Look in your AD event logs for a computer that's trying to constantly log in to the admin account and a few others. It's trying brute force to elevate security. You'll see them as errors in your security log. That list of computers are the ones infected and propagating.
Good luck.

Jason

From: Kelsey, John
Sent: Friday, November 20, 2009 7:34 AM
To: NT System Admin Issues
Subject: Conficker Help!

Looks like we're getting hit by the Conficker this morning. Sophos is reporting several hundred 'conficker detected/cleaned' messages, so at least it's catching it...BUT....how do I determine the source of the infection? Something I can look for with wireshark or something? Apparently there are some unprotected machines on the network. Any suggestions are welcome!

*******************************
John C. Kelsey
DuBois Regional Medical Center
814.375.3073
814.375.4005
*******************************
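
The check Jason describes, as an added PowerShell example that is not part of the original thread: it groups failed-logon events by source computer and flags any source that fails many times against several different accounts. It assumes Windows Server 2008 or later (event ID 4625, which the thread does not name); the function names, thresholds and sample records are constructed for illustration.

```powershell
# Added example. Thresholds are assumptions; tune them for your domain.
function ConvertFrom-FailedLogonEvent {
    # Flattens a Get-WinEvent record into the three fields the triage needs.
    param([Parameter(ValueFromPipeline = $true)] $InputObject)
    process {
        $data = @{}
        foreach ($d in ([xml]$InputObject.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TargetUser  = $data['TargetUserName']
            Workstation = $data['WorkstationName']
            IpAddress   = $data['IpAddress']
        }
    }
}

function Get-SuspectLogonSource {
    # One row per source that fails often AND against several accounts.
    param([object[]] $Record, [int] $MinFailures = 20, [int] $MinAccounts = 3)
    $Record | Group-Object -Property Workstation, IpAddress | ForEach-Object {
        $accounts = @($_.Group | ForEach-Object { $_.TargetUser } | Sort-Object -Unique)
        [pscustomobject]@{
            Workstation  = $_.Group[0].Workstation
            IpAddress    = $_.Group[0].IpAddress
            Failures     = $_.Count
            AccountCount = $accounts.Count
            Accounts     = $accounts -join ','
        }
    } | Where-Object { $_.Failures -ge $MinFailures -and $_.AccountCount -ge $MinAccounts } |
        Sort-Object -Property Failures -Descending
}

# Constructed sample records (not from the thread): one noisy host, one user typo.
$sample = @(foreach ($u in 'Administrator', 'admin', 'backup', 'sql') {
    1..10 | ForEach-Object {
        [pscustomobject]@{ TargetUser = $u; Workstation = 'WS-EXAMPLE-01'; IpAddress = '192.0.2.15' }
    }
})
$sample += [pscustomobject]@{ TargetUser = 'jdoe'; Workstation = 'WS-EXAMPLE-02'; IpAddress = '192.0.2.40' }
Get-SuspectLogonSource -Record $sample | Format-Table -AutoSize

# Live use, run elevated on the server whose Security log you are checking:
# $r = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 5000 |
#          ConvertFrom-FailedLogonEvent
# Get-SuspectLogonSource -Record $r
```

Requiring several distinct target accounts keeps a single user mistyping a password from being listed next to a host that is cycling through account names.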
