#1
Problem with worm ctfmon.exe
I have this worm in my network.
It works only on Windows OS. My data server is on Linux with a Samba server, and all the time somebody is copying this worm from a Windows client to my data server, because the data server is mapped as a network drive. My question is: Is there any way to find which machine copies this virus to my server? I changed my Samba log level to 10 (which means debug level) but it doesn't help much. I can't see the exact IP or NIC hardware address. Thanks in advance.
#2
|
|||
|
|||
|
Ctfmon.exe is not a "worm", it's a system component. 20 microseconds of googling for "ctfmon.exe" revealed the following:
Frequently asked questions about Ctfmon.exe
I hope this helps.
bakunin
#3
|
|||
|
|||
|
Quote:
WORM_VB.BDN - Description and solution
I wrote a script to remove all written here:
WORM_VB.BDN - Technical details
I started it on all machines in my domain with Group Policy but there is no result for now. 10x for help but I need more.
#4
|
||||
|
||||
|
Possible solution: unmap the network drive, and check the router logs for unsuccessful TCP connections to the data server, but you gotta have network admin with you. Else, you may look recursively in the logs folder, for example:
grep -ir "ctfmon.exe" /var/log/*
This will search for any lines with ctfmon.exe string in, and hopefully you will be alarmed with the IP address of the user. On the other hand, have everyone in your office to scan their PCs for viruses and eventually clean them up.
#5
|
|||
|
|||
|
10x everybody.
I found a solution for my problem. I made a script to run smbstat > log_$i.log until I press Ctrl+C. When I delete ctfmon.exe somebody copies it back. When I grep the content of all logs, I found the problem PC. Thank you very much again.
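
The snapshot-and-grep approach from the last post, written out as an added example (not the poster's script): it joins the lock table to the process table so each hit carries the client name and IP. It assumes the command is `smbstatus` and the Samba 3.x table layout; the function names and the sample snapshot are made up for illustration.

```shell
#!/bin/sh
# Added example: find which client has a file open for writing on a Samba share.
# Assumes the Samba 3.x smbstatus table layout; newer releases differ.
# Constructed sample snapshot (hosts, users and PIDs are made up).
sample_snapshot() {
cat <<'EOF'
Samba version 3.0.28
PID     Username      Group         Machine
-------------------------------------------------------------------
12345   alice         users         pc-07        (192.168.1.57)
12399   bob           users         pc-12        (192.168.1.62)

Service      pid     machine       Connected at
-------------------------------------------------------
data         12345   pc-07         Thu Jul 31 12:00:01 2008

Locked files:
Pid    Uid   DenyMode   Access   R/W     Oplock  SharePath  Name        Time
------------------------------------------------------------------------------
12345  1000  DENY_NONE  0x2019f  RDWR    NONE    /srv/data  ctfmon.exe  Thu Jul 31 12:27:03 2008
12399  1001  DENY_NONE  0x20089  RDONLY  NONE    /srv/data  ctfmon.exe  Thu Jul 31 12:27:05 2008
EOF
}

# suspects NAME: read one smbstatus snapshot on stdin, print
# "pid user machine ip mode" for each session holding NAME open for writing.
suspects() {
    awk -v name="$1" '
        /^Locked files:/ { locked = 1; next }
        # Process table rows: PID user group machine (ip)
        !locked && $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
            ip = $NF; gsub(/[()]/, "", ip)
            who[$1] = $2 " " $4 " " ip
        }
        # Lock table rows: column 5 is RDONLY, WRONLY or RDWR
        locked && $1 ~ /^[0-9]+$/ && $5 ~ /WR/ && index(tolower($0), tolower(name)) {
            print $1, (($1 in who) ? who[$1] : "unknown unknown unknown"), $5
        }'
}

# watch_share NAME: poll the live server every second until Ctrl+C.
watch_share() {
    while :; do
        smbstatus 2>/dev/null | suspects "$1" | sed "s/^/$(date '+%F %T') /"
        sleep 1
    done
}
sample_snapshot | suspects ctfmon.exe   # demo on the constructed snapshot
```

Polling only catches a file that is held open at the moment of the snapshot, so a short copy can complete between two polls.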