We have a fileserver that is having .xls files and .pdf files being converted to .exe files. Obviously it's some kind of virus infection. I am trying to use Wireshark to find the host that is writing the .exe files. Unfortunately the capture is large for just a short time. To make matters worse, another group is scanning the drive for viruses. I have filtered out the scanners, but I am trying to create a filter that might show a file being saved, renamed or created. I see a lot of different requests.
NT Create AndX Request seems to be a file access but no writes.
Anyone got any thoughts on how I can filter this?
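One way to approach the question above, as an added example that is not part of the original post: narrow the capture to SMB1 requests (not responses) whose command is a create, write or rename and whose filename ends in .exe, then count those requests per source host. In Wireshark that is a display filter along the lines of `smb.flags.response == 0 && smb.file contains ".exe" && (smb.cmd == 0xa2 || smb.cmd == 0x2f || smb.cmd == 0x07 || smb.cmd == 0xa5)`; the script below does the same tally offline over a `tshark -T fields` export so the large capture never has to be opened in the GUI. The field names (`smb.cmd`, `smb.file`, `smb.flags.response`) and the SMB1 command codes are given as I recall them and should be checked against your Wireshark version's field reference; the export lines embedded in the script are constructed sample data, and the `ignore_hosts` parameter is a hypothetical knob for dropping the scanner hosts the poster already identified.

```python
"""Tally SMB1 requests that create, write to or rename .exe files, per source host.

Input is the tab-separated output of (field names assumed, verify locally):
    tshark -r capture.pcapng -Y smb -T fields -E separator=/t \
        -e frame.time_epoch -e ip.src -e smb.cmd -e smb.file -e smb.flags.response
tshark joins repeated occurrences of a field with commas, so a Rename request
may export smb.file as "\\old,\\new"; both names are checked below.
"""
from collections import defaultdict

# SMB1 command codes as they appear in smb.cmd (assumption: values from the
# SMB1 command table, confirm against Wireshark's decode of your capture).
SMB1_CMD_NAMES = {
    0x07: "Rename",
    0x2F: "Write AndX",
    0xA2: "NT Create AndX",
    0xA5: "NT Rename",
}

# Constructed sample export: host 10.0.0.25 writes and renames files to .exe,
# 10.0.0.5 only answers, 10.0.0.40 reads a pdf (0x2e = Read AndX, not watched).
SAMPLE_EXPORT = """\
1700000001.1\t10.0.0.25\t0xa2\t\\Finance\\Q3.xls\t0
1700000001.2\t10.0.0.5\t0xa2\t\\Finance\\Q3.xls\t1
1700000002.0\t10.0.0.25\t0x2f\t\\Finance\\Q3.xls.exe\t0
1700000002.5\t10.0.0.25\t0x07\t\\Finance\\Q3.xls,\\Finance\\Q3.xls.exe\t0
1700000003.0\t10.0.0.40\t0xa2\t\\HR\\policy.pdf\t0
1700000003.3\t10.0.0.40\t0x2e\t\\HR\\policy.pdf\t0
1700000004.0\t10.0.0.25\t0xa2\t\\HR\\policy.pdf.exe\t0
"""


def parse_export(text):
    """Turn tshark field lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, cmd, names, is_resp = line.split("\t")
        records.append({
            "ts": float(ts),
            "src": src,
            "cmd": int(cmd, 16),          # smb.cmd is exported as 0x.. hex
            "names": names.split(","),    # one or more filenames per request
            "response": is_resp == "1",   # smb.flags.response: 1 = reply
        })
    return records


def suspect_exe_writers(records, ignore_hosts=frozenset()):
    """Map source host -> list of (ts, command, filename) for .exe create/write/rename requests."""
    hits = defaultdict(list)
    for r in records:
        if r["response"] or r["src"] in ignore_hosts:
            continue                       # replies come from the server; scanners are excluded
        if r["cmd"] not in SMB1_CMD_NAMES:
            continue                       # reads, closes, tree connects etc. are noise here
        exe_names = [n for n in r["names"] if n.lower().endswith(".exe")]
        if not exe_names:
            continue
        hits[r["src"]].append((r["ts"], SMB1_CMD_NAMES[r["cmd"]], exe_names[-1]))
    return dict(hits)


def rank_hosts(hits):
    """Hosts ordered by how many .exe-touching requests they sent, busiest first."""
    return sorted(((host, len(ops)) for host, ops in hits.items()), key=lambda h: -h[1])


if __name__ == "__main__":
    found = suspect_exe_writers(parse_export(SAMPLE_EXPORT), ignore_hosts={"10.0.0.99"})
    for host, count in rank_hosts(found):
        print(f"{host}: {count} .exe create/write/rename request(s)")
        for ts, cmd, name in found[host]:
            print(f"    {ts:.1f}  {cmd:<15} {name}")
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents; the host at the top of the ranking is the one to pull off the network and image, and the timestamps give you the window to correlate with the server's own audit log. For an SMB2 fileserver the same idea applies with `smb2.cmd` (5 = Create, 9 = Write, 17 = Set Info for renames) and `smb2.filename`.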