Now that you have an idea of what this worm does and how it operates, you can start the Windows Performance Recorder and collect networking I/O activity. Then double-click and execute the worm, sit back, wait for 30 seconds, and save the trace file for analysis. Because of how this worm spreads, worms usually produce heavy network activity and bandwidth usage, which is exactly what the trace should capture.
- [Narrator] Since you won't have the worm to run on your own computer, we will go over the steps that were done to collect data on my machine. First, the Windows Performance Recorder UI menu was started and then the CPU, disk, and networking usage boxes were marked. The Windows Performance Recorder was then started and, immediately after it was, the worm was launched. Some Outlook messages popped up while the collection took place, and after the worm was done emailing itself to all of the contacts in the Outlook address book, a comment was put in and the save button at the bottom right was hit.
The generated trace file and the associated symbol information were then named WPT Worm Analysis. These files are included in the exercise files folder for those of you who have access. And this .NGENPDB folder that was generated contains the symbols, which let us see the Windows functions that are called as a result of the worm.
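The same collection the narrator performed in the WPR UI, scripted against WPR's command-line interface so it can be repeated in an isolated analysis VM. This is an added example, not part of the course or its exercise files; it assumes wpr.exe is on PATH (it ships with Windows 10 and later and with the Windows Performance Toolkit), that the script runs from an elevated prompt, and the optional -SamplePath parameter is an assumption of this script.

```powershell
# Added example (not from the course): reproduce the narrator's WPR collection
# from the command line. Assumes wpr.exe on PATH and an elevated prompt.
param(
    [string]$SamplePath,                      # optional: sample to launch once tracing is on
    [string]$TraceName = "WPT Worm Analysis", # trace name used in the course
    [int]$CaptureSeconds = 30                 # the course waits about 30 seconds
)

$wpr = Get-Command wpr.exe -ErrorAction SilentlyContinue
if (-not $wpr) { throw "wpr.exe not found; install the Windows Performance Toolkit." }

# The three built-in profiles that match the boxes ticked in the WPR UI:
# CPU, DiskIO and Network (networking I/O activity). -filemode writes events
# straight to disk instead of a circular memory buffer, so a long burst of
# network events from the worm emailing itself is not overwritten.
& wpr.exe -start CPU -start DiskIO -start Network -filemode
if ($LASTEXITCODE -ne 0) { throw "wpr -start failed with exit code $LASTEXITCODE" }

# Launch the sample only after the recorder is running, as the narrator did.
if ($SamplePath) { Start-Process -FilePath $SamplePath }

Start-Sleep -Seconds $CaptureSeconds

# -stop takes the output path and an optional description, which is the
# "comment" entered in the UI before hitting Save.
$etl = Join-Path (Get-Location) "$TraceName.etl"
& wpr.exe -stop $etl "$TraceName"
if ($LASTEXITCODE -ne 0) { throw "wpr -stop failed with exit code $LASTEXITCODE" }

# WPR writes the generated .NET symbols into a <trace>.etl.NGENPDB folder
# beside the trace; that folder is what the narrator refers to.
$ngenPdb = "$etl.NGENPDB"
[pscustomobject]@{
    Trace      = $etl
    SizeMB     = [math]::Round((Get-Item $etl).Length / 1MB, 1)
    NgenPdbDir = $ngenPdb
    HasSymbols = (Test-Path $ngenPdb)
}
```

Open the resulting .etl in Windows Performance Analyzer and load symbols from the .NGENPDB folder to follow the network I/O back to the calling functions.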