关于W32.Downadup (Conficker)补充:Use Nmap  to Scan for infected computers http://insecure.org/
        如果安装了SEP,SEP的IPS会侦测到针对MS08-067的***,SID 23179在没有IPS的情况下(例如只安装了SAV,并且没有基于网络的IDS),可以用NMAP(4.85BETA7and newer)扫描出整个网络中感染此worm的计算机:
nmap -PN -T4 -p139,445 -n -v --script smb-check-vulns,smb-os-discovery --script-args safe=1 [targetnetworks] (eg:192.168.114.0/24)
 
扫描后查看日志,有
 Conficker: Likely INFECTED (by Conficker.C or lower)
内容的为可疑***ip!

        W32.Downadup是目前所接到的非常多客户报告的一个蠕虫病毒类。此病毒主要是利用微软RPC漏洞(MS08-067)、网络共享和USB传播。 

1)     Symantec对于W32.Downadup的说明:

Symantec针对于W32.Downadup的说明及处理办法

http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99

Symantec针对于W32.Downadup.B的说明及处理办法

http://www.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2

Symantec针对于W32.Downadup.C的说明及处理办法

http://www.symantec.com/security_response/writeup.jsp?docid=2009-030614-5852-99

Symantec针对于W32.Downadup.E的说明及处理办法

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-040823-4919-99

 该病毒的技术细节
http://www.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2
http://en.wikipedia.org/wiki/Conficker

 2)     更新补丁MS08-067的详细信息

http://www.microsoft.com/china/technet/security/bulletin/MS08-067.mspx

            http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
            http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
            http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker
            http://support.microsoft.com/kb/962007
            http://www.securityfocus.com/bid/31874

3)     Follow the MS Kb below to create a GPO and remove write permissions to the svchost, so that we can prevent the random named malware service from being created in the netsvcs registry value

http://support.microsoft.com/kb/962007/en-us

 4)     Disable autorun

http://msdn.microsoft.com/en-us/library/cc144204(VS.85).aspx

 如何查找网络中的非安全共享:
http://technet.microsoft.com/en-us/sysinternals/bb897442.aspx

 5)     Symantec专杀工具

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

 6)     Simple steps to protect yourself from the Conficker Worm

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009033012483648

 7)     微软对于此病毒的说明:

Worm:Win32/Conficker.A_from_Microsoft

http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.A

Worm:Win32/Conficker.B

http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B

Worm:Win32/Conficker.C from Microsoft

http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.C

Worm:Win32/Conficker.D_from_Microsoft

http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.D

 8)     由于W32.Downadup病毒其中的部分会尝试破解用户的密码,如果AD用户设定了密码锁定的策略,则可能会发现AD用户锁定的情况。

对于此问题,建议客户暂时关闭AD用户锁定的策略。对于AD用户锁定的技术细节,可以参考MS的KB:

Troubleshooting account lockout problems in Windows Server 2003, in Windows 2000, and in Windows NT 4.0

http://support.microsoft.com/default.aspx?scid=kb;EN-US;315585

User accounts are unexpectedly locked, and event ID 12294 is logged in Windows Server 2003

http://support.microsoft.com/default.aspx?scid=kb;EN-US;887433

 9)     如果断开网络之后,客户端不再报感染W32.Downadup的告警,则建议用户使用上述网络工具WireShark/TCPView等查找源。