Minus Human
Posted September 10, 2004

Hope somebody can help here. We have a rather big network, I'm talking about 5000 PCs easy. The problem is we are being hit by the Korg virus like crazy. ARP broadcasts are at 90%. We are following the manual path of capturing the info and fixing the PCs shown to be most prominent. Although this is not as effective as you can well imagine.

Do you guys have any better suggestions how this can be solved more efficiently??

Help would be really great.

Thanks
Minus Human

CoffeeFiend
Posted September 11, 2004

If you can, remotely enumerate the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run entries (by means of scripting or maybe some admin program such as Hyena or such) and look for an entry called WinUpdate (starts C:\WINDOWS\System32\[random name].exe). That should identify them, but the key is not just removal but patching as well. Hopefully you can add the security patches in your login scripts, or start the processes remotely (scripted, WUS, ...).

Patching is a big issue in corporate networks like that; you have to have something in place to prevent things from happening (again), but you must already know that.

Another thing that would be really helpful is making sure all your client PCs have updated definition files (update check at login script or whatever you want). If you have a half decent AV and the definitions are up to date, things like that shouldn't happen.
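
The registry check suggested in the reply above, as an added PowerShell example that is not part of the original posts: it opens each host's Run key through the Remote Registry service and reports a `WinUpdate` value whose data starts an executable under System32. The `hosts.txt` input file, the output CSV name and the function names are assumptions made for illustration.

```powershell
# Added example, not from the thread.
# Assumptions: .\hosts.txt (hypothetical) lists one computer name per line,
# the Remote Registry service is reachable, and the caller is an admin on each host.
$RunKeyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName  = 'WinUpdate'   # entry name given in the reply

function Test-SuspectRunEntry {
    param([string]$Name, [string]$Data)
    # Indicator from the reply: a value named WinUpdate whose data starts
    # <drive>:\WINDOWS\System32\<some name>.exe (comparison is case-insensitive).
    ($Name -eq $ValueName) -and
        ($Data -match '^"?[A-Za-z]:\\WINDOWS\\System32\\[^\\]+\.exe')
}

function Get-SuspectRunEntry {
    param([string]$ComputerName)
    $base = $null
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $run = $base.OpenSubKey($RunKeyPath)
        if ($null -eq $run) { return }
        foreach ($name in $run.GetValueNames()) {
            $data = [string]$run.GetValue($name)
            if (Test-SuspectRunEntry -Name $name -Data $data) {
                [pscustomobject]@{
                    Computer = $ComputerName; Value = $name
                    Data = $data; Status = 'Suspect'
                }
            }
        }
        $run.Close()
    }
    catch {
        # Record unreachable hosts so they are not mistaken for clean ones.
        [pscustomobject]@{
            Computer = $ComputerName; Value = $null; Data = $null
            Status = "Unreachable: $($_.Exception.Message)"
        }
    }
    finally { if ($base) { $base.Close() } }
}

Get-Content .\hosts.txt |
    ForEach-Object { Get-SuspectRunEntry -ComputerName $_ } |
    Export-Csv .\run-key-sweep.csv -NoTypeInformation
```

Hosts listed as `Suspect` are the ones to clean and patch first; hosts listed as `Unreachable` still need to be checked another way.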