Detecting who changes/saves a file

[KITMark]

I have a loverletter virus going through a network share and I would like to know the computer that is erasing the previous file and saving the new VBS script.

Is there a utility that can do this. The catch is that it is a pathworks server running under OPEN VMS. The clients are Windows PCs.

 

[asdasdasd]

for *nix systems try tripwire and for windows based PCs, go for winfingerprint.

additionally you can run a sniffer on your machines and see which computer is attempting to connect the shares (note that the virus tries to connect to some suspicious shares like NTLDM, NTVDM etc).

you will get the PC which is transferring the virus.

 

[KITMark]

The server is VMS ... not UNIX. The client is PC but there are potentially over 1000 clients that could be the culprit.
Sniffing is a possibility but it usually happens off hours and not very frequently .. ie likely a dial-in from a home PC.

What I have done is enabled auditing on the server and waiting for the next strike. Hopefully it will give me everything I need.

Thanks for your suggestions.