|Home||Switchboard||Unix Administration||Red Hat||TCP/IP Networks||Neoliberalism||Toxic Managers|
|May the source be with you, but remember the KISS principle ;-)|
Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013
Contents : Foreword : Ch01 : Ch02 : Ch03 : Ch04 : Ch05 : Ch06 : Ch07 : Ch08 : Ch09 : Ch10 : Ch11 : Ch12 : Ch13
Chapter 2: Social Aspects of Malware[an error occurred while processing this directive]
(Attention: this is fragments of unfinished work)
1.1 Determination of the type of the incident
1.2 Typical errors of helpdesk analysts
1.2.1. Panic reaction on infections by already known macro viruses
1.2.2. Failure to recommend upgrade older version of the AV package to the current one.
Upgrading problem to the Level 3 for a site that is running an old version of the AV package
1.2.3. Failure to send the LAN Admin and/or the user updated documentation
1.2.4. Failure of the helpdesk analyst to recognize well-know hoaxes
1.2.5. Incorrect description of the problem
1.3 Important Tips
2. Most frequent cases of macro virus related calls
2.1. The AV package is unable to disinfect the document
2.2. User is unable to save file, or file can be saved only into the TEMPLATE directory
2.3. After disinfection file became false positive and produce error messages on login
2.4. File that has extension RTF (in RTF format) is infected
3. Typical calls about boot viruses
3.1. After disinfection virus appears again.
3.2. Computer cannot boot from the hard drive.
4. Typical problems with AV package.
4.1. AV package does not start execution. Errors during login LIke "Cannot execute
external program..." "Out of environment space..."
4.2. Insufficient memory problem on NetWare 3.xx.
5. User asks for additional info
6. Procedure of upgrading the problem to the Level 3 support (the Data Security Analyst level)
In a corporate environment the cost of a virus incident consists mainly of the cost of user downtime. So it is best to resolve the incident at the lowest level of technical support. There are several general recommendations when dealing with computer virus infections:
First the HELPDESK analyst needs to determine the type of incident. If a virus was detected by the AV Package at login, then there may be two possibilities:
Attention: The typical mistake here is to start filling the ticket beginning from the "problem" field. The problem field should be filled as the last field after all information is collected.
Generally, there are four main categories of virus related incidents:
Recommended code name for the "problem" field in the CustQ: False positive for virus <name>
Also there are two very rare categories:
This was already discusses and needs no repetition. Please read the document Anti Virus Defense Secrets/Hoaxes for details on how to distinguish a hoax from a real warning.
I would like to repeat that like natural infections often strike weaker humans. Often the problem with disinfection is as simple as inability to find and download the latest version of software or signature file.
Cases repeat and only if the case is documented properly it can help other analysts, LAN administrators in researching the problem. You Documents about worm/spyware protection should be probably one of the most dynamic documents that helpdesk deals with.
Correct description of the problem greatly simplifies dealing with the problem. It is recommended to use the terminology suggested above in a problem field.
The first task of the HELPDESK is to educate the users. For macro viruses the HELPDESK analyst should send documents MACROVIR.HTM and DOC2RTF.HTM. to all users?.
Cases of macro infections are usually simple and 99% of them involve already known viruses like Concept, WAZZU, Nop, Npad. Such an incident can usually be resolved at the helpdesk level or LAN support personnel level. Please do not upgrade calls to the Data Security Analyst without necessity. The following cases are the most frequent ones:
from the DOS prompt.
If the version is not current, then reinstallation of the package from
Netware95_US should be attempted by LAN support personnel. If
the package is current than local installation
of AV package often solves the problem. To
do this, run the command:
from the server. In most cases this will solve the problem.
There are two different reasons: First, the file extension .RTF and text format RTF (Rich Text Format) in MS Word are quite independent of each other J. Documents with extension .RTF are immune to macro viruses only if they are really in RTF format. If they are just renamed documents in native MS Word format they can be infected and often are. So extensions themselves does NOT guarantee absence of macro virus. Correct conversion to RTF format DO guarantee absence of macro viruses in the document.
For additional information see MACROVIR.HTM
The most common boot virus is Form. The boot virus infection in most cases can be disinfected using the AV-Rescue Disk by the user or the LAN support person.
Check what version of AV Rescue Disk was used for resolving the problem. If not
the latest one, then AV package on this particular
server needs to be upgraded. Image
of latest version of AV Rescue Disk is available from
Netware95_US or IS_US. The name of the file is 03BAV27B.IMG. This file can be sent
by e-mail. After receiving the file use needs to save it on
the local hard drive (for example in C:\TEMP directory). Then
to create new AV Rescue Disk by running
the command wimage c:\temp\03bav27a.img a:
If the latest version of AV Rescue Disk is used then one possible reason is that the user has made the Rescue Disk on a infected computer or (more often) just forget to open the write protect tab on the floppy after creation of the disk. In the latter case the AV Rescue Disk may became infected after user inserts it into his/her workstation. After AV Rescue Disk becomes infected it will reinfect the workstation instead of disinfecting it.
Usually that means that the computer is infected with the Monkey virus. AV Rescue Disk could disinfect this virus. Please recommend using option B after booting from the AV Rescue Disk.
Important: For any problem with the AV package the first thing is to determine if the latest version is used. If the side does not have the latest version installed, they need to upgrade. Non current version is NOT supported and problems with it should NOT be upgraded to the level 3 support. The Site can still use the old version at their own risk. Recommended code name for "problem" field in CustQ: AV package problem.
Usually that can be a problem with the login script, not a problem with the AV package. Calls about the login script problems should be addressed to local LAN support. They should compare fragment of login script that calls AV package with installation specs and correct all errors. Help of a local LAN support person with a strong knowledge of login scripts is highly recommended.
Only if they cannot resolve the problem locally, additional info needs to be collected (see below) and problem can be upgraded to the Level 3
Reason is still unknown. This is most likely a bug or incompatibility error in Windows 95. Solution: Answer "Abort". Rescue disk created is perfectly usable...
If NPROTECT is enabled, then all deleted files will be moved to NPROTECT directory. That means that deleted infected files will be found by F-prot in this directory during control check that is performed after disinfection in this directory and computer will be blocked.
HELPDESK should send relevant document(s) to the user via e-mail or address the Intranet Website with relevant information. Several typical examples:
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes. If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner.
ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.
Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers : Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism : The Iron Law of Oligarchy : Libertarian Philosophy
War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda : SE quotes : Language Design and Programming Quotes : Random IT-related quotes : Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce : Bernard Shaw : Mark Twain Quotes
Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 : Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law
Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds : Larry Wall : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS : Programming Languages History : PL/1 : Simula 67 : C : History of GCC development : Scripting Languages : Perl history : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history
The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month : How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Haterís Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor
The Last but not Least
Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.
Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...
|You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info|
The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Last modified: September 12, 2017