Detecting a Lovelorn-infected PC in the internal network

How do you detect a Lovelorn virus-infected PC in the internal network to stop its mass-mailing payload? Given...

that our firewall uses NAT to hide internal IP addresses, how do I go around this to determine the culprit?

As will always be the case, the first way to look for a virus is using a virus scanner. You should have up-to-date AV software installed on all your machines already, but it sounds like that it not the case. This may be a way to get more upper-management approval for a process of updating the AV software and ensuring that it is installed on all machines.

A few other things to try, courtesy of my friends in AVIEWS:

  • Perform a review of the firewall logs. Look for someone (other than the corporate e-mail server) sending quantities of port 25 traffic, especially after office hours.
  • Given that this worm also harvests e-mail addresses from Web pages, you could place a honeypot e-mail address on some common internal Web sites -- a non-visible "mailto:" tag is all it takes.
  • I hope this helps you track down the offending machine and stop it.

    For more info on this topic, check out these SearchSecurity.com resources:
  • Best Web Links: Malware
  • Featured Topic: Focus on viruses
  • Best Web Links: Secure Messaging

  • This was last published in July 2003

    Dig Deeper on Malware, Viruses, Trojans and Spyware



    Find more PRO+ content and other member only offers, here.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.



    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: