Tuesday, August 10, 2004

Virus fun

Yesterday, our users started getting e-mails with a subject line of "price". This, of course, was a new virus: Trojan.StartPage.G. But, since I work for a bank, a lot of users could conceivably receive an e-mail for a price on something with an attachment.

If they practiced safe computing and deleted the e-mails that came without human-speak in the body of the message, it wouldn't be a big deal but, as with many users, the previous e-mails from Customer Outreach advising them of this technique went unread and people opened them.

One saving grace is that The Bank uses Lotus Notes for their e-mail. In my five years of watching viruses coming through our e-mail program I have never seen one successfully hijack the Notes Address Book. Microsoft Outlook might spread its legs wide and say "Rape me with your trojans and worms" but, so far, Notes has been resistant.

Of course, we still get an increasing call volume at the Help Desk from users who tried to open the attachment. Their machines are still infected. I have to open a ticket to send to Second Level Support.

About an hour into yesterday's virus festivities, I got a call from K** in Notes Support. She was letting us know there was a problem. "Of course we know. We're the first to find out when users do things they shouldn't." She speculated that the virus was hijacking the user's personal address book and I said that I doubted it. She looked at the header information for a number of e-mails and they all said VWALL, which meant it was all coming from outside. Customer Outreach was being informed and they would be sending an e-mail out to all users warning them not to open the previous infected e-mail. Of course, this was going to be a futile exercise because by the time the user reads the message saying "Don't open the previous 'price' e-mail", they have already opened said e-mail and infected their PC.

But this was occurring near the end of the day so not only was it time for me to go home but most of the users had gone home as well. The real joy was going to be Tuesday morning.

There was a queue as soon as I logged into the phone with all the expected virus issues. Again, because Notes wasn't propagating this virus, it wasn't as bad as it could have been but, as with all our previous virus days, we started running into an additional problem: definitions.

The Bank has its system set up to automatically update the user's virus definitions when they become available. Users don't even have to go through the server's login script.

At least, that's how it's supposed to work.

As with every virus outbreak we've had, troubleshooting reveals that a number of PCs do not get their definitions updated as they should. So far today I have opened over a dozen tickets for users who not only opened the e-mail and infected their machine but whose definitions hadn't been updating as they should. Some for as long as a year and a half (since their machines were installed). Technical Services has a website that users can access to download the latest definitions and update them manually, but "page cannot be displayed" messages were accompanying that attempt.

Open a ticket for Second Level Support to go on site and not only update the definitions and disinfect the machine but also find out why the PC hadn't been getting the latest definitions in over a year.

It's a good thing Notes is as resistant as it is.

As of noon I have taken 42 calls, which is about the number I get on a normal day. 3.5 hours to go.

Oh, and another thing. . . .

Most of this is somewhat "normal". What one would expect with a virus issue. What I didn't like to deal with was receiving a message from the Help Desk Managers saying: "Try to refrain from using 'virus' in the tickets." So, what's really going on is an effort to skew the documentation of the events away from it being an actual virus issue. As if not using the word "virus" will make it not a virus issue.

"Also, if anyone asks for any information about what is being done or how widespread the issue is, politely explain to them that support is working on the issue and will probably provide an update at a later time."

So, here Management is specifically telling us to obfuscate and dodge the users' direct questions. To essentially lie.

Sorry, guys. I'm not going to lie to these people. When they have been waiting on hold for 15 minutes and CNN is reporting a widespread virus issue, most users are smart enough to put two and two together.