Softpanorama

May the source be with you, but remember the KISS principle ;-)
Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013

Contents : Foreword : Ch01 : Ch02 : Ch03  : Ch04 : Ch05 : Ch06 : Ch07 : Ch08 : Ch09 : Ch10 : Ch11 : Ch12 : Ch13


Chapter 6: Mail Worms

Klez.H Worm

Update

Introduction

Quick Diagnostic and Disinfection

Email Properties and the Method of Distribution

Damage

Startup and Propogation

Local and Network Drive copying

Necessary Measures  -- Please read !!!

Symantec Removal Tool

Acknowledgments

References

Supplement 1: Attachment


 

Update

[May 12, 2002] Almost a month after it started spreading, the Klez.H worm slowing down, but managed to entered the "evil troika" list of most common PC viruses along with Magistr and Sircam. Moreover, the worm's technique of forging the address of the sender on each infected e-mail message is creating a stream of useless warnings from gateway antivirus software, informing the wrong people that they are infected.  Nothing can be done with it: this is a weakness of the SMTP protocol that does not require authentication.

The false addresses are slowing disinfections. The worm definitely data mines files for e-mail addresses. If Klez happens to send an e-mail "from" a user to an e-mail list's automatic subscribe address, the list software assumes the e-mail is a valid subscription request and begins sending mail to the user.

Recipients of the virus-laden e-mails, not understanding that the "From" information is virtually always phony -- or even that they have received a virus -- have been clogging networks with angry and confused e-mails that are causing a great deal of cyber-havoc. Some Internet users have recently received an e-mail message from a dead friend. Others have been subscribed to obscure mailing lists (if Klez happens to send an e-mail "from" a user to an e-mail list's automatic subscribe address, the list software assumes the e-mail is a valid subscription request and begins sending mail to the user.). Some users reportedly have lost their Internet access after being accused of spamming, and still others have received a letter that look like e-mailed pornography from a person that cannot believe did so. And actually he never did. Klez e-mails' subject lines are randomly chosen from a pre-programmed list of about 120 possibilities, including "Let's be friends," "Japanese lass' sexy pictures," "Meeting Notice," "Hi Honey" and "SOS."

Klez also sends fake "returned" or "undeliverable" e-mails, advising the supposed sender that their original, refused e-mail is contained in the attachment. Clicking on the attachment triggers the virus.

In many cases, antivirus software protecting a company's e-mail gateways is sending out a response to each infected e-mail inadvertently sent out by a victim -- but that warning is going to the wrong person. So, in effect, you're getting twice the fun you would normally get.

As of  May 12, 2002 there's no indication that the worm is dying down. It looks like it might repeat Magistr feat of longevity  and will stay active for a prolong period of time. Currently 5-10 messages a day is detected on the e-mail gateway.

The virus can launch automatically when users click to preview or read e-mails bearing Klez on systems that have not been patched for a year-old vulnerability in Internet Explorer (if they are viewing for example their Hotmail, Yahoo or other WEB-mail account), Outlook and Outlook Express. Klez only affects PCs running Microsoft's Windows operating system.

Please note that the attachment that contains the worm has the size from 100K to 150K.

Introduction

The worm exists in several modifications. The version diagnosed as Klez.H by Symantec and as Klez.G by Trend Micro was discovered April 18, 2002 around noon and as of 3:24 04/18/2002 we have at least two infected users.  Both variants of Klez, mentioned above are modified versions of Klez.E.

The Klez.h variant, infects PCs whose users open the attachment to an infected e-mail. Confusing matters, the e-mail will have a random "from" address, selected from various sources on the original victim's hard drive. And it pairs this bogus sender's address with one of more than 120 different subject lines.

The worm is capable of spreading by email and network shares. In Outlook the worm uses an Internet Explorer security breach (IFRAME vulnerability) to start automatically when an infected message is viewed. The virus to be capable of infecting EXE files on all available computer disks. It uses a companion type of infection: when infecting an EXE file, the worm overwrites it and creates a backup file with the same name as the infected file, but with a random extension with hidden, system and read-only attributes. When the infected file is run, the worm extracts the original program from a backup file with its original name plus 'MP8' and runs it. After the program terminates, the worm deletes it.

