HKFuey
asked on
Virus: locate infected machine
Hi,
We have Trend Micro Installed on our network PC's. Does anyone know how I can Identify the source of the infection (see attached).
The messages are popping up on lots of PC's.
Trend-Micro.bmp
We have Trend Micro Installed on our network PC's. Does anyone know how I can Identify the source of the infection (see attached).
The messages are popping up on lots of PC's.
Trend-Micro.bmp
When you say "source of the infection", are you trying to establish which of the computers was infected first before it proliferated through the network (ie. find out what user opened a bad email or inserted a usb flash drive), OR do you mean as dbrunton has assumed (ie. what the actual name of the virus is)?
you can see the path in that infected column looks like C:\windows\system32\
scan that file online.
www.virustotal.com or virscan.org you will get the name of virus then you can find more information on that virus and also removal instructions.
scan that file online.
www.virustotal.com or virscan.org you will get the name of virus then you can find more information on that virus and also removal instructions.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Downad.AD is the Conficker Worm (as stated by dbrunton), and Mal_DownadJ is the part of it that created the scheduled task so it could execute at a scheduled time and date.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Too slow! Good you found the culprit but still could do with closing this particular door to stop it arriving via a different route.
Good call with WireShark. I was actually just in the process of checking out Network Sniffers after reading up again on the details of the number of URLs and Servers that it connects to/with. I was looking for a Video on the Sophos site by their chief engineer demonstration WireShark at work so I could post back here with the link. Seems you beat me to it ;-)
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for the help!
If you have the same problem, try this: -
http://www.wireshark.org/download.html
If you have the same problem, try this: -
http://www.wireshark.org/download.html
Thank you HKFuey, even though I was too late in suggesting the same utility you actually used yourself to pin down the source. Just for completeness, if anyone else happens upon this question, the Sophos video that I was originally looking for is here:
http://www.youtube.com/user/SophosLabs#p/u/48/nPKYubm7yeA
Or a better version from the Main Menu > "Adobe Reader Vulnerability Demo" here:
http://www.sophos.com/en-us/security-news-trends/anatomy-of-an-attack.aspx
http://www.youtube.com/user/SophosLabs#p/u/48/nPKYubm7yeA
Or a better version from the Main Menu > "Adobe Reader Vulnerability Demo" here:
http://www.sophos.com/en-us/security-news-trends/anatomy-of-an-attack.aspx
See http://esupport.trendmicro.com/solution/en-us/1039145.aspx
Not sure if their advice will apply to your network system or not.