When a Trojan or worm has compromised a network, the most common sign is a new previously unknown symptom or email appearing at two or more connected PCs at the same time. With an email worm, the same strange email message, with an attached file or web link, starts appearing all over the corporate network at once. A message with exactly the same subject line starts appearing in everyone’s inbox from several different users, including users who don’t normally send a lot of email. The email server and network could start to slow down under the strain of sending thousands of emails all at once. A firewall might report a sudden onset of either incoming or outgoing traffic on a rarely used TCP/IP port (this is how the RingZero Trojan was first noticed).

On a single PC, a common sign is a sudden decrease in processing speed soon after downloading a new file, reading an unexpected email, or visiting a new web site. The machine appears sluggish (CPU processing is near 100 percent), with slow mouse cursor updates. The computer seems speedy during the startup process, but quickly becomes sluggish again after all services are started. Other symptoms include strange error messages that don’t indicate which program caused them, new programs in memory, new files with current modification dates, an inverted screen, a CD-ROM tray opens and closes by its self, or programs starting and ending by themselves. All of these are signs and symptoms anyone would notice if a worm or ...