When a user opens the attachment, the virus starts up its own e-mail engine and mass mails itself to e-mail addresses found in various files on the PC, using a source address culled from those addresses. Klez.h can also send out a random file from the PC as an attachment, along with the e-mail that carries the worm, potentially passing confidential information.  In some instances, the worm also drops one of several other viruses, including the destructive CIH,

It also tries to remove any active antivirus software from the system.

As of April 18. 2002 Trend Micro information is limited to the older variant: WORM_KLEZ.E - Description and solution but nevertheless our e-mail gateway software (Scanmail) does has a limited capability to catch the new variant. I hope that it will be able to catch all of them early next week.

Our current information about the worm based mainly on information from Symantec and my and Michael Cloutier experience with one infected PC that I found today in Mount Olive.

F-secure has a special tool that can be used for disinfection and is available from:

ftp://ftp.europe.f-secure.com/anti-virus/tools/kleztool.zip

Please note that due to incorrect settings of Microsoft File Explorer on the new "standard" PCs with Windows 2000 it hides the extension. You need to change this setting manually to see a full names of the files (with extensions)

If the user has admin right to the PC that the worm disables the current version of F-secure, so F-secure is useless against any new variants that are not alreay in the database.

As a temporarily measure, effective immediately, I blocked all inbound and outbound .EXE attachments until Monday April 22, to keep the number of infections under control until AV vendors debug the recognition of those new variants.

Renaming of an .EXE attachment (or zipping it) still works and should be used if you need to send one. Please communicate this to users.

Luckily enough it does not attach any user documents to the infected letter. To avoid becoming a victim of this worm users need to be especially vigilant for the next couple of weeks and check properties of the executable attachments they receive (using view) before clicking. If attachment is an Win32 executable file and come from an unknown or known but unexpected sender they should avoid clicking on it and contact the sender first.

A letter for users about this worm was already distributed by the helpdesk.

Quick Diagnostic and Disinfection

If a user has admin rights to the PC the worm usually disables F-secure (and several other AV programs) so in this case F-secure is useless against those new variants.

In case the user does not have admin rights F-secure may survive, but cannot be considered as a reliable test: even if F-secure does not find any infected executables the PC still can be infected because signature files can be outdated.  In this case sysadmin needs need manually update F-secure files using Fsupdate.exe from the F-secure server in Europe: the server in the USA can be and in case of major virus infection usually is outdated. Just download it into F-secure directory and run it. 

Quick diagnostics of the worm can be done via Windows NT/200 task list. If an executable with the name starting with wink (for example winkkd.exe) is running, then the PC is infected with the worm.

F-secure has a special tool that can be used for both diagnostic and disinfection and is available from:

ftp://ftp.europe.f-secure.com/anti-virus/tools/kleztool.zip

Please note that due to incorrect settings of Microsoft File Explorer on the new "standard" PCs with Windows 2000 it hides the extension. You need to change this setting manually to see a full names of the files (with extensions).

Email Properties and the Method of Distribution

Method of distribution is a typical for worms, but looks like better debugged. This worm searches the Windows address book, the ICQ database, and local files for email addresses (only the last one usually applied for the corporate environment -- Internet cache usually contain a lot of e-mail addresses from an internal WEB server).  The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers.  How successful it was in Lotus Notes environment is unclear.

The size of the worm is approximately 90K.  The sample that I got has double dots but that might be an error in creation of double extension (name is definitely random):

    04/17/2002 09:51p 88,899 cancer..exe

If you try to view the attachment properties (which should became a standard practice for everybody starting from today; if the properties show this is an Executable file format never ever click) you will see that the worm' executable has all the section with Version Information stripped (see example of real windows executable header below) has 4 sections is compiled for i386 architecture, timestamp 0x3CB78EB8 and stripped Relocs, line nums and local syms.

Win32 Portable Executable File Format

File Header (Main Menu)

Machine 0x014C (i386)

Number of Sections 0x0004

TimeDataStamp 0x3CB78EB8

PointerToSymbolTable 0x00000000

NumberOfSymbols 0x00000000

SizeOfOptionalHeader 0x00E0

Characteristics 0x010F

RELOCS_STRIPPED

EXECUTABLE_IMAGE

LINE_NUMS_STRIPPED

LOCAL_SYMS_STRIPPED

32BIT_MACHINE

The full header for the sample of the worm that I got is reproduced in the Supplement 1.  Please compare it with a regular Windows 2000 executable:

Win32 Portable Executable File Format

Version Information File Header (Main Menu)
ProductName Microsoft(R) Windows (R) 2000 Operating System

CompanyName Microsoft Corporation

FileDescription Welcome to Windows NT

InternalName Welcome

FileVersion 5.00.2134.1

OriginalFilename WELCOME.EXE

ProductVersion 5.00.2134.1

LegalCopyright Copyright (C) Microsoft Corp. 1998-1999

 

Machine 0x014C (i386)

Number of Sections 0x0003

TimeDataStamp 0x37ECAF3C

PointerToSymbolTable 0x00000000

NumberOfSymbols 0x00000000

SizeOfOptionalHeader 0x00E0

Characteristics 0x030F

RELOCS_STRIPPED

EXECUTABLE_IMAGE

LINE_NUMS_STRIPPED

LOCAL_SYMS_STRIPPED

32BIT_MACHIN

 

 

Damage

Most manages is connected with confusion created by using fake "from" address.  Recipients of the virus-laden e-mails, usially do not understand that the "From" address is virtually always phony  (and often do not suspect that they have received a virus). Many naive users are clogging mailboxes with angry and confused e-mails that are causing a great deal of cyber-havoc.

Some Internet users have recently received an e-mail message from a dead friend. Others have been subscribed to obscure mailing lists (if Klez happens to send an e-mail "from" a user to an e-mail list's automatic subscribe address, the list software assumes the e-mail is a valid subscription request and begins sending mail to the user.). Some users reportedly have lost their Internet access after being accused of spamming, and still others have received a letter that look like e-mailed pornography from a person that cannot believe did so. And actually he never did.

Klez e-mails' subject lines are randomly chosen from a pre-programmed list of about 120 possibilities, including "Let's be friends," "Japanese lass' sexy pictures," "Meeting Notice," "Hi Honey" and "SOS."

Payload: This worm infects executables by creating a hidden copy of the original host.exe file and then overwriting the original file with itself. The hidden copy is encrypted, but contains no viral data. The name of the hidden file is the same as the original file, but with a random extension.

Large scale e-mailing: This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment.  Mail can also contain two attachments: one of the text document. Sometimes it contains the description of the phone disinfection tool for Klez.E.

Startup and Propogation

When this worm is executed, it does the following:

It copies itself to \%System%\Wink<random characters>.exe

NOTE:
%System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

It adds the value

    Wink<random characters> %System%\Wink<random characters>.exe

to the registry key

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

or it creates the registry key

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink[random characters]

and inserts a value in that subkey so that the worm is executed when you start Windows.

The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any active AV-related processes. The virus searches for active antivirus processes applications (anti-viruses, see the list below) and forces them to unload using a Windows "TerminateProcess" command. The worm also removes the startup registry keys used by antivirus products and deletes checksum database files including related to F-prot and Kasperski antivirus (F-secure is not an independent AV scanner: it uses combination of two AV engines F-prot and Kaspersky). 

