An interview with Johnny Cheng, one of Yui Kee's Anti-Virus Experts about a typical on-site support case.
Yui Kee Newsletter (YKN): What sort of company was this?
Johnny Cheng (JC): They are an electrical products manufacturing company, with a small office in Hong Kong (about 19 workstations and 3 servers) and a larger site in China.
YKN: Why did they need the service?
JC: They did not have any IT staff in Hong Kong. They were using a general Systems Integrator for IT support, but the SI was not up-to-speed on viruses. The company wanted a more professional service.
YKN: How did the situation develop?
JC: The company started getting complaints from their worldwide customers that they were sending infected email. They called the SI for help and the SI cleaned up the server. However, the infections did not stop. They installed a scanner on their Exchange Server, and found a lot of W32/Badtrans.B. Really, the SI was unable to deal with the overall problem.
YKN: What viruses and worms were there?
JC: Quite a lot: W95/CIH.1002, W32/QAZ, W32/Hybris, W32/Magistr.A@mm, W32/Sircam@mm, W32/Klez@mm, W95/Elkern, W32/Nimda.A, W32/Badtrans.B@mm and W97M/Class.
YKN: Why was their Anti-Virus Software not effective?
JC: Most machines had (a major AV brand) installed standalone, so that each user had to manually click for updates. One machine, which was a shared machine with a printer and OCR scanner attached, had that software installed, but it was not active. No one took care of that machine or had responsibility for it - it had the most viruses on it and it was probably the major route for spreading the viruses through the office. Another machine had a really old copy of (another major AV brand) installed, which had never been updated.
The anti-virus software was not faulty, but it will not provide good protection if it is not installed properly, and if it is never updated.
YKN: What about CIH, isn't that very destructive?
JC: Yes, on the 26th June, CIH overwrites part of the hard disk and tries to wipe the flash BIOS, causing serious data loss and a possible trip to the vendor for repair. That was on the shared machine, but it was just in a few files and not in memory. It would not activate and destroy anything as it was, but it would be an easy mistake for someone to click on it, allowing it to activate later. Someone could do that on another machine, across the network, if the applications are shared.
YKN: And Nimda?
JC: Nimda is a difficult one because it has multiple spreading mechanisms. The company had recently installed a Windows 2000 Server, but had not installed the security patches for IIS. They were OK for a week, and then Nimda infected the server.
YKN: What was the result of your service?
JC: First, I cleaned up all the viruses. In this sort of situation, where there is widespread infection, it is safest to scan all files. This is quite time-consuming, typically an hour per machine, although many machines can be scanned in parallel. Next, I updated, or installed, where necessary, the anti-virus software, making sure it was set for daily, scheduled updates of the virus definitions. Now, they all get updated automatically, during lunchtime. Overall, it took 8 hours, including solving some other minor problems the staff reported, such as intermittent hangs and printing problems.
YKN: What next?
JC: Now that their immediate problem is fixed, they are asking how they can be better protected in future. They need a better infrastructure, and efficiency could be improved. At the moment, each machine is getting the updates from the vendor's site independently. It would be better to download the update once, and distribute that internally, but I didn't have time to set that up. A managed service, such as YKScan, would be very suitable for them - they do not have the IT staff on site, so it is better to outsource the protection, where possible. Of course, the anti-virus software on their workstations and servers is still their final line of defence.
In their situation, this on-site service was necessary, but it is better and cheaper if the whole problem can be avoided in future by having the proper protection in place.