I spent 3 days over a weekend, and a friday clearing my domain ( 300+ clients ) of the B variant.

If like me, you had up to date virus definitions, up to date WSUS, and a quite decent security template with Group Policy, despite this i was still infected.

How? the auto.inf file within USB sticks which shitty Symantec AV corp does not scan.

Advertisement

So, i was royally fucked.

In short, to clear your network ( or rather how i did mine)

In safe mode, run the removal tools
windows-kb890830-v2.7.exe (there is a 2.8,or 2.9 now?)
FixDownadup.exe - Symantec tool.

Advertisement

then install - WindowsXP-SP2-KB958644-x86-ENU.exe
Finally, install WindowsXP-KB967715-x86-ENU.exe

Check then for scheduled tasks ( they are called ao1,a02,a03,a04 delete these!)

Disabled Scheduled tasks on critical machines, as it uses this to propagate the tasks across network shares.
use complex local account passwords ( change them if you can )

Advertisement

This is what i did, and this cleared it,eventually, there is lots of other ways lurking on the internet, which i read, and thought would work( the GP modelling) and some that didn't. The above details worked for me, took a lot of time, and i learnt that no matter now secure your network is, you can't stop someone being stupid/niave.

I accept some blame, as i saw the AV alert for it, and it was deleted ( reported by Symanted as deleted ) so why investigated, only afterwards when i checked security logs on numerous domain controllers did i see the machine infected - trying hundreds of domain accounts and failing ( keylogger )