
Snort out of a CD to detect MSBlaster and Nachi

The following tool by Extol can be used to detect MSBlaster, Nachi (aka Welchia) and Sobig-F worm traffic at the network level, in order to identify the IP addresses of infected hosts. However, it must be run on the management port of the switch.

General instructions:

  1. Make a CD out of the iso image.
  2. Boot a standard PC with the tool.
  3. Log in as 'root' (no password required).
  4. Type 'tail -f /home/alert'.
  5. Alternatively, if there are too many alerts, use 'more /home/alert'.
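
When the alert file is too long to page through, it can be reduced to one line per source address and alert type. The script below is an added example, not part of the Extol tool: it assumes /home/alert is written in Snort's one-line "fast" alert format with IPv4 addresses, and the sample alerts and their messages are constructed for illustration.

```shell
#!/bin/sh
# Summarise a Snort alert file: alerts per source address and alert message.
# Assumption: one-line "fast" alert format with IPv4 addresses:
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] message [**] ... {PROTO} src[:port] -> dst[:port]

infected_hosts() {
    # $1 = alert file; reads standard input when omitted
    awk '
    {
        # Locate the "->" token; the field before it is the source endpoint.
        arrow = 0
        for (i = 2; i < NF; i++) if ($i == "->") { arrow = i; break }
        if (!arrow) next                      # not an alert line
        src = $(arrow - 1)
        sub(/:[0-9]+$/, "", src)              # drop the port (ICMP has none)

        # The message sits between the two " [**] " markers.
        if (split($0, part, / \[\*\*\] /) < 3) next
        msg = part[2]
        sub(/^\[[0-9:]+\] /, "", msg)         # drop the [gid:sid:rev] prefix
        count[src "\t" msg]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' "${1:--}" | sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# Constructed sample alerts (addresses, rule ids and messages are made up).
sample_alerts() {
    cat <<'EOF'
08/19-10:15:32.120000  [**] [1:1000001:1] CONSTRUCTED MSBlaster DCOM RPC probe [**] [Priority: 1] {TCP} 10.0.0.5:3021 -> 10.0.0.9:135
08/19-10:15:32.480000  [**] [1:1000001:1] CONSTRUCTED MSBlaster DCOM RPC probe [**] [Priority: 1] {TCP} 10.0.0.5:3022 -> 10.0.0.10:135
08/19-10:15:33.010000  [**] [1:1000001:1] CONSTRUCTED MSBlaster DCOM RPC probe [**] [Priority: 1] {TCP} 10.0.0.5:3023 -> 10.0.0.11:135
08/19-10:15:34.200000  [**] [1:1000002:1] CONSTRUCTED Nachi ICMP sweep [**] [Priority: 2] {ICMP} 10.0.0.7 -> 10.0.0.200
08/19-10:15:34.900000  [**] [1:1000002:1] CONSTRUCTED Nachi ICMP sweep [**] [Priority: 2] {ICMP} 10.0.0.7 -> 10.0.0.201
08/19-10:15:36.000000  [**] [1:1000003:1] CONSTRUCTED Sobig-F mail traffic [**] [Priority: 2] {TCP} 10.0.0.8:1050 -> 192.0.2.25:25
EOF
}

# Summarise the file given as $1, or the constructed sample when none is given.
if [ -n "${1:-}" ]; then infected_hosts "$1"; else sample_alerts | infected_hosts; fi
```

Each output line is a tab-separated alert count, source address and alert message, with the noisiest sources first.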

Download http://www.mycert.org.my/tools/extol/FreeSBIE.ISO.tar.gz (size 60Mb*)

MD5 (FreeSBIE.ISO.tar.gz) = c7c87b9fc86582512d5c8d1ecf18e1c7

The file FreeSBIE.ISO.md5 contains the MD5 sum.