Need to detect email usage.. ideas?

[MagnumXL]

I have an odd problem. One of the computers I'm responsible for got a virus alert for a worm in a .eml file. The odd thing is no email access is readily available on that computer. The computer can be used by alot of people non of whom need to access email or even the interneet from it. The computer does however need to access a server on the LAN. I removed outlook express when the computer was installed and no other email has been installed as far as i can tell. I would like to use autoit to monitor or even supress email activity on that computer.

Any ideas? How would you approach the problem?

[Zedna]

I think the best way is to use some Firewall (may be software personal firewall) and block some services.

Edited June 5, 2007 by Zedna

[lod3n]

Use group policy (if you have AD) or a local security policy to prevent the execution of everything except the allowed programs for non-administrators.

But that's probably not your problem. The Nimda worm creates copies of the README.EML file all over an infected computer.

Read this whole thing: http://www.f-secure.com/v-descs/nimda.shtml

Your real problem is lack of regular Windows Updates, at least on that computer, and possibly your whole network. That computer accesses the Internet and your LAN. So while it's possible that one of your users mistakenly downloaded the .eml file from a compromised server somewhere on the internet, it's also possible that this computer was infected by another computer on your LAN.

You need to run a virus scan with an updated definition on every computer in your LAN, to be safe, and then run Windows Update on each. Good luck, and I'm glad I'm not you.