determining the origin of a virus withing the company

[blaine011]

How can I tell from which computer in my company a virus is coming from. It seems to be spoofing the address. The virus is the w32.beagle.

 

[Xemus]

According to Sarc, "Creates a listening thread on port 6777 that allows a remote attacker to connect".
Get a port scanner, and scan your domain for active connections on that port.
I recommend NMAP

http://www.insecure.org

There is a Windows version if you don't like command lines, it's called NMAPWin.

http://www.closedsocket.com

 

[blaine011]

Thanks for the reply xemus, what would be the command line for nmap to listen to that port?

 

[ftechguy]

Something else you can do is check your router logs. Since beagle and most viruses now turn infected PCs into spamming machines, you will find one ip sending out an excessive number of packets. So the infected PC should be easy to find this way.

 

[blaine011]

I have a cisco 1600 series router, do you know the command to check the logs, or where I can find the commands?

 

[ftechguy]

Hmm, I meant firewall logs there, sorry about the mental lapse. On the otherhand, a higher-end device such as a cisco might have a good logging feature. I'm only familar with the linksys, netgear,etc. devices and I don't know cisco devices. Anybody else know if the cisco blaine mentioned can log or detect this kind of activity?