Best practices for remediating W32.Qakbot infected networks
Last Updated November 05, 2014
W32.Qakbot is a network-aware worm that spreads by exploiting several OS and software vulnerabilities and by copying itself to unprotected Windows file shares.
Identification and Information:
Read the Qakbot Family Write-up. This document is updated as new variants are discovered and is the most comprehensive document available on Qakbot. It is important that you are familiar with this complex threat before you attempt to remove it.
For additional information, read the W32.Qakbot in Detail white paper from Symantec Security Response.
Containment:
Disable Autorun on all systems on the network using a Group Policy Object (GPO) in Windows or an Application and Device Control (ADC) Policy in the Symantec Endpoint Protection Manager (SEPM).
Block all known W32.Qakbot communications to external servers. This prevents the threat from downloading a new variant. For an up-to-date list of servers that require blocking, see the Qakbot Family Write-up.
If re-infections continue to occur after taking all of the above steps, it may be necessary to disable all open shares (i.e. C$) and re-evaluate the security posture of the network with regard to file sharing and the use of Windows administrative user accounts.
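The three containment steps above are normally pushed through a GPO or an SEPM policy. The script below is an added example, not part of the Symantec article and not a Symantec tool, showing the host-level equivalents an administrator can apply to a single Windows machine and then verify. It assumes local administrator rights, PowerShell 4.0 or later with the NetSecurity and SmbShare modules (Windows 8 / Server 2012 or later), and the function names Invoke-QakbotContainment and Test-QakbotContainment are this example's own. The server addresses are constructed placeholders from the RFC 5737 test ranges; the real list comes from the Qakbot Family Write-up.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Symantec article): host-level equivalents of the
# containment steps, for one Windows host when a GPO or SEPM policy cannot be
# pushed. Assumes PowerShell 4.0+ with the NetSecurity and SmbShare modules.
# The server list is a CONSTRUCTED placeholder; take the real list from the
# Qakbot Family Write-up.

function Invoke-QakbotContainment {
    param(
        # Addresses the threat contacts to fetch new variants (placeholder values).
        [string[]]$QakbotServers = @('192.0.2.10', '198.51.100.25'),
        # Only set this after the network's file-sharing posture has been reviewed.
        [switch]$DisableAdminShares
    )

    # 1. Disable Autorun for every drive type. This is the value the
    #    "Turn off Autoplay" policy writes; 0xFF covers all drive types.
    $explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
    Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

    # 2. Block outbound connections to the known servers with one firewall rule,
    #    replacing any earlier rule of the same name so the list stays current.
    $ruleName = 'Block W32.Qakbot servers'
    Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -RemoteAddress $QakbotServers -Profile Any | Out-Null

    # 3. Report the open administrative shares (C$, D$, ...) the worm can use to
    #    spread, and optionally stop the Server service from recreating them.
    $adminShares = Get-SmbShare | Where-Object { $_.Name -match '^[A-Z]\$$' }
    if ($DisableAdminShares) {
        $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        foreach ($name in 'AutoShareWks', 'AutoShareServer') {
            Set-ItemProperty -Path $lanman -Name $name -Value 0 -Type DWord
        }
        $adminShares | Remove-SmbShare -Force
    }
    $adminShares | Select-Object Name, Path
}

function Test-QakbotContainment {
    # Returns the state an auditor would check after the steps above.
    param([string]$RuleName = 'Block W32.Qakbot servers')
    $autorun = Get-ItemProperty `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
        -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutorunDisabled  = ($autorun.NoDriveTypeAutoRun -eq 0xFF)
        QakbotRuleActive = ($null -ne $rule -and $rule.Enabled -eq 'True')
        OpenAdminShares  = @(Get-SmbShare | Where-Object { $_.Name -match '^[A-Z]\$$' }).Name
    }
}

# Run the containment steps (admin shares are only listed, not removed), then verify.
Invoke-QakbotContainment
Test-QakbotContainment
```

Run Invoke-QakbotContainment with -DisableAdminShares only once the file-sharing review in the last containment step has been done, because removing C$ also breaks legitimate remote administration; the OpenAdminShares list from Test-QakbotContainment shows which hosts still expose the shares the worm uses to spread.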
Remediation:
Repair client permissions using the W32.Qakbot Permissions reset tool available from the Qakbot Family Write-up.
Note: This tool fixes the permission changes that some W32.Qakbot variants make to the Symantec directories. It does not remove the virus. Be sure to read the instructions carefully.
Update virus definitions and scan to remove the threat files.
Note: If the machine is connected to an infected network, there is a chance of re-infection if the threat is allowed to spread (see the Containment section above).