Detecting a Lovelorn-infected PC in the internal network
How do you detect a Lovelorn virus-infected PC in the internal network to stop its mass-mailing payload? Given that our firewall uses NAT to hide internal IP addresses, how do I go around this to determine the culprit?
As will always be the case, the first way to look for a virus is using a virus scanner. You should have up-to-date AV software installed on all your machines already, but it sounds like that is not the case. This may be a way to get more upper-management approval for a process of updating the AV software and ensuring that it is installed on all machines.
A few other things to try, courtesy of my friends in AVIEWS:
Perform a review of the firewall logs. Look for someone (other than the corporate e-mail server) sending quantities of port 25 traffic, especially after office hours.
Given that this worm also harvests e-mail addresses from Web pages, you could place a honeypot e-mail address on some common internal Web sites -- a non-visible "mailto:" tag is all it takes.
I hope this helps you track down the offending machine and stop it.
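The firewall-log review described in the answer above, worked as a small script. This is an added example, not part of the original answer and not tied to any particular firewall product: the log format, the mail server address (10.0.0.5), the office hours (08:00-18:00) and all log lines are constructed assumptions. The point it shows is that a NAT firewall normally logs the pre-translation internal source address, so the logs, not the outside world, are where you see the culprit; the script counts outbound port 25 connections per internal source, ignores the corporate relay, and flags hosts that talk to many distinct mail servers, especially after hours.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log in a generic "accept" line format (hypothetical,
# not any vendor's real format). The src field is the internal, pre-NAT address,
# which is what lets us see through the NAT to the originating machine.
SAMPLE_LOG = """\
2003-07-14 09:12:01 accept proto=tcp src=10.0.0.5 dst=192.0.2.10 dport=25
2003-07-14 09:12:07 accept proto=tcp src=10.0.0.5 dst=198.51.100.20 dport=25
2003-07-14 10:03:44 accept proto=tcp src=10.0.0.37 dst=203.0.113.80 dport=80
2003-07-14 22:15:02 accept proto=tcp src=10.0.0.37 dst=192.0.2.10 dport=25
2003-07-14 22:15:03 accept proto=tcp src=10.0.0.37 dst=198.51.100.20 dport=25
2003-07-14 22:15:03 accept proto=tcp src=10.0.0.37 dst=203.0.113.25 dport=25
2003-07-14 22:15:04 accept proto=tcp src=10.0.0.37 dst=192.0.2.99 dport=25
2003-07-14 23:40:10 accept proto=tcp src=10.0.0.12 dst=192.0.2.10 dport=25
"""

MAIL_SERVER = "10.0.0.5"   # assumed address of the legitimate corporate mail relay
OFFICE_HOURS = (8, 18)     # assumed local office hours, 08:00 to 18:00

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) accept proto=tcp "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def smtp_talkers(log_text, mail_server=MAIL_SERVER, office_hours=OFFICE_HOURS):
    """Per internal source: outbound SMTP connection count, how many fell
    outside office hours, and the set of distinct destination mail hosts.
    The corporate relay is excluded because it is supposed to send mail."""
    stats = defaultdict(lambda: {"total": 0, "after_hours": 0, "dests": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dport"] != "25" or m["src"] == mail_server:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        rec = stats[m["src"]]
        rec["total"] += 1
        rec["dests"].add(m["dst"])
        if not (office_hours[0] <= ts.hour < office_hours[1]):
            rec["after_hours"] += 1
    return stats


def rank_suspects(stats, min_dests=2):
    """Order sources by distinct SMTP destinations, then by total connections.
    One desktop connecting directly to many different mail servers is the
    mass-mailer fingerprint; a single connection to a single host is more
    likely a misconfigured client and is dropped below min_dests."""
    ranked = sorted(
        ((src, len(r["dests"]), r["total"], r["after_hours"]) for src, r in stats.items()),
        key=lambda row: (row[1], row[2]),
        reverse=True,
    )
    return [row for row in ranked if row[1] >= min_dests]


if __name__ == "__main__":
    for src, ndests, total, after in rank_suspects(smtp_talkers(SAMPLE_LOG)):
        print(f"{src}: {total} SMTP connections to {ndests} hosts, {after} after hours")
```

Run it against a real export of your firewall's accept log after adjusting LINE_RE to that product's format; the host at the top of the list is the one to pull off the network and scan. The same counting works on a packet capture taken on the inside interface of the firewall if the logs do not record the internal address.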
For more info on this topic, check out these SearchSecurity.com resources:
Best Web Links: Malware
Featured Topic: Focus on viruses
Best Web Links: Secure Messaging
This was first published in July 2003