Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013

Contents : Foreword : Ch01 : Ch02 : Ch03  : Ch04 : Ch05 : Ch06 : Ch07 : Ch08 : Ch09 : Ch10 : Ch11 : Ch12 : Ch13

Chapter 7: Network worms

SirCam Worm coverage comparison

All information below was collected on Sunday, June 22, 2001. The preface was updated later, but AV description were not. This is important to recreate historical truth about the quality of coverage by AV vendors.

***** Symantec misses some facts provided by Kaspersky description (see below), but get most facts rights and also provide an important information that can be found nowhere else. For example Symantec was one of the few AV vendors that provided information about how worm uses registry keys can help to determine the extent of the damage.  Later they even provided a small downloadable free disinfector for home users. The most important omission is that they hide the fact the worm cannot send any e-mail on Win2000 (and Win NT) systems due to a flaw in the code. They also provided information about Scmx32.exe and office.exe  Startup folder:

7. There is a 1 in 33 chance that the following actions will occur:

• The worm copies itself from C:\Recycled\Sirc32.exe to %Windows%\Scmx32.exe
• The worm copies itself as "Microsoft Internet Office.exe" to the folder referred to by the registry key
  
  HKEY_CURRENT_USER\Software\Microsoft\
  Windows\CurrentVersion\Explorer\
  Shell Folders\Startup

**** I-Worm.Sircam, virus description [VirusList.com®] It looks like this time Kaspersky provides a quality information, but it misses the content of registry keys. 

*** F-secure info is decent, but lucks both depth and clarity (They improve is as of July 24).

** Sophos article Sircam - are you protected Sophos information is weak

* McAfee.com - W32-SirCam@MM Help Center Initial McAfee coverage was very weak  Later it was substantially improved and as of July 27 is compatative with Symantac and Kasperski. Still the list of documents that the worm send out is wrong. 

- Nikolai Bezroukov

Kaspersky

http://www.viruslist.com/eng/viruslist.asp?id=4225&key=00001000130000100088

This is a dangerous worm that spreads via the Internet and local network. The worm itself is a Windows application written in Delphi about 130K in size. While spreading, the worm may append to its file an additional DOC, XLS, ZIP and other files (see below), so the attached file length can be more than 130K.

Upon being executed (by a clicking on the attached file for instance), it installs itself into the system, then sends infected messages (with its attached copy), infects local network computers (if there are drives shared for full access), and depending on system date, runs its payload routine.

E-mail Spreading

The worm sends itself from infected machines as an attached file with a variable name and double extension:

filename.ext1.ext2

where "ext1" can be one of the following variants: DOC, XLS, ZIP, or EXE.

The worm from the following variants randomly selects the "ext2" extension: PIF, LNK, BAT, COM. For example:

feb01.xls.pif
normas.doc.bat

The "filename.ext1" comes from the original files that are located on an infected machine. The worm looks for a "ext1" file on a machine and obtains its name as an attach name. The worm then obtains the file contents and appends them to itself, and sends the result. So the infected files that are sent out of an infected machine contain two parts: 1: the worm's EXE code; 2: appended extra data that are a randomly selected DOC/XLS/ZIP/EXE file from an infected machine. This appended file is then used by the worm to disguise its activity (see below).

As a side effect such an "appended file" spreading method may cause confidential info disclosure.

The worm message Subject is "filename" as above (exactly the "filename" of the attached file).

The Body can be in two languages: English and Spanish. The first and last lines of the message body are always the same:

first line:	Hi! How are you?	Hola como estas ?
last line:	See you later. Thanks	Nos vemos pronto, gracias.

The variants of text between these lines are:

I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I send to you
This is the file with the information that you ask for

Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la informaciСn que me pediste

The worm obtains a victim's e-mail addresses by scanning files that may contain them: SHO*, GET*, HOT*, *.HTM, *WAB, and some others. The result of the search is then stored by the worm in fake DLL files in a system directory:

SCD.DLL file contains list of "ext1" files
SCH1.DLL, SCI1.DLL files contain a list of e-mail addresses located in scanned files.

