Just a follow up.  It's a trojan.  Connecting to an IRC server at 
johnsh1.merseine.nu.  It's a new virus.  No known places have it taken 
apart yet.  McAfee has been working on a new dat for it, I have heard 
that they are on their fourth version of it and still have not found out 
how to clean it up right yet.  I still do not know how it infects the 
other computers on the network.  More to come later.

Jason

Jason Sievert wrote:
> Can you help me with the tcpdump command?  I heard that you could output 
> the info into a file and read it into Ethereal, is that true?  This 
> would get me around the issues that I am having with Ethereal hanging as 
> soon as it gets any packets.
> 
> Jason
> 
> Chad Walstrom wrote:
> 
>> Jason Sievert wrote:
>>
>>> Hey guys, my company is getting blasted with a virus that I can find
>>> nothing about.  None of our latest virus scanners can seem to find
>>> it.  It looks to be a single file, nortonav.exe, that is run at
>>> startup via the registry in Windows.  It is choking our network to the
>>> point that nothing can be done at this point.  The hardest hit seem to
>>> be Windows 2000.  All of the computers do have the latest patches as
>>> of today.  It does show up under the task manager as nortonav.exe.  I
>>> am still trying to figure out how it gets in and what the traffic
>>> looks like.  Has anybody seen anything like this???
>>
>>
>>
>> Start with a box you know is infected.  Use a crossover cable or a hub
>> so you can capture a tcpdump of the network traffic.  Any machine you
>> think is infected, unplug from the network.  Loss of productivity costs
>> much less than having to reinstall all of your machines, recovering lost
>> data, and tracking down the culprit worm.
>>
>> If you're adventuresome, install a "honeypot" box (patched to a level
>> that reflects the other boxes being infected) with filemon and regmon
>> (set to log output as well).  Make sure you have an md5sum/tripwire image
>> of the disk for before and after views.
>>
>> Next, block all INCOMING and OUTGOING traffic to the network at your
>> router except for those protocols you absolutely need (http, smtp, imap,
>> pop, ssh).  Stop the infection at your network, don't let it spread
>> further.
>>
>> So on and so forth.
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
>> Help beta test TCLUG's potential new home: http://plone.mn-linux.org
>> Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
>> tclug-list at mn-linux.org
>> https://mailman.real-time.com/mailman/listinfo/tclug-list
> 
> 

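The two practical steps in this thread, writing a tcpdump capture to a file that Ethereal can open (Jason's question) and keeping an md5sum image of the disk for before and after views of a honeypot box (Chad's suggestion), as an added example that is not code from any of the posters. The interface name eth0, the file names and the directory layout are placeholders chosen for illustration; the IRC host in the capture filter is the one named in Jason's follow-up.

```shell
#!/bin/sh
# Added example (not from the thread): capture suspect traffic to a pcap
# file for later analysis in Ethereal/Wireshark, and take md5sum snapshots
# of a directory tree before and after a sample runs on an isolated box.
# Interface, file and directory names are illustrative placeholders.

# Build the tcpdump command line as a string. -w writes raw packets in
# pcap format (what Ethereal reads), -s 0 keeps whole packets instead of
# the old 68-byte default, -n skips reverse DNS lookups during capture.
# The filter keeps only traffic to or from the suspect IRC host; tcpdump
# resolves that name once at startup, so pass an IP if the box has no DNS.
tcpdump_cmd() {
    iface="$1"; outfile="$2"; irchost="$3"
    printf 'tcpdump -n -i %s -s 0 -w %s host %s\n' "$iface" "$outfile" "$irchost"
}

# Record the md5sum of every regular file under a directory, sorted by
# whole line so two snapshots compare reliably. $1 = directory, $2 = output.
snapshot_tree() {
    find "$1" -type f -exec md5sum {} + | LC_ALL=C sort > "$2"
}

# Compare two snapshots and print one line per added, removed or modified
# file. md5sum lines are "<32 hex chars><two spaces><path>", so the path
# starts at column 35; substr keeps paths containing spaces intact.
diff_snapshots() {
    before="$1"; after="$2"
    awk -v before="$before" '
        { hash = $1; path = substr($0, 35) }
        FILENAME == before { b[path] = hash; next }
        { a[path] = hash }
        END {
            for (p in a) {
                if (!(p in b)) print "added " p
                else if (a[p] != b[p]) print "modified " p
            }
            for (p in b) if (!(p in a)) print "removed " p
        }' "$before" "$after" | LC_ALL=C sort
}

# Guarded usage: set RUN_CAPTURE=1 to actually start tcpdump (needs root
# and a real interface); by default only the functions are defined.
if [ "${RUN_CAPTURE:-0}" = "1" ]; then
    sh -c "$(tcpdump_cmd eth0 suspect.pcap johnsh1.merseine.nu)"
fi
```

The resulting suspect.pcap opens in Ethereal with `ethereal -r suspect.pcap` (or File > Open), so the capture box never has to run the GUI while packets are arriving. Run snapshot_tree on the honeypot's system directories before and after the sample executes and feed both files to diff_snapshots; files reported as added or modified (a dropped copy of nortonav.exe, for instance) are the ones worth pulling for analysis.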