Can you help me with the tcpdump command?  I heard that you could output 
the info into a file and read it into ethereal, is that true?  This 
would get me around the issues that I am having with ethereal hanging as 
soon as it gets any packets.

Jason
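Added example for the question above, not from anyone on the thread: tcpdump's "-w file" option writes the raw packets in libpcap format, and ethereal (today's Wireshark) opens that format directly, so the usual sequence is "tcpdump -i eth0 -s 0 -w capture.pcap" on the capturing box (interface name and file name are placeholders; "-s 0" keeps whole packets instead of the old 68-byte default snaplen), then "tcpdump -r capture.pcap" on the command line or File > Open in ethereal. The Python below writes and parses that file format by hand, so you can see exactly what a capture file contains and check one that ethereal chokes on without needing root or a live interface. The frame it stores is constructed (made-up MAC and IP addresses), not a real capture.

```python
# Added example, not from the thread: write and read a libpcap-format file,
# the format "tcpdump -w" produces and ethereal opens.  The frame inside is
# constructed by hand (hypothetical addresses), not a real capture.
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-timestamp libpcap magic
LINKTYPE_ETHERNET = 1

def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET, order="<"):
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype (24 bytes)
    return struct.pack(order + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(ts_sec, ts_usec, frame, order="<"):
    # per-packet header: ts_sec, ts_usec, captured length, original length
    return struct.pack(order + "IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame

def ip_checksum(data):
    # RFC 1071 one's-complement sum over 16-bit words
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    # Ethernet II header: dst MAC, src MAC (both made up), EtherType 0x0800 (IPv4)
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # csum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in header checksum
    return eth + ip + udp

def read_pcap(data):
    """Parse a whole libpcap file; returns (linktype, [(sec, usec, orig_len, frame)])."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:      # same magic, written on a big-endian host
        order = ">"
    else:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    linktype = struct.unpack(order + "I", data[20:24])[0]
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack(order + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        if len(frame) != incl:
            raise ValueError("truncated record at offset %d" % off)
        packets.append((sec, usec, orig, frame))
        off += 16 + incl
    return linktype, packets

def summarize(frame):
    """One-line summary in the spirit of tcpdump's own output."""
    if len(frame) < 14:
        return "runt frame"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800 or len(frame) < 34:
        return "non-IPv4 frame (ethertype 0x%04x)" % ethertype
    ihl = (frame[14] & 0x0F) * 4
    proto, src, dst = frame[23], socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    if proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        return "UDP %s.%d > %s.%d len %d" % (src, sport, dst, dport, len(l4) - 8)
    return "proto %d %s > %s" % (proto, src, dst)

def ip_header_ok(frame):
    # a correct IPv4 header checksums to zero when the checksum field is included
    ihl = (frame[14] & 0x0F) * 4
    return ip_checksum(frame[14:14 + ihl]) == 0

if __name__ == "__main__":
    frame = build_udp_frame("10.0.0.5", "10.0.0.9", 1234, 53, b"\x00" * 12)
    data = pcap_global_header() + pcap_record(1000000, 500, frame)
    with open("capture.pcap", "wb") as f:    # readable with "tcpdump -r" or ethereal
        f.write(data)
    with open("capture.pcap", "rb") as f:
        linktype, pkts = read_pcap(f.read())
    for sec, usec, orig, fr in pkts:
        print("%d.%06d %s" % (sec, usec, summarize(fr)))
```

If ethereal hangs on a real capture, running read_pcap() over the file is a quick way to tell whether the file itself is truncated (a capture cut off mid-record raises "truncated record") or was written on a machine of the other byte order, before blaming the viewer.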

Chad Walstrom wrote:
> Jason Sievert wrote:
> 
>>Hey guys, my company is getting blasted with a virus that I can find
> >>nothing about.  None of our latest virus scanners can seem to find
>>it.  It looks to be a single file, nortonav.exe, that is run at
>>startup via the registry in windows.  It is choking our network to the
>>point that nothing can be done at this point.  The hardest hit seem to
>>be windows 2000.  All of the computers do have the latest patches as
>>of today.  It does show up under the task manager as nortonav.exe.  I
>>am still trying to figure out how it gets in and what the traffic
>>looks like.  Has anybody seen anything like this???
> 
> 
> Start with a box you know is infected.  Use a crossover cable or a hub
> so you can capture a tcpdump of the network traffic.  Any machine you
> think is infected, unplug from the network.  Loss of productivity costs
> much less than having to reinstall all of your machines, recovering lost
> data, and tracking down the culprit worm.
> 
> If you're adventuresome, install a "honeypot" box (patched to a level
> that reflects the other boxes being infected) with filemon and regmon
> (set to log output as well).  Make sure you have an md5sum/tripwire image
> of the disk for before and after views.
> 
> Next, block all INCOMING and OUTGOING traffic to the network at your
> router except for those protocols you absolutely need (http, smtp, imap,
> pop, ssh).  Stop the infection at your network, don't let it spread
> further.
> 
> So on and so forth.
> 
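Added example, not from either poster: the "md5sum image of the disk for before and after views" step in Chad's reply, as a small Python script. It hashes every regular file under a directory into an md5sum-compatible manifest (the baseline), takes a second snapshot later, and reports what was added, removed or modified. The directory tree and the simulated change in demo() are constructed; the file name nortonav.exe is only borrowed from the thread to label a placeholder file, and nothing here touches a real system.

```python
# Added example, not from the thread: a before/after file-integrity view of
# the kind Chad suggests with md5sum/tripwire.  The directory tree and the
# "infection" in demo() are constructed; nothing here touches real systems.
import hashlib
import os
import tempfile

def file_digest(path, chunk_size=65536):
    # md5 so the manifest stays compatible with "md5sum -c"; stream to cope with big files
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map of relative path -> digest for every regular file under root."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                     # skip symlinks and special files
            digests[os.path.relpath(full, root)] = file_digest(full)
    return digests

def save_manifest(path, digests):
    # "<hash>  <path>" lines, the format "md5sum -c" reads back
    with open(path, "w") as f:
        for rel in sorted(digests):
            f.write("%s  %s\n" % (digests[rel], rel))

def load_manifest(path):
    digests = {}
    with open(path) as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                digests[rel] = digest
    return digests

def diff_snapshots(before, after):
    """Report files added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }

def demo():
    """Constructed scenario: baseline a toy tree, then simulate the kind of
    change described in the thread (a new executable plus an edited config)."""
    root = tempfile.mkdtemp(prefix="baseline-")
    sys32 = os.path.join(root, "WINNT", "System32")
    os.makedirs(sys32)
    with open(os.path.join(sys32, "kernel32.dll"), "wb") as f:
        f.write(b"constructed placeholder contents")
    with open(os.path.join(root, "WINNT", "win.ini"), "w") as f:
        f.write("[boot]\n")
    manifest = root + ".md5"                  # keep the baseline outside the tree it covers
    save_manifest(manifest, snapshot(root))   # the "before" view
    before = load_manifest(manifest)
    # simulated changes: a new file (name borrowed from the thread) and a modified one
    with open(os.path.join(sys32, "nortonav.exe"), "wb") as f:
        f.write(b"constructed placeholder, not malware")
    with open(os.path.join(root, "WINNT", "win.ini"), "a") as f:
        f.write("run=nortonav.exe\n")
    after = snapshot(root)                    # the "after" view
    return diff_snapshots(before, after)

if __name__ == "__main__":
    print(demo())
```

The manifest deliberately lives outside the tree it describes (and in practice should be copied off the box), since a baseline kept on the disk under examination is part of what a later comparison needs to trust.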

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
Help beta test TCLUG's potential new home: http://plone.mn-linux.org
Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list