Local and Network Drive copying

The worm copies itself to all local, mapped, and network drives as:

The worm enumerates network resources and copies itself to remote drives twice - once as an executable file with single or double extension, and second time as a RAR archive that can have single or double extension as well. The RAR archive contains the worm's executable file with one of the following names:

 setup
 install
 demo
 snoopy
 picacu
 kitty
 play
 rock

 

The first extension of the RAR archive or of the worm's executable can be:

 .txt
 .htm
 .html
 .wab
 .doc
 .xls
 .jpg
 .cpp
 .c
 .pas
 .mpg
 .mpeg
 .bak
 .mp3

 

The second or the only extension of the worm's executable file can be:

 .exe
 .scr
 .pif
 .bat

 

The dropped RAR archive and worm's executable file name is either random or belongs to a file, that a worm found on a host system. So it can be for example QQ.PAS.EXE , KERNEL.MP3.PIF , DOCUMENT.SCR and so on.

Necessary Measures

1. The worm tries to exploit a known  Internet Explorer hole if the user access Hotmail, Yahoo mail or other WEB-mail provider. You should recommend users to update Windows and Internet Explorer. Users that have admin rights can do this themselves by going to Start menu/Windows Update.

2. Network shares should be disabled or password protected.

3. Desktop AV software (F-secure) should have virus definitions dated May 10 or later.

Symantec Removal Tool

You can also use free tool from Symantec to check for the worm W32.Klez Removal Tool . Here is a relevant info:

W32.Klez.gen@mm is a generic detection that detects variants of W32.Klez. Computers that are infected with W32.Klez.gen@mm have most likely been exposed to either W32.Klez.E@mm or W32.Klez.H@mm. If your computer is detected as infected with W32.Klez.gen@mm, download and run the tool. In most case, the tool will be able to remove the infection.

What the tool does:

The W32.Klez Removal Tool does the following:


NOTES:

Command-line switches that are available for this tool
 

Switch Description
/HELP, /H, /? Displays the help message.
/NOFIXREG Disables registry repair (the use of this switch is not recommended).
/SILENT, /S Enables silent mode.
/LOG=<path name> Creates a log file where <path name> is the location in which to store the tool's output. By default, this switch creates the log file FixKlez.log in the same folder from which the removal tool was executed.
/MAPPED Scans mapped network drives (the use of this switch is not recommended--see notes).
/START Forces the tool to start scanning immediately.
/EXCLUDE=<path> Excludes the specified <path> from scanning (the use of this switch is not recommended).


NOTE: The use of the
/MAPPED switch does not ensure the complete removal of the virus on the remote computer because:

For these reasons, you should run the tool on every computer.

To obtain and run the tool

NOTE:
You must have administrative rights to run this tool on Windows NT 4.0, Windows 2000, or Windows XP.
 


NOTE:The removal procedure might be unsuccessful if Windows Me/XP System Restore was not disabled as previously directed because Windows prevents System Restore from being modified by outside programs. Because of this, the removal tool might fail. If W32.Klez.gen@mm was activated before you ran the removal tool, in most cases you will not be able to start Norton AntiVirus (NAV). The instructions for running NAV from the command line and reinstalling NAV are in the removal section of the W32.Klez.E@mm writeup.

When the tool has finished running, you will see a message that indicates whether the computer was infected by variants of W32.Klez@mm and/or variants of W32.ElKern. If an infection was removed, the program displays the following results:


The digital signature

FixKlez.com is digitally signed. Symantec recommends that you use only copies of FixKlez.com that were downloaded directly from the Symantec Security Response download site. To verify the authenticity of the digital signature, follow these steps:


System Restore option in Windows Me/XP
Windows Me and Windows XP users should temporarily turn off System Restore. This feature, which is enabled by default, is used by Windows Me/XP to restore files on your computer in case they become damaged. When a computer is infected with a virus, worm, or Trojan, it is possible that the virus, worm, or Trojan could be backed up by System Restore. By default, Windows prevents System Restore from being modified by other programs. As a result, there is the possibility that you could accidentally restore an infected file, or that online scanners would detect the threat in that location. For instructions on how to turn off System Restore, read your Windows documentation or one of the following articles:


For additional information and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder, Article ID: Q263455.

