[plug] Nasty windows viruses (somewhat on topic, really!)

Cameron Patrick cameron at patrick.wattle.id.au
Tue Jul 13 12:27:56 WST 2004


Hi,

I recently noticed high CPU usage and network traffic to my desktop at
home without any good reason.  Tcpdump showed lots of Samba traffic to
my brother's machine, and said brother couldn't think of a good reason
why.  I suspect a Windows virus or trojan or some such, but am at a
loss with regards to what to do about it.  I've shut down Samba on my
machine and the server (because they allow passwordless write access
to a lot of stuff that they really really shouldn't -- I will fix this
before turning Samba back on) and have removed network access from my
brother's machine for now.

<Linux content>
So what I really want to know is, how can I find out what files it was
poking around in and for how long it's been going on (presumably by
looking at Samba logs, but I can't find anything equivalent to ftpd's
xferlog or apache's access.log)?
</Linux content>

<maybe Linux content>
How can I find out what the infected machine was running?  Should I
use a Linux-based virus scanner to inspect it off a Linux boot disc?
Alternatively, what are good Windows virus scanners?  Is there a
better way of cleaning up any infections than backing up anything
important, wiping the whole disc (and installing Linux on there :-P)?
</maybe Linux content>

<non-Linux content>
What do Windows viruses/trojans do to machines over SMB? Is this
machine also likely to have been sending out spam?
</non-Linux content>

Utterly unrelated question while I'm here: is there a flag to rm to
tell it to remove files from directories chmod'ed read-only?
Something like 'rm -rf --try-harder'...

Cheers,

Cameron.
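An added example, not part of Cameron's post or the PLUG archive: Samba's vfs_full_audit module can write per-operation lines to syslog, and a small parser over such lines answers the two questions above (which files a given client touched, and over what time span). The smb.conf fragment, the syslog line shape (user|client|op|ok/fail|args) and the sample client addresses are assumptions, and the log lines are constructed.

```python
import re

# Assumed smb.conf fragment enabling the audit module on a share:
#   [shared]
#     vfs objects = full_audit
#     full_audit:prefix = %u|%I
#     full_audit:success = connect open pread pwrite unlink rename
#     full_audit:failure = connect open unlink
# Constructed syslog lines in the shape that prefix produces.
SAMPLE_LOG = """\
Jul 13 11:02:11 desktop smbd_audit: nobody|192.168.0.7|connect|ok|shared
Jul 13 11:02:12 desktop smbd_audit: nobody|192.168.0.7|open|ok|r|docs/notes.txt
Jul 13 11:02:12 desktop smbd_audit: nobody|192.168.0.7|pread|ok|docs/notes.txt
Jul 13 11:02:13 desktop smbd_audit: nobody|192.168.0.7|open|ok|w|docs/notes.txt
Jul 13 11:02:13 desktop smbd_audit: nobody|192.168.0.7|pwrite|ok|docs/notes.txt
Jul 13 11:02:14 desktop smbd_audit: nobody|192.168.0.7|unlink|fail|docs/old.txt
Jul 13 11:05:40 desktop smbd_audit: cameron|192.168.0.2|open|ok|r|music/song.ogg
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ smbd_audit: (?P<rest>.+)$")
WRITE_OPS = {"pwrite", "write", "unlink", "rename", "rmdir", "mkdir"}
SESSION_OPS = {"connect", "disconnect"}

def parse_audit(text):
    """Yield (timestamp, user, client, op, result, args) for each audit line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = m.group("rest").split("|")
        if len(fields) < 4:
            continue
        user, client, op, result = fields[:4]
        yield m.group("ts"), user, client, op, result, fields[4:]

def session_span(text, client):
    """First and last timestamp seen for one client (how long it was at it)."""
    stamps = [ts for ts, _, host, *_ in parse_audit(text) if host == client]
    return (stamps[0], stamps[-1]) if stamps else None

def files_touched(text, client):
    """Per path: first/last time, ops used, and whether the client wrote to it."""
    summary = {}
    for ts, _, host, op, result, args in parse_audit(text):
        if host != client or result != "ok" or op in SESSION_OPS or not args:
            continue
        path = args[-1]  # path is always the trailing field in this shape
        rec = summary.setdefault(path, {"first": ts, "last": ts, "ops": set(), "written": False})
        rec["last"] = ts
        rec["ops"].add(op)
        if op in WRITE_OPS or (op == "open" and args[0] == "w"):
            rec["written"] = True
    return summary
```

Failed operations are skipped in `files_touched` but still count toward `session_span`, so a client that only probed and got denied still shows up in the time window.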