Thanks Leonard.. u r so....... cool....  ;-)))

-----Original Message-----
From: Leonard Lee [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 21, 2002 8:44 AM
To: NT 2000 Discussions
Subject: RE: Affected by Virus


If you like that two liner, then you'll probably like the full blown
version. I wrote it up while consulting for a bank.  They got hit by the
original ExploreZip virus.  I responded to it in much the same manner as
outlined below.  The VP was impressed enough for me to have to write it out
and the IT team adopt it as their plan of action on responding to Virus
incidents.

I wrote it in such a way that you can use it as a check list.  The idea here
is that under an attack, you don't have much time to think.  In these
situations it would be nice to have a list such as below...you just go thru
it sequentially...and assign items to other network administrators.

Any additions, improvements...please repost...as there are always ways to
improve plans.

Enjoy, and hope it will help in your response to your next virus incident.


-------------
Proposed action item check list for the handling of virus incidents.

1.      Determine the nature of the infection:
* Ordinary Virus, Macro Virus, Worm, Trojan Horse
* How did we get infected: Email attachment, Workstation or Server, etc.
* Determine how serious this is by the number of people who will be
affected. Any attack which propagates itself rapidly through the company
systems, whether debilitating or not, should be classified as serious.

2.      Inform Management on the nature of infection: {list of names here}
* One person will inform management
* Another person will continue the job of virus infection analysis and
containment
* In any serious attack, the users must be notified at the earliest possible
opportunity. If the Help Desk is present, this notice should go out through
them. If this is at a time when the Help desk is not present, this
notification should go out from the Network Administration group. The notice
should inform users:
  * That we are under attack
  * How to identify the attack
  * Whether the attack will cause damage
  * What facilities will not be available during the attack, and clean up.
  * What they should do.
  * Who they should call if they need more information, or we need
information from them.

3.      Determine the extent of infection
* Approximate time of introduction to the system
* Which systems are infected

4.      Develop containment Plan of Action
* How do we disable the infection
* How do we contain the infection
* How do we remove the infection

5.      Contain the Virus
* Isolate infected system from network

6.      Update management with the following details:
* Nature of the infection (more detail than 1st report)
* Extent of the infection
* Infrastructure impact
* Services Unavailable
* ETA for service resumption
* Advise Help desk manager on handling client issues that will arise from
this incident.


Lastly, a few pointers:

And remember...do not panic. Keep a cool head.
Get a team member's help asap and take 2 - 3 minutes to think things through
initially.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Carine Lim,
Sr.SystEng, SCSM/NSB
Sent: Wednesday, March 20, 2002 7:04 PM
To: NT 2000 Discussions
Subject: RE: Affected by Virus


Thank you guys....... Martin Blackstone's solution did help......  Leonard's
suggestion very good too...

Thanks again..

Cheers
Carine

-----Original Message-----
From: Leonard Lee [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 20, 2002 9:02 PM
To: NT 2000 Discussions
Subject: RE: Affected by Virus


1. Isolate the infected systems from the production network, i.e. unplug
them from the network.
2. Clean the virus by installing antivirus software, or scan the system from
another workstation with antivirus software installed.



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Carine Lim,
Sr.SystEng, SCSM/NSB
Sent: Tuesday, March 19, 2002 10:27 PM
To: NT 2000 Discussions
Subject: Affected by Virus


Dear Everyone,

One of my Windows 2000 servers (terminal server was installed too) is
affected by a virus. The virus is 32.funlove.4099 and I think other worm
viruses have also affected it. The thing is this server does not have any
antivirus program installed. So.. may I know what is the best way to remove
the virus, and then I can install the Norton antivirus onto it.. Please help..............

TIA



Carine


************************************************************************
Safeguard your company with cost-effective disaster recovery
services. Find out more at :-
http://www.scs.com.my/memComInfo.shtml#crc
************************************************************************



------
You are subscribed as [EMAIL PROTECTED]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to %%email.unsub%%

