Blasting Blaster.Worm (aka LovSan Virus)

All,

We're a small ISP providing T-1 access to residents of apartment communities. Several of our communities have been hit hard by this recent worm. Trying to identify who's infected is difficult. We've tried logging UDP, TCP and IP in general, but there's nothing telling getting logged. Reports indicate that the Virus will try a DDOS on Microsoft's Windows Update site on 8/16/03, but we saw 1500 small packets per second leaving a site and couldn't log them via the Cisco router using the above method. I assumed they were destined for MS. After the flood stopped (some unknown reason), we traced the flood to a customer using usage stats on our switches throughout the property.

Turns out that the customer was infected with Blaster.Worm (lovsan). So, it sure seems that it's doing more than initially indicated.

Does anyone know exactly what protocol is being used by this "msblaster.exe" or this other shell program created? Any easy way to sniff and log via our Cisco router?

Any advice would help. We've currently got another property with 1352 packets/second leaving a T-1 serial interface that only at 128/255, or half-used. We never see that kind of pps.

Thanks in advance.

Alavan