Tracking Down Virus Distributor
dark_15
11-29-04, 06:22 PM
Ok, here's the situation:
Windows 2000 SBE (AD, DNS, DHCP, Exchange, and Application Server)
Approx. 100 client machines
One or Two machines infected with some virus
The virus sends out random emails to everyone in the domain and I instructed them to delete them until I find the culprit. Now my question is: how do I find this virus without manually going to each machine and running a virus scan?
Or is this thing even coming from our own domain and I need to start looking at some way to filter this out?
tenchi86
11-29-04, 06:49 PM
To tell the truth I am a noob on this subject. I would guess though it's probably some virus someone on the network has downloaded by mistake and is automatically sending itself to everyone. I could be wrong, just seems like the virus writer being on your network is probably unlikely. Anyway, as for tracking them, if they are on the network you could try using email headers. Though that never works for me, it just shows server, maybe I do it wrong. Also, sorry, this could be way wrong, but can you monitor your network activity? Like see what packets are being sent where?
I.M.O.G.
11-29-04, 07:29 PM
First find out where the email is coming from - inspect the headers. You can find instructions here: http://www.haltabuse.org/help/headers/
What virus software and version are the clients running (full name - ex. mcafee virusscan enterprise 7.1)?
dark_15
11-29-04, 08:43 PM
I believe it is a very old version of trendmicro officescan NT... it has not been updated in a while - in fact, I think it is pretty much useless...
Also, half the machines run it, and the other half do not. Please don't ask me why this is, I just got started here as new tech guy/basic server admin...
What would you recommend for AV? I think I need to start talking to my boss about some new AV software...
And also, what would make it easier to manage the network and the data being transmitted through it?
I.M.O.G.
11-29-04, 09:05 PM
Alright, this is actually good.
If you are new in the environment and are inheriting crap, then you should definitely talk to your supervisor about updating the virus protection (acquiring new licenses). It is basically no use supporting systems which are not updated, patched, and have up to date virus definitions installed. If I were you I would speak to the boss about the urgency of this - and then you can find the virus while distributing the AV software. I would recommend to your boss that you can undertake a small AV project where you interface with vendors, get quotes, find the best option that fits the company, make a recommendation, let money bags decide which they want, then distribute the software to the clients. The AV companies can often be very helpful in this, and the service they provide should be an important part of your selection. Make your recommendation based upon who you'd most like to work with for support and whose application you are most comfortable supporting.
Do you understand how to inspect the headers or could you use a better explanation? Basically you just need to sit down at a machine which received an email (have a couple people save a copy of it for you to inspect), then follow the instructions in the link I gave you for whatever email client you use in your business.
How is software distributed to PC's there? Does everyone have the same base configuration, or do different groups have different applications they have installed and use? I am basically only familiar with a novell network, and it makes software distribution really easy, but I don't know if you will need to do it by hand at each PC or what.
dark_15
11-29-04, 09:11 PM
AFAIK (and from what I have done recently), I have to distribute software (like Office, and some other program called Centricity) by hand. When I format a machine (gotta love those hard drives that die for no reason at all!) I have been using automated CD's to do all that for me (and save me some time/headaches).
Everyone gets a base configuration with Office, Centricity, basic media players, and file readers like Adobe Reader, etc. Some users do have more specialized software (like a filescanner with a SCSI Scanner) but I can take care of those easily enough.
I know Windows updates are run by Software Update Services (because I got that up and running all by myself just a day ago :D)
What's your favorite choice for AV?
And yes, I do understand the headers thing and I'll see what I can pull up next I am in there.
O and another random thing... getting rid of spyware is EVIL!!!!!!!! I know how to do it (thanks to your article), but this stuff gets worse and worse everyday!!!!
I.M.O.G.
11-29-04, 09:20 PM
In our environment, Mcafee is very nice. At my work though, we have very different needs from what you would have and I don't know if I would use mcafee for a business your size.
Considering how quickly it would be ideal to have this done, I would just talk to symantec, mcafee, and trendmicro, then look at your options from what they tell you. If you explain your environment a bit, they should make recommendations and be able to tell you why they are the best if they want to sell you their product. Let them do some legwork for you, and try to see if anyone has some features which the others don't.
Ya, spyware is F'ing ridiculous and I wish I could work where Faronics software was used. I am very happy where I work, but I think moving to software like that is still a ways down the road though likely in the future.
BTW, excuse some of my questions - I prefer to ask too many questions up front than to not ask enough and have to wait for an answer later. I just ask if I'm not sure about anything or curious. :)
And props on getting SUS running, we use it, but I know little about it (skimmed some documentation once maybe). :D
dark_15
11-29-04, 09:30 PM
Hey, it's alright. It's better to be informed and know what you are facing.
And SUS is really nice - all you do is install it on your IIS server, download all of the patches for your clients, use a quick reg hack or GPO and then the clients automatically download and update the Windows Software. A newer version is coming out called WUS (an ironic name if you ask me) that also includes updates for MSDE, SQL2000, and Office.
www.microsoft.com/wus
I.M.O.G.
11-29-04, 09:45 PM
Wus, that is funny... :)
dark_15
12-01-04, 04:40 PM
Hey IMOG,
I got the headers, but I am a bit confused by it... can I show it to you by PM since it does have a legit email on it???
I.M.O.G.
12-01-04, 05:47 PM
You could do that, or you could change any sensitive names to fictitious ones and post it here. Either works for me. :)
dark_15
12-01-04, 07:22 PM
I'm too lazy... lol
IMOG, YGPM
We use innoculate as our AV currently; it constantly scans in the background every few hours, as well as being connected to a server so all the comps update at the same time.
Email headers contain the IP address of the sender; if it's coming from within the network then it will be easy since it's a static IP and not a dynamic one.
What you would do is find the IP in the header and track it down on the network (assuming you know the IP addresses or have an IP list of all computers on your network).
That's the fastest way I can think.
If you get permission to choose which AV software to run, I'd go with Norton's. I've noticed McAfee doesn't work near as good as Norton's does. So far my comp at work, which has McAfee, has come down with 3 viruses. My one at home with Norton's has only had two, and one was that Blaster worm from a while ago.
There probably isn't much to call between McAfee and Norton in terms of the actual anti-virus engine but McAfee does come with far better management tools than McAfee; having used both I would go with McAfee now.
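The header-tracing procedure described in this thread (read the Received: lines, pull out the connecting IP, match it against a list of the network's static addresses) can be automated. The script below is an added example, not something posted in the thread; every hostname, address and inventory entry in it is constructed for illustration, and it assumes your own mail servers' hostnames end in your AD domain (here `example.local`). It walks the Received: chain from your own servers outward and stops at the first line not written by one of them, because a line written by a host you do not control can say anything the sender wants, so only the hops your own servers recorded are trustworthy. It also checks whether the address is RFC 1918 space, which decides whether you go find a workstation or contact the outside network's abuse desk.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Assumption: our own mail servers (Exchange, any relay) have hostnames under this domain.
OWN_DOMAIN = "example.local"

# Constructed sample: a message from an infected internal workstation, as it
# might look once Exchange has delivered it. Hosts and IPs are invented.
SAMPLE_INTERNAL = """\
Received: from mailhub.example.local (mailhub.example.local [10.0.0.5])
\tby exchange.example.local (Exchange) with SMTP id AAA111;
\tMon, 29 Nov 2004 17:40:12 -0500
Received: from WS-0412 (unknown [10.0.3.77])
\tby mailhub.example.local with SMTP id BBB222; Mon, 29 Nov 2004 17:40:10 -0500
From: alice@example.local
To: everyone@example.local
Subject: hi

open the attachment
"""

# Constructed sample: the same shape, but the real sender is outside the network
# and has prepended a bogus Received: line that claims an internal origin.
SAMPLE_EXTERNAL = """\
Received: from gw.example.local (gw.example.local [10.0.0.2])
\tby exchange.example.local with SMTP id CCC333; Wed, 1 Dec 2004 12:00:00 -0500
Received: from dsl-pool-host (unknown [203.0.113.45])
\tby gw.example.local with SMTP id DDD444; Wed, 1 Dec 2004 11:59:58 -0500
Received: from forged.example.local (forged [10.0.9.9])
\tby dsl-pool-host with SMTP id EEE555; Wed, 1 Dec 2004 11:59:50 -0500
From: bob@example.local
To: everyone@example.local
Subject: re: document

see attached
"""

# Constructed inventory of static addresses, the "IP list" the thread suggests keeping.
INVENTORY = {
    "10.0.0.2": "gw (mail gateway)",
    "10.0.0.5": "mailhub (internal relay)",
    "10.0.3.77": "WS-0412 (reception, 2nd floor)",
}

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # first bracketed IPv4 = connecting client


def parse_hop(value: str) -> dict:
    """Split one Received: header into the name the sender announced (from),
    the address it actually connected from (bracketed IP, recorded by the
    receiving server) and the server that wrote the line (by)."""
    value = " ".join(value.split())  # unfold continuation lines
    m_from, m_by, m_ip = FROM_RE.match(value), BY_RE.search(value), IP_RE.search(value)
    return {
        "from_host": m_from.group(1) if m_from else None,
        "from_ip": m_ip.group(1) if m_ip else None,
        "by_host": m_by.group(1).rstrip(";") if m_by else None,
    }


def hops(raw: str) -> list:
    """All Received: hops, newest first (the order they appear in the message)."""
    msg = message_from_string(raw)
    return [parse_hop(v) for v in msg.get_all("Received", [])]


def is_rfc1918(ip: str) -> bool:
    return any(ip_address(ip) in net for net in RFC1918)


def trace_sender(raw: str, own_domain: str = OWN_DOMAIN, inventory: dict = INVENTORY) -> dict:
    """Follow the chain outward from our own servers and report the last
    address one of *our* servers saw connecting; anything beyond that point
    was written by a host we do not control and cannot be trusted."""
    origin = None
    for hop in hops(raw):
        if not (hop["by_host"] or "").lower().endswith(own_domain):
            break  # line not written by us: stop trusting the chain here
        if hop["from_ip"]:
            origin = hop["from_ip"]
    internal = is_rfc1918(origin) if origin else None
    return {
        "originating_ip": origin,
        "internal": internal,
        "known_host": inventory.get(origin),
        "next_step": ("scan the listed workstation" if internal
                      else "filter at the gateway and report to the owner's abuse contact"),
    }


if __name__ == "__main__":
    for label, raw in (("internal", SAMPLE_INTERNAL), ("external", SAMPLE_EXTERNAL)):
        print(label, trace_sender(raw))
```

For the first sample this reports `10.0.3.77`, flags it as internal and names the workstation from the inventory; for the second it stops at the gateway's own record of `203.0.113.45`, ignores the forged internal line beneath it, and reports an external origin. Paste a saved message (headers included) in place of the samples to run it on real mail; if your relays use hostnames outside the AD domain, extend the `own_domain` check to cover them.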
Neo Demi
12-03-04, 10:06 AM
I dunno if this info will be much help, but all the computers in the engineering and computing department at the uni I go to use Sophos antivirus, and it checks for updates whenever the machine is logged on. As far as I know there is a dedicated AV server that handles the updates for Sophos, as well as one that uses SUS to keep Windows up to date. Could be a possibility if you could get the licenses and a spare box to play with. (I'm not a sysadmin or anything like that, just a student that's had a few talks with the techs about their students :)
Anyways my two cents were innoculate but Norton has proved to be good too. I have heard of Sophos but never tried it. This is what you should be looking for when trying to find a good AV:
- ability to host an AV automatic update server or have web auto updates.
- ability to constantly scan in the background without taking too much memory
- ability to contact a system admin via email once a virus is detected
- the cost of licences for your company
Contacting a system admin via email is important since a lot of people won't tell you they got a virus because they get nervous and think they did something bad; this usually ends up with them f***ing up even more.
dark_15
12-03-04, 12:35 PM
thanks for the input everyone... I will keep all of this in mind when I go and do some homework.
dark_15
12-03-04, 04:54 PM
UPDATE: I ran a whois on the IP address... and this is what I found:
http://ws.arin.net/cgi-bin/whois.pl?queryinput=!%20NET-66-169-80-0-1
Should I email their abuse email line and tell them I am receiving virus laced emails from this IP address?
Yes, maybe you should; if they have a virus on their networks and they don't know it then it will spread, and can spread fast.
Be polite about it, a gentle approach will give the best results.
If it's not them then the best thing to do is get the virus off the network and secure your network.
Once that's done you can hope you don't get another one. If you constantly get emails from the IP stated above and it keeps attacking your network, that is abuse; get that IP shut down ASAP.
Anyways :) have fun, if you need me PM me @_@!