On Sun, 18 May 2008 05:07:31 -0700 (PDT), aljuhani wrote:

> We can only suggest available tools.


Hi everyone,

I agree that scanning probably won't work because the software runs on a
Windows system.

Looking at the disk from another system might work but that would take
daily removal of the hard drive and I'd have to know what to look for
anyway.

I was asking here because I am assuming that the network activity back to
the mother ship would be the weak point in detecting this software.

I'm still convinced there will likely be signature network activity
pinpointing the use of this software - which - by the way - all of you
should also check for. But, what do we check specifically for? And how?

Googling for "Spector network activity" I found this article
http://www.interhack.net/pubs/spector/ which said there is a certain
connection to the domain U2A1376GF-43TY-245B.COM with this software.

May I ask how you would recommend a novice look for connections (perhaps in
the past) to this domain and how to block them moving forward?
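
One way to approach the question in the post above, as an added example that is not part of the original message: the Python sketch below searches saved `ipconfig /displaydns` output for the domain named in the post and produces the hosts-file lines that would block it. The sample cache text, the function names and the choice of 127.0.0.1 as the sink address are assumptions made for illustration.

```python
import re

# Indicator taken from the post above (the domain named in the Interhack article).
INDICATOR = "U2A1376GF-43TY-245B.COM"

# Constructed sample of `ipconfig /displaydns` output; the addresses are
# documentation addresses, not real observations.
SAMPLE_DNS_CACHE = """\
Windows IP Configuration

    www.example.org
    ----------------------------------------
    Record Name . . . . . : www.example.org
    A (Host) Record . . . : 192.0.2.10

    u2a1376gf-43ty-245b.com
    ----------------------------------------
    Record Name . . . . . : u2a1376gf-43ty-245b.com
    A (Host) Record . . . : 192.0.2.55
"""

RECORD_NAME = re.compile(r"^\s*Record Name[ .]*:\s*(\S+)\s*$", re.M)

def is_indicator(name, indicator=INDICATOR):
    """True for the domain itself or any subdomain, ignoring case and a trailing dot."""
    name = name.strip().rstrip(".").lower()
    indicator = indicator.rstrip(".").lower()
    return name == indicator or name.endswith("." + indicator)

def cached_hits(dns_cache_text):
    """Record names in the resolver cache that match the indicator, deduplicated."""
    names = RECORD_NAME.findall(dns_cache_text)
    return sorted({n.lower() for n in names if is_indicator(n)})

def hosts_additions(hosts_text, names):
    """Hosts-file lines that point the names at loopback, skipping names already listed."""
    present = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split address and names
        present.update(f.lower() for f in fields[1:])
    return ["127.0.0.1 " + n for n in names if n.lower() not in present]

if __name__ == "__main__":
    hits = cached_hits(SAMPLE_DNS_CACHE)
    print("cache hits:", hits)
    print("\n".join(hosts_additions("127.0.0.1 localhost\n", hits or [INDICATOR.lower()])))
```

The resolver cache only holds recent lookups, so evidence of older connections has to come from firewall, proxy or DNS server logs if any were kept. A hosts-file entry matches exact names only and does not cover subdomains.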