Recovery

A virus infection can have a massive effect on your business. Recent infections (including the notorious NIMDA, 'I Love You', Code Red and BugBear viruses) have cost millions of pounds to manage.

Use this section to find out:

• What are the signs of a virus infection?
• 5 Steps to Recovery

What are the signs of a virus infection?

Before any recovery process can begin, you need to recognise that a virus infection has occurred.

There are some basic signs to look out for. Some viruses are very obvious, to the extent that they actually tell you they've infected your machine. Others are much more subtle in their approach.

Some of the most common signs are detailed below. If you notice any of these on your system, don't panic! Many signs can have other causes. They should not be regarded as definitive proof of infection, but as a warning that further checks should be made.

Some common signs of a virus infection include:

• Your system slows down. This can be especially noticeable if your machine is connected to a network
• You see activity on your machine that you did not cause. For example, a disc drive light may flash unexpectedly
• If you are running an internal e-mail server, you may find that this becomes overloaded or slows down
• Data files become corrupt or go missing. Sometimes, popular programs such as Microsoft Word or Excel will display a message advising that your file is not in the correct format
• Unexpected changes in the content of your files

If you suspect you have a virus....

Use your virus defence software to diagnose the problem and ascertain what your system has been infected by. If necessary, contact your software vendor for hands-on advice. If you do have a virus, stay calm and start the recovery process

5 Steps to Recovery

If a virus has infected your system, there are five basic steps for recovery:

1  Tell everyone who needs to know
2  Eradicate the virus
3  Organise a clean-up operation
4  Make sure there are no re-infections
5  Manage outgoing e-mail traffic during the crisis

Step 1: Tell everyone who needs to know

If the virus is spread through e-mail, tell everyone who has ane-mail account on the infected system about it as quickly as you can. Use all methods available to inform people about the problem. For example:

• Put warning posters on all entrances and exits to company offices in the event of an attack
• Send out SMS messages to staff mobile phones

The above methods are especially useful if the initial attack has happened overnight, as e-mail users may open the malicious e-mail before opening any warning sent by e-mail!

• Send an e-mail to everyone on the system. If there is a specific file attachment that contains the malicious virus program, name it, and be very clear that opening the file could have drastic consequences

Step 2: Eradicate the Virus

Having done all that you can to warn everyone about the virus, you need to remove it as soon as possible.

1  Before you do anything else:
 - Disconnect your computer from any networks
 - Disconnect any modems
 - Disconnect any other external connections

2  Use your virus defence software to scan all discs and files on the computer. Check any resulting reports with care. Remember to scan all discs that have been in contact with your computer

3  If your virus defence software is out of date or non-existent, a whole host of fixes and patches are available from the Internet. A basic search on the virus name will usually serve as a good starting point to track them downIf you are prevented from running your virus defence software because of the virus infection, use an alternative method such as running from the installation discs or CD

4  Contact your virus defence software supplier either by telephone or the Internet, for specific advice on the virus. Follow instructions to the letter and if in doubt, ask!

5  If the disinfection fails, contact your virus defence software supplier. They may request sample files for analysis, and be able to offer further advice.

Step 3: Organise a clean-up operation

Any clean-up operation should be planned and systematic:

• Contain the spread of the virus by quarantining infected machines or systems from the rest of the network
• Do not reconnect machines to the network until the virus is cleared
• Do not reconnect your network to external systems until the virus is cleared
• If possible, check virus bulletin boards from virus defence software vendors. They often post quick fixes, or fix pending notices
• When the relevant fix is available, run it on all infected machines
• Check that the virus has not spread to servers - if it has, clean these
• If possible, clean all other desktop workstations. Symptoms are not always immediately obvious so even if a machine is not displaying signs of the virus, you should still clean it

Following these steps should clean the entire network of the virus, and minimise the possibility of infecting other systems.

Step 4: Make sure there are no re-infections

Make sure that everybody knows:

• What to do
• What not to do

Maintain emergency security measures until:

• The clean-up is complete
• Additional patches are in place to prevent infection

Take stock:

• Ensure that the latest virus definitions and software patches are implemented throughout the system
• Install these definitions and patches manually on all infected computers

Step 5: Manage outgoing e-mail traffic during the crisis

Use whatever facilities you have to prevent transfer of the virus via e-mail. There is always a danger of this happening accidentally, but it can also be done maliciously.You might even consider closing down the outgoing mail service.