There can also be SCT1.DLL and SCY1.DLL files found in a system directory, the worm stores additional data there.

Installation to System

The worm copies itself to:

1. \RECYCLED directory on a Windows drive with the SirC32.exe name, for example:

   C:\WINDOWS\
   C:\RECYCLED\SirC32.exe

2. Windows system directory with the SCam32.exe name.
3. Windows directory with the ScMx32.exe name.
4. Windows start-up directory with the "Microsoft Internet Office.exe" name.

Note that not all these steps are performed by the worm upon the first start-up - some of the files are created there depending on different conditions.

The attributes of all these files are then set to "Hidden".

Two first files then are registered in the system-registry auto-run keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
══Driver32 = %windows system directory%\SCam32.exe

HKCR\exefile\shell\open\command
══SirC32.exe

The worm then extracts an appended "decoy" file (see above) to the Windows TEMP directory, with the "decoy" file having the "filename.ext1" name. The worm then opens this file with WINWORD.EXE or WORDPAD.EXE, EXCEL.EXE, WINZIP.EXE depending on "ext1".

The worm also creates additional registry keys and stores its internal data in here, with the name of the key being HKLM\SOFTWARE\SirCam.

Network Spreading

To spread over a local network, the worm enumerates all network resources (obtains all shared directories on remote machines), and then copies itself to here. If there is a "\recycled" directory in the victim's shared directory, the worm copies itself to this directory with the SirC32.exe name:

\recycled\SirC32.exe

The worm then appends to the end of the AUTOEXEC.BAT file the following command:

@win \recycled\SirC32.exe

If there is a "\Windows" directory, the worm renames the RUNDLL32.EXE file to the RUN32.EXE name, and then overwrites the original RUNDLL32.EXE with its own copy.

The worm then sets hidden attributes to its copies.

Payload

Depending on the system date and time, the worm in one case out of 20, randomly deletes all files in the Windows directory and removes all directories contained here.

Upon each start-up in one case out of 50, the worm randomly creates a SirCam.Sys file in the root of the current drive and writes one of following texts there:

[SirCam_2rP_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
[SirCam Version 1.0 Copyright ╘ 2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]

It appears to be that the worm writes these texts many times to fill free disk space.

These strings (as well as most of the other text stings) are encrypted in the worm's body.

Symantec

SARC Write-up - W32.Sircam.Worm@mm

It creates copies of itself as %TEMP%\<File name> and C:\Recycled\<file name>, which contain the attached document. This document is then launched using the program registered to handle the specific file type (For example, if it is saved as a file with the .doc extension, it will run using Microsoft Word or Wordpad. A file with the .xls extension will open in Excel, and one with the .zip extension will open in you default zip program such as WinZip.)

NOTE: The term %TEMP% is the Temp variable, and means that the worm will save itself to the Windows Temp folder, whatever its location. The default is C:\Windows\Temp.

2. It copies itself to C:\Recycled\Sirc32.exe and %System%\Scam32.exe.

NOTE: %System% is also a variable. The worm will locate the \System folder (by default this is C:\Windows\System) and copy itself to that location.

3. It adds the value

Driver32=%System%\scam32.exe

to the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\
Microsoft\Windows\CurrentVersion\RunServices

4. It creates the registry key

HKEY_LOCAL_MACHINE\Software\SirCam

with the following values:

• FB1B - Stores the file name of the worm as stored in the Recycled directory.
• FB1BA - Stores the SMTP IP address.
• FB1BB - Stores the email address of the sender.
• FC0 - Stores the number of times the worm has executed.
• FC1 - Stores what appears to be the version number of the worm.
• FD1 - Stores the file name of worm that has been executed, without the suffix.
   

