Question

Where do I start with a worm?

By tschmidt
I think we have a worm running through our network: we have unexpected connection drops, and when anyone tries to do a Google search they get a 403 error. I'm not sure where I should begin in trying to find out if it is a worm or not. We have Symantec Anti-virus Corporate Edition, all definitions are up to date and everything checks out. I was thinking of bringing a laptop from outside the network and plugging it in. Any suggestions on software to run to capture what gets sent? Any ideas would be appreciated.
Thanks


All Answers

Isolate a machine

by Tig2 In reply to Where do I start with a w ...

Download from a safe source a copy of AVG free or Clam AV. Install to a single machine. Boot to safe and scan.

If you still don't find anything, try a third scan using another AV.

If you have something on the box, chances are that you have it on every box. And check your servers too.

I'd be taking a hard look at the firewall logs. If it came in via the net, you should find traces there.

Google for "network sniffer open source". You will find several. Install one on the isolated box and re-attach to the network. That box will now be your sniffer. It should tell you what is happening. It may be wise to put an extra firewall on that isolated pc.

Let us know how you get on.

Good luck!
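Once the isolated box is sniffing, the classic sign of a worm is one host fanning out to many different machines on the same port in a short time. The script below is an added example, not code from this thread; it assumes the sniffer's output has already been reduced to (timestamp, source IP, destination IP, destination port) records (the sample records are constructed) and flags any source that contacts many distinct hosts on one port within a sliding window, while leaving slow, ordinary activity alone.

```python
from collections import defaultdict, deque

# Constructed sample of connection attempts as a sniffer might log them:
# (timestamp_seconds, src_ip, dst_ip, dst_port).
SAMPLE_CONNECTIONS = (
    # Suspected worm host: 15 distinct targets on TCP/445 within 15 seconds.
    [(i, "10.0.0.12", f"10.0.1.{i + 1}", 445) for i in range(15)]
    # Normal workstation: a couple of web connections to the same servers.
    + [(5, "10.0.0.20", "10.0.0.5", 80),
       (7, "10.0.0.20", "10.0.0.5", 80),
       (9, "10.0.0.20", "10.0.0.6", 443)]
    # Slow but legitimate host: 12 targets on 445, one every two minutes.
    + [(120 * i, "10.0.0.30", f"10.0.2.{i + 1}", 445) for i in range(12)]
)


def scan_fanout(connections, window_seconds=60):
    """For each (src_ip, dst_port), return the largest number of distinct
    destination hosts contacted within any window_seconds interval."""
    by_key = defaultdict(list)
    for ts, src, dst, port in connections:
        by_key[(src, port)].append((ts, dst))

    result = {}
    for key, events in by_key.items():
        events.sort()                     # sliding window needs time order
        window = deque()                  # events currently inside the window
        live = defaultdict(int)           # dst -> count of events in window
        best = 0
        for ts, dst in events:
            window.append((ts, dst))
            live[dst] += 1
            # Drop events older than the window before measuring fan-out.
            while ts - window[0][0] > window_seconds:
                old_ts, old_dst = window.popleft()
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
            best = max(best, len(live))
        result[key] = best
    return result


def flag_scanners(connections, threshold=10, window_seconds=60):
    """Return sorted (src_ip, dst_port) pairs whose fan-out reaches threshold."""
    fanout = scan_fanout(connections, window_seconds)
    return sorted(key for key, n in fanout.items() if n >= threshold)


if __name__ == "__main__":
    for src, port in flag_scanners(SAMPLE_CONNECTIONS):
        print(f"possible worm activity: {src} scanning port {port}")
```

Tune the threshold and window to the size of your network; the sliding window is what keeps a host that legitimately talks to many machines over a day from tripping the alert.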

Update

by tschmidt In reply to Isolate a machine

Tigger,

Thanks for the info. This morning I removed a machine from the network and ran, in safe mode:
1. AVG
2. Clam AV
3. Sophos
Nothing was found on the machine. Unfortunately my boss is on vacation and I don't know the username/password for the router, so I can't check the firewall logs. So I'm going to set up a sniffer now. If it was a worm, would I have found something in the scans?
