W32.Qakbot is a network-aware worm that spreads using several OS and software vulnerabilities and unprotected Windows file shares.
Identification and Information:
Read the Qakbot Family Write-up
This document is being updated as new variants are discovered and is the most comprehensive document available on Qakbot. It is important that you are familiar with this complex threat before you attempt to remove it.
For additional information, read the W32.Qakbot in Detail white paper from Symantec Security Response.
Containment:
Disable Autorun on all systems on the network using a Group Policy Object (GPO) in Windows or an Application and Device Control (ADC) Policy in the Symantec Endpoint Protection Manager (SEPM).
For GPO read: How to disable the Autorun functionality in Windows
Note: It is strongly recommended to disable the Autorun feature using Group Policy from the Domain Controller.
Disable Windows Task Scheduler on all systems on the network
For more information read: How to prevent a user from running Task Scheduler in Windows
Note: It is strongly recommended to disable the Windows Task Scheduler using Group Policy from the Domain Controller.
Patch all systems with the latest Microsoft and Apple Security Patches.
The following vulnerabilities have been used to spread this threat:
Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness (BID 10514)
Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability (BID 17462)
Apple QuickTime for Windows Remote Code Execution Vulnerability (BID 25913)
Apple QuickTime RTSP URI Remote Buffer Overflow Vulnerability (BID 21829)
Block all known W32.Qakbot communications to external servers. This is designed to prevent the threat from downloading a new variant. For an up-to-date list of servers that require blocking, see the Qakbot Family Write-up.
If re-infections continue to occur after taking all of the above steps, it may be necessary to disable all open shares (e.g. C$) and re-evaluate the security posture of the network with regard to file sharing and the use of Windows administrative user accounts.
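The containment steps above are normally pushed by Group Policy from the Domain Controller, but it helps to be able to apply and verify them on a single host first. The following PowerShell script is an added example (it is not a Symantec tool and is not part of the original article): it sets the Autorun policy value, disables the Task Scheduler service, adds outbound firewall block rules for the known servers, and removes the drive-letter administrative shares, then reports the result. The server list is a constructed placeholder (the 203.0.113.0/24 documentation range); replace it with the current list from the Qakbot Family Write-up. Stopping the Schedule service is an assumption that suits Windows XP/2003 era hosts; on later Windows the service is protected and the per-user policy from the linked Microsoft article is the supported route. Run from an elevated session.

```powershell
# Added example, not from the Symantec write-up: applies the containment
# steps on one host for testing and reports the resulting state.
# Requires an elevated (Administrator) Windows PowerShell session.

# Constructed placeholder list. Replace with the current server list from the
# Qakbot Family Write-up; 203.0.113.0/24 is a documentation range, not real C2.
$KnownQakbotServers = @('203.0.113.10', '203.0.113.11')

function Disable-Autorun {
    # NoDriveTypeAutoRun = 0xFF disables Autorun for every drive type; this is the
    # same value the "How to disable the Autorun functionality in Windows" article sets.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Test-AutorunDisabled {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    return ($v -eq 0xFF)
}

function Disable-TaskScheduler {
    # Assumption: stopping and disabling the Schedule service is acceptable here.
    # Works directly on XP/2003; on Vista and later use the policy route instead.
    Stop-Service -Name 'Schedule' -Force -ErrorAction SilentlyContinue
    Set-Service -Name 'Schedule' -StartupType Disabled
}

function Block-QakbotServers {
    param([string[]]$Servers)
    foreach ($ip in $Servers) {
        # One outbound block rule per server. The rule name prefix makes the rules
        # easy to audit and to remove once the outbreak is over.
        netsh advfirewall firewall add rule name="Block Qakbot C2 $ip" `
            dir=out action=block remoteip=$ip | Out-Null
    }
}

function Disable-AdminShares {
    # Stop the Server service from recreating C$, D$, ADMIN$ on the next start ...
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $p -Name 'AutoShareServer' -Value 0 -Type DWord
    Set-ItemProperty -Path $p -Name 'AutoShareWks'    -Value 0 -Type DWord
    # ... and remove the drive-letter admin shares that are published right now.
    # IPC$ and ADMIN$ are left alone here so remote management keeps working.
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -eq 2147483648 -and $_.Name -match '^[A-Z]\$$' } |
        ForEach-Object { net share "$($_.Name)" /delete | Out-Null }
}

function Get-ContainmentStatus {
    # Small report so the operator can confirm each step took effect.
    [pscustomobject]@{
        AutorunDisabled    = Test-AutorunDisabled
        ScheduleStartMode  = (Get-WmiObject Win32_Service -Filter "Name='Schedule'").StartMode
        QakbotBlockRules   = (netsh advfirewall firewall show rule name=all |
                                  Select-String 'Block Qakbot C2').Count
        DriveAdminShares   = (Get-WmiObject Win32_Share |
                                  Where-Object { $_.Name -match '^[A-Z]\$$' }).Count
    }
}

Disable-Autorun
Disable-TaskScheduler
Block-QakbotServers -Servers $KnownQakbotServers
Disable-AdminShares
Get-ContainmentStatus | Format-List
```

Read the status report before moving on: `AutorunDisabled` should be `True`, `ScheduleStartMode` should be `Disabled`, `QakbotBlockRules` should equal the number of servers in your list, and `DriveAdminShares` should be 0. Because the registry settings here are the same ones Group Policy writes, a GPO applied later will keep them in the desired state rather than conflict with them.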
Endpoint Remediation:
Repair client permissions using the W32.Qakbot Permissions reset tool available on the Qakbot Family Write-up.
Note: This is designed to fix the permission changes that some W32.Qakbot variants make to the Symantec directories. It does not remove the virus. Be sure to read the instructions carefully.
For information on manually resetting ACL permissions modified by Qakbot, see:
How to use CACLS (Change Access Control Lists) to reset ACL permissions for the Symantec directories impacted by W32.Qakbot.
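If the permissions reset tool cannot be used, the same repair can be scripted around CACLS as the linked article describes. The PowerShell script below is an added example, not Symantec's tool and not from the CACLS article: it takes ownership of each directory, grants SYSTEM and Administrators full control recursively, and then checks the resulting ACL, including that no Deny entry is left over (a residual Deny ACE overrides any grant just added). The directory paths are placeholders; use the Symantec directories named in the CACLS article for your product version. Run from an elevated session.

```powershell
# Added example, not Symantec's permissions-reset tool: restores SYSTEM and
# Administrators full control on the Symantec directories and verifies it.
# Requires an elevated Windows PowerShell session.

# Placeholder paths. Replace with the directories listed in the CACLS article.
$SymantecDirs = @(
    'C:\PLACEHOLDER\Symantec\Program Directory',
    'C:\PLACEHOLDER\Symantec\Data Directory'
)

function Reset-SymantecAcl {
    param([string[]]$Paths)
    foreach ($dir in $Paths) {
        if (-not (Test-Path -LiteralPath $dir)) {
            Write-Warning "Skipping missing directory: $dir"
            continue
        }
        # Take ownership first (/A = Administrators group, /R recurse, /D Y answers
        # the prompt). If access was denied to Administrators, cacls alone would fail.
        takeown /F "$dir" /R /A /D Y | Out-Null
        # /T recurse, /E edit the ACL instead of replacing it, /C continue on errors,
        # /G grant the named account full control.
        cacls "$dir" /T /E /C /G "SYSTEM:F"         | Out-Null
        cacls "$dir" /T /E /C /G "Administrators:F" | Out-Null
    }
}

function Test-SymantecAcl {
    param([string]$Path)
    # True when SYSTEM and Administrators both hold an Allow FullControl entry
    # on the directory itself and no Deny entry remains.
    $acl  = Get-Acl -LiteralPath $Path
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $granted = foreach ($id in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
        [bool]($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $id -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $full) -eq $full)
        })
    }
    $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    return (($granted -notcontains $false) -and ($deny.Count -eq 0))
}

Reset-SymantecAcl -Paths $SymantecDirs
foreach ($dir in $SymantecDirs) {
    if (Test-Path -LiteralPath $dir) {
        "{0}  ok={1}" -f $dir, (Test-SymantecAcl -Path $dir)
    }
}
```

The check deliberately inspects the directory's own ACL rather than trusting the exit code of cacls, because cacls with `/C` continues past files it could not change. CACLS is deprecated on current Windows in favour of `icacls`, whose `/reset` and `/grant` switches do the equivalent work; the article's instructions use CACLS, so this example follows them.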
Update virus definitions and scan to remove the threat files.
Note: If the machine is connected to an infected network, there is a chance of re-infection if the threat is allowed to spread (see the Containment section above).
Use the ADC policy that has been created against W32.Qakbot. For more information, please see the "ADC and Threat Outbreaks" section of Best Practices for Deploying Symantec Endpoint Protection's Application and Device Control Policies