OREANDA-NEWS. October 13, 2009. Russian schools have been provided with anti-virus software under the “Education” national priority project since 2008. Alas, the infection level in school networks remains rather high. Doctor Web engineers deploying the Dr.Web anti-virus service software in schools face the problem on a daily basis. However, once Dr.Web anti-virus is installed and launched, the situation changes dramatically.

The free deployment program for schools in the Novosibirsk region started on June 26, 2009, with Dr.Web AV-Desk providing anti-virus software featuring Parental control on school machines in the region.

With the parental control, Dr.Web not only protects systems from malware but also blocks access to unwanted websites and helps avoid contact with cyber-criminals, making Internet use in classes more productive and completely safe.

Dr.Web anti-virus in action

A secondary school in the Russian town of Berdsk also joined the deployment program, and it was in the school’s network that the virus incident occurred.

It began when Doctor Web’s engineers working with the Dr.Web AV-Desk console detected a surge of viral activity in the school network. In three days the SpIDer Guard resident monitor neutralized around four hundred samples of malware. A subsequent analysis revealed that all of these programs had been spread over the network from a single workstation.

Doctor Web’s support engineers arrived at the site. The computer found to be the source of the infection was completely unprotected. The system was compromised by Win32.HLLW.Shadow.based (aka Conficker). Outbound malicious traffic spread the infection to all computers in the domain, turning them into botnet zombies. The sites of many anti-virus vendors, including www.drweb.com and www.freedrweb.com, could not be accessed from the compromised machine, ensuring that curing software could not be downloaded onto the computer.
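The two defender-side checks the story above turns on, finding the single workstation that the neutralized samples came from and confirming that the vendor sites are deliberately unreachable, can be scripted against exported console data. The following is an added example, not Doctor Web's code and not the AV-Desk console's API: the event tuples, the field that records where a file was copied from, and the hosts-file contents are all constructed sample data, and hosts-file pinning is assumed here as one well-known way the "vendor site unreachable" symptom appears (the page does not say which mechanism was used in this incident).

```python
"""Added example (not Doctor Web's code): locate an infection source from
centralized detection events and spot anti-virus vendor domains pinned in a
hosts file. All data below is constructed."""
from collections import Counter

# Constructed console events: (timestamp, host where the resident monitor
# fired, threat name, path the file arrived from). The "arrived from" field
# is an assumption about what a central console would record.
SAMPLE_EVENTS = [
    ("2009-09-01T09:12:00", "CLASS-01", "Win32.HLLW.Shadow.based", r"\\LIB-PC\share\a.exe"),
    ("2009-09-01T09:14:10", "CLASS-02", "Win32.HLLW.Shadow.based", r"\\LIB-PC\share\b.exe"),
    ("2009-09-01T09:20:33", "CLASS-03", "Win32.HLLW.Shadow.based", r"\\LIB-PC\ADMIN$\c.dll"),
    ("2009-09-01T10:02:45", "CLASS-01", "Win32.HLLW.Shadow.based", r"\\LIB-PC\share\d.exe"),
    ("2009-09-02T08:30:00", "TEACHER-PC", "Win32.HLLW.Shadow.based", r"\\LIB-PC\share\e.exe"),
    ("2009-09-02T11:45:12", "CLASS-02", "Trojan.DownLoader.sample", r"C:\Users\pupil\Downloads\setup.exe"),
    ("2009-09-03T07:55:41", "CLASS-04", "Win32.HLLW.Shadow.based", r"\\class-02\c$\f.exe"),
]

# Vendor sites named on the page; extend with the vendors your estate uses.
VENDOR_DOMAINS = {"www.drweb.com", "www.freedrweb.com"}

# Constructed hosts file as it might look on the unprotected machine.
SAMPLE_HOSTS = """# constructed sample, not a real capture
127.0.0.1   localhost
127.0.0.1   www.drweb.com
0.0.0.0     www.freedrweb.com
127.0.0.1   update.example-av.invalid
"""


def origin_host(path):
    """Return the upper-cased host of a UNC path (\\\\HOST\\share\\...), else None."""
    if path.startswith("\\\\"):
        return path[2:].split("\\", 1)[0].upper()
    return None  # local path: no network origin to attribute


def find_infection_source(events, min_share=0.5):
    """Count detections by originating host. Return (host, hits, total) for the
    host behind at least min_share of network-borne detections, else None."""
    counts = Counter()
    for _ts, _host, _threat, origin in events:
        src = origin_host(origin)
        if src:
            counts[src] += 1
    if not counts:
        return None
    src, hits = counts.most_common(1)[0]
    total = sum(counts.values())
    return (src, hits, total) if hits / total >= min_share else None


def affected_hosts(events, source):
    """Hosts that received files from `source`; the clean-up list for the rest
    of the domain once the source itself has been contained."""
    return sorted({host for _ts, host, _threat, origin in events
                   if origin_host(origin) == source})


def blocked_vendor_domains(hosts_text, watch=VENDOR_DOMAINS):
    """Map each watched vendor domain that is pinned to a loopback or
    unspecified address in hosts_text to that address."""
    from ipaddress import ip_address
    blocked = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ip_address(addr)
        except ValueError:
            continue  # malformed line, not our concern here
        if ip.is_loopback or ip.is_unspecified:
            for name in names:
                if name.lower() in watch:
                    blocked[name.lower()] = addr
    return blocked


if __name__ == "__main__":
    found = find_infection_source(SAMPLE_EVENTS)
    if found:
        src, hits, total = found
        print(f"likely source: {src} ({hits}/{total} network-borne detections)")
        print("hosts to cure next:", ", ".join(affected_hosts(SAMPLE_EVENTS, src)))
    for name, addr in blocked_vendor_domains(SAMPLE_HOSTS).items():
        print(f"vendor site {name} pinned to {addr}")
```

On the sample data the script attributes five of six network-borne detections to LIB-PC, lists the four hosts it seeded for follow-up cleaning, and flags both vendor domains from the page as pinned to a non-routable address; the `min_share` threshold is an arbitrary cut-off so that a network with several independent sources is not reported as having one.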

The malicious program ran with administrator privileges, so SpIDer Guard could only remove infected files when a process attempted to execute them. Consequently, the administrator password of the unprotected machine was also compromised. Any attempt to change the password was simply reset. Doctor Web support engineers had to change the password encryption algorithm in the domain and set stricter security rules.

When the infection on the compromised system had been neutralized, there were still other computers in the domain to be cured. The new product from Doctor Web, its networking anti-virus utility Dr.Web CureNet!, which provides centralized scanning and curing, helped the engineers tackle the aftermath of the incident. Two hundred and seven infected objects were found while scanning all workstations and servers. The threat was neutralized successfully.

Here the Dr.Web anti-virus service helped to detect the source of the infection even though no Dr.Web software was installed on the compromised machine. The problem might have remained unsolved for a long time had the infection source not been discovered promptly. Centralized monitoring of viral activity enabled the support engineers to quickly track down the malware and neutralize it. In its turn, Dr.Web CureNet! played its part in the final network clean-up performed on workstations and servers without installing the software on the target machines.