How to run the tool from a floppy disk


NOTE: If you are using Norton AntiVirus (NAV) 2000/2001/2002, in most cases, after you remove the virus you must uninstall and reinstall NAV. For instructions on how to do this, read the document How to restore Norton AntiVirus after removing W32.Goner.A@mm or W32.Klez.gen@mm.

 

Acknowledgments

I would like to thank Michael Cloutier who helped me to enhance e-mail gateway security and was the first to found the description of the worm on the Symantec site.

References

 

 

Supplement 1: Attachment

Full header listing:

Win32 Portable Executable File Format

File Header (Main Menu) Optional Header (Main Menu) Data Directory (Main Menu) Section Table (Main Menu)
Machine 0x014C (i386)

Number of Sections 0x0004

TimeDataStamp 0x3CB78EB8

PointerToSymbolTable 0x00000000

NumberOfSymbols 0x00000000

SizeOfOptionalHeader 0x00E0

Characteristics 0x010F

RELOCS_STRIPPED

EXECUTABLE_IMAGE

LINE_NUMS_STRIPPED

LOCAL_SYMS_STRIPPED

32BIT_MACHINE

 

Magic 0x010B

linker version 6.00

size of code 0xC000

size of initialized data 0x89000

size of uninitialized data 0x0

entrypoint RVA 0x8458

base of code 0x1000

base of data 0xD000

image base 0x400000

section align 0x1000

file align 0x1000

required OS version 4.00

image version 0.00

subsystem version 4.00

Win32 version value 0x0

size of image 0x96000

size of headers 0x1000

checksum 0x0

Subsystem 0x0002 (Windows GUI)

DLL flags 0x0000

stack reserve size 0x100000

stack commit size 0x1000

heap reserve size 0x100000

heap commit size 0x1000

loader flags 0x00000000

RVAs & sizes 0x10

 

EXPORT rva: 00000000 size: 00000000

IMPORT rva: 0000D620 size: 00000064

RESOURCE rva: 00095000 size: 00000010

EXCEPTION rva: 00000000 size: 00000000

SECURITY rva: 00000000 size: 00000000

BASERELOC rva: 00000000 size: 00000000

DEBUG rva: 00000000 size: 00000000

COPYRIGHT rva: 00000000 size: 00000000

GLOBALPTR rva: 00000000 size: 00000000

TLS rva: 00000000 size: 00000000

LOAD_CONFIG rva: 00000000 size: 00000000

unused rva: 00000000 size: 00000000

unused rva: 0000D000 size: 000001EC

unused rva: 00000000 size: 00000000

unused rva: 00000000 size: 00000000

unused rva: 00000000 size: 00000000

 

01 .text VirtSize: 0000BA4A VirtAddr: 00001000

raw data offs: 00001000 raw data size: 0000C000

relocation offs: 00000000 relocations: 00000000

line # offs: 00000000 line #'s: 00000000

characteristics: 60000020

CODE MEM_EXECUTE MEM_READ

02 .rdata VirtSize: 00001022 VirtAddr: 0000D000

raw data offs: 0000D000 raw data size: 00002000

relocation offs: 00000000 relocations: 00000000

line # offs: 00000000 line #'s: 00000000

characteristics: 40000040

INITIALIZED_DATA MEM_READ

03 .data VirtSize: 00085E6C VirtAddr: 0000F000

raw data offs: 0000F000 raw data size: 00005000

relocation offs: 00000000 relocations: 00000000

line # offs: 00000000 line #'s: 00000000

characteristics: C0000040

INITIALIZED_DATA MEM_READ MEM_WRITE

04 .rsrc VirtSize: 00000010 VirtAddr: 00095000

raw data offs: 00014000 raw data size: 00000010

relocation offs: 00000000 relocations: 00000000

line # offs: 00000000 line #'s: 00000000

characteristics: 40000040

INITIALIZED_DATA MEM_READ

 

Resources (Main Menu)

ResDir (0) Named:00 ID:00 TimeDate:00000000 Vers:0.00 Ch

 


Etc

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes.   If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. 

ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.  

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least


Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: May 08, 2017