If you have a firewall, you could check the logs for connection requests from a LAN IP to a LAN IP. Many worms try to send a copy of themselves to the whole subnet of the infected victim. For example, if 192.168.13.23 255.255.255.0 is infected, the worm tries to connect to all computers from 192.168.0-255.1-254. But if not all addresses of these nets are used, the packet with the worm will be sent to the default gw (which would be the firewall), because the IP address is not known, and this produces many logs like this: 192.168.13.23:1025 to 192.168.13.2:445. The nets may differ, but you will find similar logs. The only thing you have to do is find the first entry, and you have the IP where the worm started to propagate.
greez jan
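The log check described in the post above, as an added example that is not part of the original post: it scans firewall log lines for internal hosts that contact many distinct internal addresses on one port and returns the one whose first entry is earliest. The timestamp prefix on each line, the `min_targets` threshold, the function name and the sample log are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed (constructed) line format: "<ISO timestamp> <src>:<sport> to <dst>:<dport>"
LINE_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+to\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s*$"
)

def find_first_scanner(lines, min_targets=5):
    """Return (src_ip, first_seen, dport, n_targets) for the earliest internal host
    that tried min_targets or more distinct internal addresses on one port, else None."""
    first_seen = {}
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not connection entries
        ts_raw, src, _sport, dst, dport = m.groups()
        try:
            ts = datetime.fromisoformat(ts_raw)
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # malformed timestamp or address
        if not (src_ip.is_private and dst_ip.is_private):
            continue  # only LAN-to-LAN attempts are of interest here
        key = (src, int(dport))
        targets[key].add(dst)
        if key not in first_seen or ts < first_seen[key]:
            first_seen[key] = ts
    # A host talking to one or two peers is normal; wide fan-out on one port is not.
    suspects = [(first_seen[k], k) for k, v in targets.items() if len(v) >= min_targets]
    if not suspects:
        return None
    ts, (src, dport) = min(suspects)
    return src, ts, dport, len(targets[(src, dport)])

# Constructed sample: one normal web request, one junk line, then two hosts
# sweeping the subnet on port 445, the second starting five minutes later.
SAMPLE_LOG = (
    ["2024-01-01T09:59:00 192.168.13.10:3021 to 192.168.13.5:80", "garbage line"]
    + [f"2024-01-01T10:00:{i:02d} 192.168.13.23:{1024 + i} to 192.168.13.{i}:445"
       for i in range(1, 9)]
    + [f"2024-01-01T10:05:{i:02d} 192.168.13.40:{2000 + i} to 192.168.13.{i}:445"
       for i in range(1, 9)]
)

if __name__ == "__main__":
    print(find_first_scanner(SAMPLE_LOG))
```

Logs that arrive out of order are handled because the earliest timestamp per source is tracked rather than the first line seen.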
