I have a machine that I infected with msblast.exe, and I was trying to find a way to remotely detect if the machine is infected. I checked the registry, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and I do see msblast.exe there, and I also see it in the system32 directory. I also see it trying to prop out to other machines. Thankfully this is a test lab with just this machine and a Nessus scanner. So, I am running the plugins against the machine and it is not detecting if it has the virus or not. It does see the RPC issues, ID 11808, but isn't detecting for 11818. This is on a Windows XP machine, no SP, straight out of the box. I am scanning with Plug-in Dependencies, BTW.
Any ideas?
