Everything I read about the Storm Worm and similar just scares the piss out of me. Is there any way for a normal sysadmin type to detect a Storm-botted machine? We are familiar with the likes of Rootkit Revealer, and when we have had suspicions about a particular box, we run that, Kaspersky, Symantec, and Bitdefender. We haven't found anything definitive, but we have found:
— one machine that prevents Kaspersky from being installed on it. The install hangs on an access violation of a directory newly created by the Kaspersky installer during the install. Symantec, Rootkit Revealer, and Bitdefender find nothing on this machine.
— one machine that has entries deep in the user's temp directories which can't be deleted. These were found by Rootkit Revealer, but we haven't been able to remove them.
We've got the machines segregated for now, and are wondering what we can do to get a handle on this. Help me, my geek brethren.
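The "entries that can't be deleted" above were surfaced by Rootkit Revealer, which works by cross-view comparison: it lists the file system and registry through the normal Windows API and again from the raw on-disk structures, then reports anything that appears in only one view. The script below is an added example (not from the original post or from Sysinternals) of the same comparison step, so a sysadmin can repeat it against any directory using one listing from `os.scandir` and a second listing saved by whatever raw-enumeration tool they trust. The second listing's file format (one name per line) and the sample temp-directory contents are constructed assumptions.

```python
"""Cross-view directory comparison (the idea behind Rootkit Revealer).

view_a: names seen through the normal OS API (os.scandir).
view_b: names exported by an independent, lower-level enumeration
        (assumed format: one entry name per line in a text file).

Anything present in the low-level view but absent from the API view is a
candidate for a rootkit-hidden file; the reverse case usually means the two
listings were taken at different times and the directory changed in between.
"""
import os
import sys


def compare_views(api_view, raw_view):
    """Return (hidden_from_api, only_in_api), both sorted lists.

    Comparison is case-insensitive because NTFS names are."""
    api = {name.lower() for name in api_view}
    raw = {name.lower() for name in raw_view}
    return sorted(raw - api), sorted(api - raw)


def api_listing(path):
    """Names in `path` as reported by the ordinary directory API."""
    return [entry.name for entry in os.scandir(path)]


def load_raw_listing(text):
    """Parse the assumed one-name-per-line export; blank lines are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def report(hidden, only_in_api):
    """Human-readable summary; returns the number of suspicious entries."""
    for name in hidden:
        print(f"HIDDEN FROM API (investigate): {name}")
    for name in only_in_api:
        print(f"only in API view (probably timing): {name}")
    return len(hidden)


# Constructed sample views standing in for a user's temp directory.
SAMPLE_API_VIEW = ["~DF3A1B.tmp", "setup.log", "Low"]
SAMPLE_RAW_EXPORT = """
~DF3A1B.tmp
setup.log
Low
wincom32.sys
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Live use: python crossview.py <directory> <raw_listing.txt>
        with open(sys.argv[2], encoding="utf-8") as fh:
            raw = load_raw_listing(fh.read())
        hidden, extra = compare_views(api_listing(sys.argv[1]), raw)
    else:
        hidden, extra = compare_views(SAMPLE_API_VIEW,
                                      load_raw_listing(SAMPLE_RAW_EXPORT))
    sys.exit(1 if report(hidden, extra) else 0)
```

Take both listings from the suspect machine's own disk while it is offline from the network, and treat a non-empty "hidden from API" result as a reason to image the box rather than to start deleting: an entry that the API cannot see is exactly the kind that ordinary tools cannot remove either, which matches the undeletable temp entries described above.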