Where do I start with a worm?

By tschmidt
I think we have a worm running through our network, we have unexpected connection drops and when anyone tries to do a Google search they get the 403 error. I'm not sure where I should begin in trying to find out if it is a worm or not. We have Symantec Anti-virus Corporate Edition and all definitions are up to date and everything checks out. I was thinking bringing a laptop from outside the network and plugging it in. Any suggestions on software to run to capture what gets sent? Any ideas would be appreciated.


All Answers

Isolate a machine

by Tig2 In reply to Where do I start with a w ...

Download from a safe source a copy of AVG free or Clam AV. Install to a single machine. Boot to safe and scan.

If you still don't find anything, try a third scan using another AV.

If you have something on the box, chances are that you have it on every box. And check your servers too.

I'd be taking a hard look at the firewall logs. If it came in via the net, you should find traces there.

Google for "network sniffer open source". You will find several. Install one on the isolated box and re-attach to the network. That box will now be your sniffer. It should tell you what is happening. It may be wise to put an extra firewall on that isolated pc.

Let us know how you get on.

Good luck!
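An added example, not part of the thread: once the isolated box is running a sniffer, the quickest way to tell a worm from ordinary traffic is to count how many distinct hosts each source tries to reach on the same port, since a scanning worm fans out to many neighbours while normal clients talk to a handful of servers. The one-line-per-packet summary format, the field order and the threshold below are assumptions, and the log lines are constructed for the example.

```python
"""Flag worm-like scanning in summarised sniffer output."""
from collections import defaultdict

# Constructed sample of summarised sniffer output (assumed format):
# time  source_ip  destination_ip  destination_port  tcp_flags
# 192.168.1.30 behaves like a normal client; 192.168.1.20 probes
# twelve neighbours on TCP 445 with bare SYNs, the fan-out of a scanner.
SAMPLE_LOG = [
    "10:00:01 192.168.1.30 192.168.1.5 80 S",
    "10:00:02 192.168.1.30 192.168.1.5 80 A",
    "10:00:03 192.168.1.30 192.168.1.6 443 S",
] + [
    f"10:00:{5 + i:02d} 192.168.1.20 192.168.1.{100 + i} 445 S"
    for i in range(12)
]


def parse(lines):
    """Split each summary line into (time, src, dst, port, flags)."""
    records = []
    for line in lines:
        ts, src, dst, port, flags = line.split()
        records.append((ts, src, dst, int(port), flags))
    return records


def flag_scanners(records, min_targets=8):
    """Return (src, port, distinct_targets) for sources whose SYN-only
    connection attempts reach at least min_targets distinct hosts on
    one port. Replies (ACK set) are ignored so servers answering many
    clients are not mistaken for scanners."""
    targets = defaultdict(set)  # (src, port) -> set of destination IPs
    for _, src, dst, port, flags in records:
        if "S" in flags and "A" not in flags:
            targets[(src, port)].add(dst)
    return sorted(
        (src, port, len(dsts))
        for (src, port), dsts in targets.items()
        if len(dsts) >= min_targets
    )


if __name__ == "__main__":
    for src, port, count in flag_scanners(parse(SAMPLE_LOG)):
        print(f"{src} probed {count} hosts on tcp/{port}")
```

Point the same logic at a real capture exported one packet per line and the flagged source is the machine to pull off the network first.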


by tschmidt In reply to Isolate a machine


Thanks for the info. This morning I removed a machine from the network and ran in safe mode:
1. AVG
2. Clam AV
Nothing was found on the machine. Unfortunately my boss is on vacation and I don't know the username/password for the router, so I can't check the firewall logs. So I'm going to set up a sniffer now. If it was a worm, would I have found something in the scans?