5. The (Default) value of the registry key

HKEY_CLASSES_ROOT\exefile\shell\open\command

is set to

C:\recycled\sirc32.exe "%1" %*"

This enables the worm to execute itself any time that an .exe file is run.

6. The worm is network aware, and it will enumerate the network resources to infect shared systems. If any are found, it will do the following:

• Attempt to copy itself to <Computer>\Recycled\Sirc32.exe
• Add the line "@win \recycled\sirc32.exe" to the file <Computer>\Autoexec.bat
• Copy <Computer>\Windows\Rundll32.exe to <Computer>\Windows\Run32.exe
• Replace <Computer>\Windows\rundll32.exe with C:\Recycled\Sirc32.exe
   

7. There is a 1 in 33 chance that the following actions will occur:

• The worm copies itself from C:\Recycled\Sirc32.exe to %Windows%\Scmx32.exe
• The worm copies itself as "Microsoft Internet Office.exe" to the folder referred to by the registry key
  
  HKEY_CURRENT_USER\Software\Microsoft\
  Windows\CurrentVersion\Explorer\
  Shell Folders\Startup
   

8. If this first payload activates, the file C:\recycled\Sircam.sys is created and filled with text until there is no remaining disk space. The text is one of two strings:

• [SirCam_2rp_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
  or
• [SirCam Version 1.0 Copyright ¬ 2000 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]
   

9. There is a 1 in 20 chance that on October 16th of any year, the worm will recursively delete all files and folders on the C drive:

This payload functions only on computers which use the date format D/M/Y (as opposed to M/D/Y or similar formats).

10. The worm contains its own SMTP server which is used for the email routine. It obtains email addresses through two different methods:

• It searches the folder that is referred to by the registry key
  
  HKEY_CURRENT_USER\Software\Microsoft\
  Windows\CurrentVersion\Explorer\
  Shell Folders\Startup\Cache
  
  for sho*., get*., hot*., *.htm files, and copies email addresses from there into the file %Windows%\sc??.dll (where ? is a random letter and number).
   
• It searches the entire drive for *.wab (all Windows Address Books) and copies addresses from there.
   

11. It searches the folders referred to by the registry keys

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Shell Folders\Startup\Personal

and

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Shell Folders\Startup\Desktop

for files of type .doc, .xls, .zip, and .exe. If it finds a match, the corresponding file will be appended to the worm's original executable and this new file will be sent as the email attachment.

12. After 8000 executions, the worm will stop running.

Removal instructions:

To remove this worm, you must:

• Delete any files detected as W32.Sircam.Worm@mm.
• Empty the Recycle bin to delete Sircam.sys (if it exists).
• Remove the entry that it made to the Autoexec.bat file
• Revert the change that it made to the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command

See the sections that follow for detailed instructions.

NOTE: If you are on a network, or have a full time connection to the Internet, disconnect the computer from the network and the Internet. Follow the removal procedure on all computers, including the server. Disable or password protect file sharing before reconnecting computers to the network or to the internet.


To remove the worm:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. Delete any files detected as W32.Sircam.Worm@mm.]

To empty the Recycle Bin:
Right-click on the Recycle Bin and then click Empty Recycle Bin. You can also use Windows Explorer to delete the file C:\recycled\Sircam.sys if it is present.

To edit the Autoexec.bat file:

1. Click Start, and click Run.
2. Type the following, and then click OK.

edit c:\autoexec.bat

The MS-DOS Editor opens.

3. Remove the line "@win \recycled\sirc32.exe" if it is present.
4. Click File and then click Save.
5. Exit the MS-DOS Editor

To edit the registry:
The worm modifies the registry such that an infected file is executed every time that you to run a .exe file. Follow these instructions to fix this.


Copy Regedit.exe to Regedit.com:
 

1. Do one of the following, depending on which operating system you are running:

• Windows 95/98 users: Click Start, point to Programs, and click MS-DOS Prompt.
• Windows NT/2000 users:

  1. Click Start, and click Run.
  2. Click Browse, and browse to the \Winnt\system32 folder.
  3. Double-click the Command.com file, and then click OK.

1. Type copy regedit.exe regedit.com and press Enter.
2. Type start regedit.com and press Enter.
3. Proceed to the section "To edit the registry and remove keys and changes made by the worm" only after you have accomplished the previous steps.

NOTE: This will open Registry Editor in front of the DOS window. After you finish editing the registry and have closed Registry Editor, close the DOS window.

To edit the registry and remove keys and changes made by the worm:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Please make sure you modify only the keys specified in this document. For more information about how to back up the registry, please read How to back up the Windows registry before proceeding with the following steps. If you are concerned that you cannot follow these steps correctly, then please do not proceed. Consult a computer technician for more information.
 

1. Navigate to and select the following key:

HKEY_CLASSES_ROOT\exefile\shell\open\command

CAUTION: The HKEY_CLASSES_ROOT key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure you browse all the way along this path until you reach the \command subkey.
Do not modify the HKEY_CLASSES_ROOT\.exe key.
Do modify the HKEY_CLASSES_ROOT\exefile\shell\open\command subkey that is shown in the following figure:


 

McAffee

McAfee.com - Virus Information Library

F-secure

F-Secure Computer Virus Information Pages Sircam

NAME:	Sircam
ALIAS:	I-Worm.Sircam, W32.Sircam, W32/SircCam

Sircam is a mass mailing worm about 150 kilobytes in size. When run it copies itself to 'c:\recycled\SirC32.exe' and as 'SCam32.exe' to the windows system directory. The 'SirC32.exe' is registered as default startup command for EXE files so it will run whenever an EXE file is run. The 'SCam32.exe' file is registered as a driver that makes sure it will be started when the system boots up.

The worm collects e-mail addresses from Windows Address Book and Temporary Internet Files to a file called 'scw1.dll' in the system directory.

Another file is then created by the worm. It contains a list of files with certain extensions (e.g. with .DOC, .ZIP, .JPG extensions) located in a user's 'My Documents' folder. Since quite often users keep their personal or company-related documents there, it means that the worm can send out confidential information.

Using its own SMTP engine the worm sends messages the addresses it found. One of the document files is selected from the list and appended to the worm's file. This file will be sent with double extension, for example .DOC.EXE, .ZIP.COM, .JPG.PIF, etc.

When a recipient opens this attachment, his system gets infected and then the included document is displayed. This way the worm's activity is disguised.

Messages sent by the worm look like this (english version):

 

 Subject: Document file name (without extension)
 From: [[email protected]]
 To: [[email protected]]

 Hi! How are you?
 I send you this file in order to have your advice
 See you later! Thanks

If language setting on the infected machine is spanish the worm sends a spanish version of the message:

 Subject: Document file name (without extension)
 From: [[email protected]]
 To: [[email protected]]

 Hola como estas ?

 Te mando este archivo para que me des tu punto de vista
 Nos vemos pronto, gracias.

The second sentence is randomly chosen from four variants.

The attached file has the name of the document the worm picked up from infected computer with double extension, for example filename.DOC.EXE, filename.ZIP.COM, filename.JPG.PIF, etc.

The worm can also spread trough Microsoft Network Shares. It checks all the share available to the infected machine. If there is a '\recycled' directory on the share it tries to infect. First copies itself to '\recycled', and tries to replace '\windows\rundll32.exe' with a copy of itself. The original 'rundll32.exe' is renamed to 'run32.exe'. After that an extra line is added to '\autoexec.bat':

'@win \recycled\SirC32.exe'.

Removal instructions:

If your system is infected with the worm first please download this REG file and install it (by double-clicking on it):

ftp://ftp.europe.f-secure.com/anti-virus/tools/sirc_dis.reg

This will remove the worm's reference from the EXE file startup key in the Registry.

Warning! The system might become unusable if the worm's file is deleted without modifying the EXE file startup key first.

After that the system can be safely disinfected with FSAV. If for some reason the worm's file can't be deleted from Windows (locked file), then you have to exit to pure DOS and delete the worm's file manually or use a DOS-based scanner (F-Prot for DOS for example).

If the workstation was infected trough a network share, the '\windows\run32.exe' file has to be renamed back to '\windows\rundll32.exe' after disinfection. Also the \recycled\SirC32.exe file has to be deleted and extra line in the 'autoexec.bat' should be removed.

[Analysis: Gergely Erdelyi, F-Secure Corp.; July 18th, 2001]

Sophos

Sophos virus analysis W32-Sircam-A

Trend Micro

This Trojan propagates via email using SMTP commands. It sends copies of itself to all addresses listed in an infected user's address book. It arrives in an email with a random subject line, and an attachment by the same name. It has no destructive payload.

Solution:
First, restore your system configurations through the registry. To do this:

1. In the Windows Start Menu, choose Run, type Regedit and then press Enter.
2. On the left panel, follow the path HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
   CurrentVersion\RunServices.
3. On the right panel, look for the registry value called Driver32.
4. Click this and press the Delete key.
5. On the left panel, follow the path HKEY_LOCAL_MACHINE\Software\SirCam.
6. Click SirCam and press the Delete key.
7. On the left panel, follow the path HKEY_CLASSES_ROOT\exefile\shell\open\command
8. On the right panel, right-click on the (Default) value, then choose Modify.
9. Change “C:\Recycled\SirC32.exe””%1”%*” to “%1” %*". Remove “C:\Recycled\SirC32.exe”.

It is important that steps 7 to 9 be followed before removing the Trojan file or else no executable file will be able to run. If the Trojan is deleted, REGEDIT is no longer accessible. Please rename regedit.exe to regedit.com then execute regedit. Then just follow the step 1-9.If the Trojan is not yet deleted, you can also use the tool fix_sircam.reg. This will remove the Trojan association from the registry.

Once the association is removed restart your system. Scan your system with Trend Micro antivirus and delete all files detected as TROJ_SIRCAM.A. To do this Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro’s free online virus scanner.

If you need further assistance with this solution, please send an email to [email protected].

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.

Details:
The worm arrives as an attachment to the following email:

Subject: (random subject line, with the same name as the attachment)
Message body: (The body could be either in Spanish or English)
Hi! How are you?

I send you this file in order to have your advice OR I hope you can help me with this file that I send OR I hope you like the file that I send you OR This is the file with the information that you ask for

See you later. Thanks

Attachment: (random filename, with the same name as the subject line)
IN SPANISH:

Hola como estas ?

Te mando este archivo para que me des tu punto de vista OR Espero me puedas ayudar con el archivo que te mando OR Espero te guste este archivo que te mando OR Este es el archivo con la informacion que me pediste

Nos vemos pronto, gracias.

The attachment contains a copy of the worm merged with a randomly chosen file from the sender's computer.

Upon execution, this worm copies itself to a SCam32.EXE in the System directory. It then splits merged files in the attachment and drops these to a SIRC32.EXE file and a <Original filename of the merged file> in the C:\Recycled folder.

To execute every bootup, it creates the below registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices\Driver32 = “C:\Windows\System\Scam32.exe”

It modifies the following registry entry:

HKEY_CLASSES_ROOT\exefile\shell\open\command = “”%1”%*”

to the following, to allow this Trojan to run whenever an .EXE file is executed:

HKEY_CLASSES_ROOT\exefile\shell\open\
command = “”C:\Recycled\SirC32.exe” ”%1”%*”

It also creates the following registry key, where it stores data:

HKEY_LOCAL_MACHINE\Software\SirCam

The below are the data it stores:

• FB1B - Contains the path and filename of the host program.
• FB1BA - Contains a URL to one of the mail (SMTP) server it uses.
• FB1BB - Contains an email address.
• FC0 - Contains the number of times, the worm file executed.
• FD1 - Contains the name of the worm with the extension.
• FD5 - Contains another URL to a mail (SMTP) server.

Central Command

Manually removing a infection from your computer can put your data at risk for damage that may or may not be recoverable. Central Command strongly recommends that you backup all of your data prior to attempting to remove an infection or repair any damage causes by a infection.


Details:
---------
Name: I-Worm.Sircam.A
Aliases: W32.Sircam.Worm@mm, W32/SirCam@mm
Type: Internet Worm (mass mailer)
Risk: Medium


Description:
--------------
I-Worm.Sircam.A is an Internet worm that is spreading itself through e-mail.

The worm arrives through e-mail in the following format:

Subject: (The subject line will be random)
Body: Hi! How are you?
See you later. Thanks
Attachment: (Same as Subject: line + containing a double extension, ie. COM.EXE)

*Note: It might be possible that it will contain additional text in the body of the message between the two lines listed above

When the user opens the attachment, the worm adds the following keys into the registry:

1.) HKCR\exefile\shell\open\command\Default = "c:\recycled\SirC32.exe" "%1" %*"
2.) HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32 = c:\windows\system\SCam32.exe

The first registry key enables the worm to copy the SirC32.exe file to the folder C:\Recycled\ which allows the worm to run after each *.exe file is executed. The second key stores the filename Scam32.exe into the C:\Windows\System folder, which allows the worm to execute automatically.

I-Worm.Sircam.A also uses its own special SMTP routine to send unsolicited email messages to those addresses obtained from a search within the Windows address book, as well as, from the users Temporary Internet folder.

If the virus happens to find a network shared directories, it will try to copy itself into the local Windows directory under the name rundll32.exe. The original file is renamed as run32.exe. If the worm succeeds, it will modify the autoexec.bat file by introducing a new line which will allow it to execute the file previously saved in the Windows directory.

As a “signature” the author added the following strings in the virus in an encrypted form:
[SirCam_2rP_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
[SirCam Version 1.0 Copyright 2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]


*There is also a duplicate of this worm in the Spanish language.

The body format of the Spanish e-mail message would contain the lines:
Hola coma estas ?
Nos vemos pronto, gracias


Removal Instructions:
---------------------
Step 1.) Delete all files being detected as I-Worm.Sircam.A, make sure that you also empty the Recycling bin as well

Step 2.) Make the needed modifications to the registry. Run the registry editor, this can be done by clicking the Windows Start button and selecting “Run”. Within the pop-up box type in “regedit”

Then, locate and the following keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices and delete the key Driver32 (which contains the value “%windows-system%\Scam32.exe”).

HKEY_CLASSES_ROOT\exefile\shell\open\command\(default)
HKEY_LOCAL_MACHINE \Software\Classes\exefile\shell\open\command\(default)
This key should be changed to the value ""%1"%*"

HKEY_LOCAL_MACHINE \Software\SirCam should be entirely deleted (all values contained within).

You can now close the registry.

Step 3.) Restart your computer.

Step 4.) Go back to the Windows Start button and select “Run”.again. This time type the word “command” and press enter. In the command prompt window type the following lines:

C:\> cd Recycled (hit enter)
C:\>Recycled> attrib –h sirc32.exe (hit enter)
C:\>Recycled> del sirc32.exe (hit enter)
C:\>Recycled> cd .. (hit enter)
C:\> cd Windows (hit enter)
C:\Windows\> attrib –h scam32.exe (hit enter)
C:\Windows\> del scam32.exe (type Exit)

To disinfect a networked computer infection, on the infected machine the file \windows\run32.exe should be renamed over the \windows\rundll32.exe (if they exist). Also, from the file autoexec.bat the following line must be deleted:
@win \Recycled\SirC32.exe and the file \Recycled\SirC32.exe should also be deleted

Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotes :  Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce :  Bernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS :  Programming Languages History : PL/1 : Simula 67 : C : History of GCC development :  Scripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month :  How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March 12, 2019