> I have a machine that I infected with msblast.exe and I was trying to
> find a way to remotely detect to see if the machine is infected. I
> checked the registry,
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and I
> do see the msblast.exe there and I also see that in the system32
> directory. I also see it trying to prop out to other machines.
> Thankfully this is a test lab with just this machine and a Nessus
> scanner. So, I am running that plugins against the machine and it is not
> detecting if it has the virus or not. It does see that the RPC issues,
> ID 11808 but isn't detecting for 11818. This is on a Windows XP machine,
> no SP, straight out of the box. I am scanning with Plug-in Dependencies

Might need in plugins prefs, in logins, in SMB: an administrator-level username/password combo.
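The registry check from the quoted message, written as a script. This is an added example, not part of the original thread and not Nessus plugin code. It assumes the text was collected with `reg query` against the Run key by an account with administrative rights on the target; the sample output and its value names are constructed.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
INDICATOR = "msblast.exe"  # file name reported in the quoted message

# Constructed sample of `reg query` output; value names and paths are made up.
SAMPLE_OUTPUT = """\

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    ExampleTray    REG_SZ    C:\\Program Files\\Example\\tray.exe /min
    Example Auto Start    REG_SZ    MSBlast.exe

"""

# One value line: indented name (may contain spaces), a REG_* type, then the data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")


def parse_run_values(reg_output):
    """Return {value_name: data} for value lines listed under the Run key only."""
    values, in_run_key = {}, False
    for line in reg_output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line is a key header
            in_run_key = line.strip().lower() == RUN_KEY.lower()
            continue
        match = VALUE_LINE.match(line)
        if in_run_key and match:
            values[match.group("name")] = match.group("data").strip()
    return values


def find_indicator(reg_output, indicator=INDICATOR):
    """Return Run value names whose command references the indicator file name.

    The name must stand alone as a file name (bare, quoted, or at the end of a
    path), so a different file such as 'notmsblast.exe' is not reported.
    """
    pattern = re.compile(
        r'(^|[\\/"\s])' + re.escape(indicator) + r'($|["\s])', re.IGNORECASE
    )
    values = parse_run_values(reg_output)
    return [name for name, data in values.items() if pattern.search(data)]


if __name__ == "__main__":
    for name in find_indicator(SAMPLE_OUTPUT):
        print(f"Run value {name!r} launches {INDICATOR}")
```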
