Ask the Expert

Detecting a Lovelorn-infected PC in the internal network

How do you detect a Lovelorn virus-infected PC in the internal network to stop its mass-mailing payload? Given that our firewall uses NAT to hide internal IP addresses, how do I go around this to determine the culprit?

    Requires Free Membership to View

As will always be the case, the first way to look for a virus is using a virus scanner. You should have up-to-date AV software installed on all your machines already, but it sounds like that it not the case. This may be a way to get more upper-management approval for a process of updating the AV software and ensuring that it is installed on all machines.

A few other things to try, courtesy of my friends in AVIEWS:

  • Perform a review of the firewall logs. Look for someone (other than the corporate e-mail server) sending quantities of port 25 traffic, especially after office hours.
  • Given that this worm also harvests e-mail addresses from Web pages, you could place a honeypot e-mail address on some common internal Web sites -- a non-visible "mailto:" tag is all it takes.
  • I hope this helps you track down the offending machine and stop it.


    For more info on this topic, check out these SearchSecurity.com resources:
  • Best Web Links: Malware
  • Featured Topic: Focus on viruses
  • Best Web Links: Secure Messaging

  • This was first published in July 2003

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: