kennedy, Jim wrote: > Regular users on fully patched XP and you are screwed. H. Worrying. I just went and double-checked the various threat evaluations for Conficker. Everyone seems to be reporting about the same thing. In particular, everyone is reporti

RE: April 1st Conflicker Version C to erupt

2009-03-20 Thread Kennedy, Jim
optimumdata.com] > Sent: Friday, March 20, 2009 2:34 PM > To: NT System Admin Issues > Subject: Re: April 1st Conflicker Version C to erupt > > Something is seriously wrong with your environment if your end users > have write access to the svchost key. > > Kennedy, Ji

Re: April 1st Conflicker Version C to erupt

2009-03-20 Thread Phil Brutsche
Something is seriously wrong with your environment if your end users have write access to the svchost key. Kennedy, Jim wrote: > At this point the only thing keeping us alive is the svchost key with > only read rights for everyone, including system. -- Phil Brutsche p...@optimumdata.com

Re: April 1st Conflicker Version C to erupt

2009-03-20 Thread Phil Brutsche
I wouldn't be too quick to blame solely MS and the AV vendors, there's a lot of blame to go around. Conficker has multiple infection vectors. So far I've heard of: a) Exploiting MS08-067 b) Brute-forcing the SAM and ADMIN$ share on remote machines c) and now apparently Autorun Apparently not eno

RE: April 1st Conflicker Version C to erupt

2009-03-20 Thread Kennedy, Jim
bject: R: April 1st Conflicker Version C to erupt > > > Is that the reason MS KB 967715 was deployed so urgently? > > > GuidoElia > HELPPC > > -Original Message- > From: Glen Johnson [mailto:gjohn...@vhcc.edu] > Sent: Friday, 20 March 2009 18.35 >

RE: April 1st Conflicker Version C to erupt

2009-03-20 Thread Sam Cayze
I guess so :) -Original Message- From: HELP_PC [mailto:g...@enter.it] Sent: Friday, March 20, 2009 12:58 PM To: NT System Admin Issues Subject: R: April 1st Conflicker Version C to erupt Is that the reason MS KB 967715 was deployed so urgently? GuidoElia HELPPC -Original Message

R: April 1st Conflicker Version C to erupt

2009-03-20 Thread HELP_PC
Is that the reason MS KB 967715 was deployed so urgently? GuidoElia HELPPC -Original Message- From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Friday, 20 March 2009 18.35 To: NT System Admin Issues Subject: RE: April 1st Conflicker Version C to erupt I can definitely confirm

RE: April 1st Conflicker Version C to erupt

2009-03-20 Thread Kennedy, Jim
: NT System Admin Issues > Subject: RE: April 1st Conflicker Version C to erupt > > I can definitely confirm that a patched machine can get infected from > an > infected flash drive. > > > -Original Message- > From: Kennedy, Jim [mailto:kennedy...@elyriaschools

RE: April 1st Conflicker Version C to erupt

2009-03-20 Thread Glen Johnson
I can definitely confirm that a patched machine can get infected from an infected flash drive. -Original Message- From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] Sent: Friday, March 20, 2009 1:25 PM To: NT System Admin Issues Subject: RE: April 1st Conflicker Version C to erupt

RE: April 1st Conflicker Version C to erupt

2009-03-20 Thread Kennedy, Jim
stem Admin Issues > Subject: RE: April 1st Conflicker Version C to erupt > > Weird part is I was patched for MS08-067 on these servers reported > infected and still the AV is showing infection results. Shouldn't be > vulnerable if you have already applied MS08-067, weirdness. >

RE: April 1st Conflicker Version C to erupt

2009-03-20 Thread Sam Cayze
: Michael B. Smith [mailto:mich...@theessentialexchange.com] Sent: Friday, March 20, 2009 11:59 AM To: NT System Admin Issues Subject: RE: April 1st Conflicker Version C to erupt I do not know the answer to this, but based on what I've read about the infection vector, as long as you don

RE: April 1st Conflicker Version C to erupt

2009-03-20 Thread Ziots, Edward
twork + ezi...@lifespan.org Phone:401-639-3505 -Original Message- From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] Sent: Friday, March 20, 2009 11:52 AM To: NT System Admin Issues Subject: RE: April 1st Conflicker Version C to erupt MS and the Anti-Virus vendors have really l

Re: April 1st Conflicker Version C to erupt

2009-03-20 Thread Steven Peck
everyone, including system. > > >> -Original Message- >> From: Michael B. Smith [mailto:mich...@theessentialexchange.com] >> Sent: Friday, March 20, 2009 12:59 PM >> To: NT System Admin Issues >> Subject: RE: April 1st Conflicker Version C to erupt >>

RE: April 1st Conflicker Version C to erupt

2009-03-20 Thread Kennedy, Jim
009 12:59 PM > To: NT System Admin Issues > Subject: RE: April 1st Conflicker Version C to erupt > > I do not know the answer to this, but based on what I've read about the > infection vector, as long as you don't run as admin I suspect you'll be > ok. > At

Re: April 1st Conflicker Version C to erupt

2009-03-20 Thread Steven Peck
>> Sent: Friday, March 20, 2009 11:37 AM >> To: NT System Admin Issues >> Cc: ntsysadmin@lyris.sunbelt-software.com >> Subject: April 1st Conflicker Version C to erupt >> Importance: High >> >> Folks, >> >> Seeing quite a bit of activity wi

RE: April 1st Conflicker Version C to erupt

2009-03-20 Thread Michael B. Smith
20, 2009 11:52 AM To: NT System Admin Issues Subject: RE: April 1st Conflicker Version C to erupt MS and the Anti-Virus vendors have really let us down on this one. > -Original Message- > From: Ziots, Edward [mailto:ezi...@lifespan.org] > Sent: Friday, March 20, 2009 11:37

RE: April 1st Conflicker Version C to erupt

2009-03-20 Thread Kennedy, Jim
ril 1st Conflicker Version C to erupt > Importance: High > > Folks, > > Seeing quite a bit of activity with Conflicker, and on April 1st, > according to the following site, it's going to erupt with a lot of > malicious activity (port 80 outbound, P2P, mass infection), so > d

April 1st Conflicker Version C to erupt

2009-03-20 Thread Ziots, Edward
Folks, Seeing quite a bit of activity with Conflicker, and on April 1st, according to the following site, it's going to erupt with a lot of malicious activity (port 80 outbound, P2P, mass infection), so definitely get your systems patched, and AV signatures and HIPS updated. Just dealt with a bout of