
Detecting a Lovelorn-infected PC in the internal network

How do you detect a Lovelorn virus-infected PC in the internal network to stop its mass-mailing payload? Given that our firewall uses NAT to hide internal IP addresses, how do I go around this to determine the culprit?

As will always be the case, the first way to look for a virus is using a virus scanner. You should have up-to-date AV software installed on all your machines already, but it sounds like that is not the case. This may be a way to get more upper-management approval for a process of updating the AV software and ensuring that it is installed on all machines.

A few other things to try, courtesy of my friends in AVIEWS:

  • Perform a review of the firewall logs. Look for someone (other than the corporate e-mail server) sending quantities of port 25 traffic, especially after office hours.
  • Given that this worm also harvests e-mail addresses from Web pages, you could place a honeypot e-mail address on some common internal Web sites -- a non-visible "mailto:" tag is all it takes.

I hope this helps you track down the offending machine and stop it.


This was last published in July 2003
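
The firewall-log review suggested in the answer, sketched as an added example that is not part of the original answer. It counts outbound port 25 connections per internal source, skips the corporate mail server, and ranks the rest by after-hours activity. The log format, the addresses, the office hours and the threshold are all assumptions, and it presumes the firewall records the internal (pre-NAT) source address.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in a simplified key=value format. Assumption: the
# firewall logs the internal (pre-NAT) source address of each connection.
SAMPLE_LOG = """\
2003-07-14T10:02:11 SRC=10.0.0.5 DST=198.51.100.20 DPT=25 PROTO=TCP
2003-07-14T11:00:43 SRC=10.0.0.23 DST=198.51.100.20 DPT=25 PROTO=TCP
2003-07-14T11:01:02 SRC=10.0.0.23 DST=192.0.2.80 DPT=80 PROTO=TCP
2003-07-14T23:40:07 SRC=10.0.0.5 DST=203.0.113.9 DPT=25 PROTO=TCP
2003-07-15T02:13:05 SRC=10.0.0.57 DST=203.0.113.9 DPT=25 PROTO=TCP
2003-07-15T02:13:06 SRC=10.0.0.57 DST=198.51.100.77 DPT=25 PROTO=TCP
2003-07-15T02:13:08 SRC=10.0.0.57 DST=192.0.2.14 DPT=25 PROTO=TCP
2003-07-15T02:14:30 SRC=10.0.0.57 DST=198.51.100.20 DPT=25 PROTO=TCP
truncated line without fields
"""
MAIL_SERVERS = {"10.0.0.5"}   # hypothetical corporate mail server address
OFFICE_HOURS = range(8, 18)   # assumed office hours, 08:00 to 17:59
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+) PROTO=(\w+)$")

def smtp_senders(log_text, mail_servers=MAIL_SERVERS):
    """Per internal source: port 25 count, after-hours count, distinct destinations."""
    total, after, dests = Counter(), Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse
        ts, src, dst, dpt, proto = m.groups()
        if dpt != "25" or proto.upper() != "TCP" or src in mail_servers:
            continue  # not SMTP, or the expected mail server
        try:
            hour = datetime.fromisoformat(ts).hour
        except ValueError:
            continue  # unparseable timestamp
        total[src] += 1
        dests.setdefault(src, set()).add(dst)
        if hour not in OFFICE_HOURS:
            after[src] += 1
    return {s: {"total": total[s], "after_hours": after[s],
                "dests": len(dests[s])} for s in total}

def suspects(stats, min_total=3):
    """Sources with at least min_total SMTP connections, most after-hours first."""
    hits = [s for s in stats if stats[s]["total"] >= min_total]
    return sorted(hits, key=lambda s: (-stats[s]["after_hours"], -stats[s]["total"]))

if __name__ == "__main__":
    stats = smtp_senders(SAMPLE_LOG)
    for ip in suspects(stats):
        print(ip, stats[ip])
```

A workstation that contacts many distinct mail hosts directly is the pattern to look for; a single daytime connection, like the one from 10.0.0.23 in the sample, falls below the threshold.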
