Behavior of a Worm in the LAN

One behavior of a worm on a network is broadcasting to all devices on that network.

As you know, VLANs create separate broadcast domains, so only a few PCs (the PCs in the same VLAN) will be infected by the worm. But some networks use a flat topology, so all devices in the network (and there could be very many) are infected by the worm. The worm does not just infect PCs; it also causes problems in switch operation.

When broadcast traffic arrives at a switch port, it is processed by the CPU. If a great many packets are sent to the switch port in a short time, the CPU must process all of them, which drives CPU usage up to 99%. As a result the switch is unable to switch normal traffic (packet switching) and the network goes down. With “solarwinds/cpu usage” you can monitor this behavior of the broadcast traffic and be notified about it.

Then you need to use a traffic sniffer such as “Wireshark” to find the PC that has the worm (the PC that is sending the worm to the network) and remove it from the network by shutting down its switch port. (If you need more info about how to find the infected PC, please leave a message here.)
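One way to pick the flooding PC out of a capture, as an added example that is not part of the original post: it counts broadcast frames per source MAC and reports the sources above a rate limit. It assumes the capture was saved from Wireshark in the classic pcap format (not pcapng) on an Ethernet link; the MAC addresses, the sample capture and the 100 frames/second limit are constructed for illustration.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6

def broadcast_rates(pcap: bytes) -> dict:
    """Map each source MAC to its broadcast frames per second in a classic pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts, stamps, off = Counter(), [], 24
    while off + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack(order + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 14:
            continue  # truncated record: no complete Ethernet header
        stamps.append(sec + usec / 1e6)
        if frame[:6] == BROADCAST:
            counts[frame[6:12].hex(":")] += 1
    # Treat very short captures as one second so the rate is not inflated.
    duration = max(max(stamps) - min(stamps), 1.0) if stamps else 1.0
    return {mac: n / duration for mac, n in counts.items()}

def suspects(pcap: bytes, limit_pps: float) -> list:
    """Source MACs whose broadcast rate exceeds limit_pps, noisiest first."""
    rates = broadcast_rates(pcap)
    return sorted((m for m, r in rates.items() if r > limit_pps),
                  key=rates.get, reverse=True)

def sample_capture() -> bytes:
    """Constructed capture: one host floods broadcasts, one behaves normally."""
    def rec(ts_us, dst, src):
        frame = dst + src + b"\x08\x00" + bytes(46)
        return struct.pack("<IIII", ts_us // 10**6, ts_us % 10**6,
                           len(frame), len(frame)) + frame
    noisy, quiet = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    out += b"".join(rec(i * 1000, BROADCAST, noisy) for i in range(2000))
    out += rec(500_000, BROADCAST, quiet)   # a single ordinary broadcast
    out += rec(2_000_000, noisy, quiet)     # unicast, not counted
    return out

if __name__ == "__main__":
    # limit_pps is an assumed threshold; tune it to the network's baseline.
    print(suspects(sample_capture(), limit_pps=100))
```

The reported MAC address can then be looked up in the switch's MAC address table to find the port to shut down.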
