I think I got smacked by an email virus on Sunday; it was talking about 123Greetings in the standard e-card-type format, and now I'm getting repeated 'difftime' error popups. Virus scans show nothing. Anyone seen anything like this before?
no subject
Date: 2004-02-16 01:12 pm (UTC)

Assuming Windows, check out Sysinternals AutoRuns, which lists things added to the various Run registry keys, Startup folders, etc.
Also find a tool which lists Browser Helper Objects (for IE) which may have been installed (or check the registry yourself, but there is a tool somewhere which makes it easier; I think AdAware does these checks too).
Check Task Manager to make sure you know what every process listed is doing. Sysinternals Process Explorer can help here too: check the process and DLL paths and VERSIONINFO resources to make sure everything is 'official Microsoft' or something you know about. Some worms put themselves in subfolders of System32 and try to look like 'official MS' services, but there's usually some giveaway. Switch to handle mode and make sure nothing's accessing 'dubious' files you didn't know you had.
Check Sysinternals TCPView and make sure every listening network socket and active connection is something you know about.
Get Ethereal and list all network packets. If you see a large number of pings or connection attempts to random/sequential IP addresses, or regular/persistent connections to particular hosts not started by any process you're running, that could be a worm infection.
Make sure you have the usual MS ports firewalled off: 137-139 for SMB/NB, 445, and (I think, could be wrong) 500 for RPC and SQL Server. There's no reason to be letting these in or out past the local network.
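The checklist in the reply above (unknown autorun entries, binaries hiding in System32 subfolders, and connection attempts walking a range of addresses on the SMB/RPC ports) can be turned into two small triage checks. The code below is an added example written for this page, not something posted in the thread and not a Sysinternals tool. It assumes an Autoruns-style CSV export with `Entry`, `Signer`, `Company` and `Image Path` columns (the real `autorunsc -c` output has more columns; the exact names are an assumption) and a connection list in the shape TCPView or `netstat -ano` shows. Both inputs are constructed samples embedded inline, including the process name `ecard.exe` and the addresses, which are made up for the illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed Autoruns-style export (assumed column names; not real autorunsc output).
SAMPLE_AUTORUNS_CSV = r"""Entry Location,Entry,Signer,Company,Image Path
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\ctfmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,svchost,,Microsoft Corporation,c:\windows\system32\drivers\svchost.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,Greetings,,,c:\docume~1\user\locals~1\temp\ecard.exe
"""


def flag_autoruns(csv_text):
    """Return {entry: [reasons]} for autorun entries that deserve a second look.

    Heuristics follow the advice above: unsigned images, images that claim to be
    Microsoft's but carry no verified signature, binaries tucked into a subfolder
    of System32, and anything launched from a temp or profile directory.
    """
    flagged = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        path = row["Image Path"].lower().replace("/", "\\")
        verified = row["Signer"].startswith("(Verified)")
        if not verified:
            reasons.append("not signed or signature not verified")
        if "microsoft" in row["Company"].lower() and not verified:
            reasons.append("claims Microsoft but unsigned")
        sys32 = "\\windows\\system32\\"
        if sys32 in path and "\\" in path.split(sys32, 1)[1]:
            reasons.append("binary in a subfolder of System32")
        if "\\temp\\" in path or "\\local settings\\" in path or "\\locals~1\\" in path:
            reasons.append("runs from a temp/profile directory")
        if reasons:
            flagged[row["Entry"]] = reasons
    return flagged


# Constructed connection log in the shape TCPView / netstat -ano show:
# (pid, process, protocol, remote address, remote port, state).
# PID 1284 is a made-up infected process sweeping 10.0.0.0/24 on 445;
# PID 512 is an ordinary browser session.
SAMPLE_CONNECTIONS = (
    [(1284, "ecard.exe", "TCP", f"10.0.0.{i}", 445, "SYN_SENT") for i in range(1, 41)]
    + [(512, "iexplore.exe", "TCP", "192.0.2.10", 80, "ESTABLISHED")]
    + [(1284, "ecard.exe", "TCP", "198.51.100.7", 6667, "ESTABLISHED")]
)

# NetBIOS/SMB and RPC endpoint-mapper ports a worm of that era typically probed.
SMB_RPC_PORTS = {135, 137, 138, 139, 445}


def detect_scanning(conns, min_targets=20, seq_fraction=0.8):
    """Group half-open outbound attempts by PID and report worm-like sweeps.

    A process is reported when it has SYN_SENT attempts to at least
    `min_targets` distinct hosts on SMB/RPC ports; the verdict also says whether
    the targets form a mostly sequential range (typical of a network sweep).
    Returns {pid: (process name, target count, "sequential" | "random")}.
    """
    targets = defaultdict(set)
    names = {}
    for pid, name, proto, rip, rport, state in conns:
        names[pid] = name
        if proto == "TCP" and rport in SMB_RPC_PORTS and state == "SYN_SENT":
            targets[pid].add(int(ipaddress.ip_address(rip)))
    verdicts = {}
    for pid, ips in targets.items():
        if len(ips) < min_targets:
            continue
        ordered = sorted(ips)
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        sequential = sum(1 for s in steps if s == 1) / len(steps) >= seq_fraction
        verdicts[pid] = (names[pid], len(ips), "sequential" if sequential else "random")
    return verdicts


if __name__ == "__main__":
    for entry, reasons in flag_autoruns(SAMPLE_AUTORUNS_CSV).items():
        print(f"autorun {entry!r}: {', '.join(reasons)}")
    for pid, (name, count, pattern) in detect_scanning(SAMPLE_CONNECTIONS).items():
        print(f"pid {pid} ({name}): {count} SMB/RPC targets, {pattern} sweep")
```

On the sample data the signed `ctfmon.exe` entry passes, the unsigned `svchost` copy under `system32\drivers` and the `ecard.exe` launched from a temp folder are flagged, and PID 1284 is reported for a sequential sweep of 40 hosts on port 445 while the browser's single established connection is ignored. Thresholds are deliberately loose; tune `min_targets` to the size of the network you are looking at.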
Re:
Date: 2004-02-16 01:54 pm (UTC)

Thanks!