Postmaster Guidelines and Procedures

Viri

  Processing Virus Messages
Documentation and Tools:

Disinfect information for owners of virus-infected machines
http://www.itc.virginia.edu/desktop/vdisconnect/

Abuse-Virus Log
http://www.itc.virginia.edu/~upostmst/abuseVirus/

Virus Hot Topics
http://www.itc.virginia.edu/desktop/virus/

ARIN Whois
www.arin.net/tools/whois_help.html

Overview:

Examine the original message headers of a failed-mail notice, or the headers provided (if any) in a report about an infected machine, to determine whether the message originated within U.Va. or outside it, and whether the probable owner of the infected machine can be identified. Many mass-mailing viruses forge the From: address, so rely on the Received: from line added by our own mail relay (the one that records the connecting machine's IP address in brackets) rather than on the sender address.

Process for U.Va. virus-infected machines:

  • When an infected [failed mail] message is received from a U.Va. account or IP, or a report is made regarding a virus-infected message from a U.Va. IP.

Process for non-U.Va. virus-infected machines:

  • When an infected [failed mail] message is received from a non-U.Va. account or IP, or a report is made regarding a virus-infected message from a non-U.Va. IP.

Process for U.Va. ID connecting through a third-party ISP:

  • When an infected message is received from a U.Va. account connected through a third-party ISP.

Other virus details/info

Many virus-infected messages will be received as failed mail messages in the Postmaster Inbox. Please forward these messages to uabuse@virginia.edu.

Some of these will have tell-tale characteristics of known viruses in the subject line, message body, or attachment names and extensions. Some will be more difficult to discern and may need to be forwarded to Richard Berdel (berdel@virginia.edu) to test the attachment for viruses.

Note: write to Richard first letting him know that you would like to forward an attachment to him for virus detection.

It may be beneficial to read new virus alerts when they come out to acquaint yourself with the characteristics of new viruses as they may appear in a message.
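One way to run the attachment check described above over a message before deciding whether it needs to go to Richard, as an added example for this guide (not code from the Postmaster tools). The extension list and the sample message are constructed for illustration; extend the list from the current virus alerts:

```python
"""Flag attachments whose names carry tell-tale mass-mailer characteristics:
an executable extension, or a double extension such as .txt.pif that hides one.

Added example for this guide, not part of the Postmaster tools. The extension
list and the sample message below are constructed for illustration.
"""
import email

# Assumed list of extensions that mass mailers of the period favoured;
# extend it from the current virus alerts.
RISKY_EXTENSIONS = {"exe", "pif", "scr", "bat", "com", "cmd", "vbs", "js"}

# Constructed sample: a benign .txt beside a .txt.pif lure.
SAMPLE_MESSAGE = b"""\
From: someone@example.net
To: postmaster@virginia.edu
Subject: Re: your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

See attached.
--XYZ
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just notes
--XYZ
Content-Type: application/octet-stream; name="readme.txt.pif"
Content-Disposition: attachment; filename="readme.txt.pif"
Content-Transfer-Encoding: base64

TVo=
--XYZ--
"""


def attachment_findings(raw):
    """Return (filename, reason) for every attachment that looks suspicious."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # multipart container or inline body part
        labels = name.lower().split(".")
        ext = labels[-1] if len(labels) > 1 else ""
        if ext not in RISKY_EXTENSIONS:
            continue
        # "readme.txt.pif" shows a harmless-looking .txt while Windows runs the .pif
        reason = ("double extension hiding executable" if len(labels) > 2
                  else "executable extension")
        findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in attachment_findings(SAMPLE_MESSAGE):
        print(f"{name}: {reason}")
```

The check only looks at names, so an attachment with an innocent extension still needs the virus scan the guide describes; a match here is grounds to log the message without waiting for the scan.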

Some messages will come to us as reports of an infection or suspicious activity from individuals or outside entities to postmaster@virginia.edu or abuse@virginia.edu.

As of 1/8/03, the Lead-Abuse person will log and respond to all virus-related messages.

U.Va. Infection
Step 1:

Search the Abuse-Virus Log and/or the 2002 Abuse Log and/or the 2001-02 Virus Log for a previous report involving the IP or ID reported.

Step 2:

To better measure Abuse workload and number of incident reports we are receiving and handling,

  1. All unique reports/messages involving an IP address should be entered as separate entries in the log.
  2. Only one log entry should be used to track contact, disconnect, and reconnect dates. Add a note to the top of the Comments field for additional entries involving an IP address indicating which log number is being used to track an incident, such as "TRACKED UNDER 03010001".
Step 3:

For new virus log entries that include an owner ID, or where we have previously identified an owner for a given IP address,

  1. Enter the new entry into the Abuse-Virus log and categorize as "virus",
  2. Fill in the other fields for the record as available.
  3. Paste the relevant Received: from message headers into the Comments field,
  4. If the owner has not been previously contacted regarding a new incident, copy and paste the disinfect message and send to the person who has been identified as having a virus-infected machine, modifying as needed.
  5. Include your signature.
  6. Copy: vassist@virginia.edu.
  7. Send the message.

For new virus log entries where an owner ID has not yet been identified,

  1. Enter the new entry into the Abuse-Virus log and categorize as "virus",
  2. Fill in the other fields for the log record as available.

    Note: if no IP address is entered, the application will not generate the request to vassist for an owner ID.

  3. Paste the relevant Received: from virus-message headers (or pertinent log data) into the Comments field and Add the record.
  4. You will be prompted to click the Send Request button to generate a message (that includes the LogNumber and data in the IP address and Comments fields) to vassist@virginia.edu requesting an owner ID.

    If you choose not to use this option, you can always compose your own message to vassist later.

  5. Update the log entry with an owner ID when one has been provided from vassist.
  6. Copy and paste the generated disinfect message and send to the person who has been identified as having a virus-infected machine, modifying the content of the message as appropriate for the recipient.
  7. Include your signature.
  8. Copy: vassist@virginia.edu.
  9. Send the message.


Step 4:

Respond to a person reporting a virus with one of the following auto-messages, as seems appropriate:

  • virus/thanks
  • res/virus.headers
  • res/virus.noheaders

Modify the message (if needed), include your signature, and send the message.

Step 5:

Save the message/report and related correspondence to abuse/yymm/mbox.dd.

Who Responds

When a virus report is addressed to postmaster@virginia.edu, or a virus-related failed-mail notice arrives there:

As of 1/8/03, Lead-Abuse will log and respond to all virus reports/activity, even when a report is addressed to postmaster@virginia.edu.

Postmaster should forward virus messages to uabuse@virginia.edu for processing.

U.Va. via ISP

When the owner of an infected computer is identified as a U.Va. ID and the machine is connected to the internet via a third-party ISP...

  1. Compose a message to the owner of the machine and include the text from virus/uva.isp.
  2. Edit the message to include the Date, Time and IP Address from the virus-generated message.
  3. Copy vassist@virginia.edu.
  4. Sign and send the message.
  5. Follow the steps in the Not UVa process below to notify the ISP.
  6. Save the message and related correspondence to abuse/yymm/mbox.dd.
Disconnects

The Abuse-Virus Log program will auto-generate a report to uabuse@virginia.edu (and postmaster@virginia.edu) each morning around 8:30 a.m. indicating which machines in the database (with associated logNumbers) are due for disconnection.

The listed items in the report should be the same as those appearing on the Contacted page in the Abuse-Virus Log.

  1. Lead-Abuse should verify the entries in the report and send a message to vassist@virginia.edu requesting that Networks block the machine(s) in the report.

    *Please check the Contacted page in the Abuse-Virus log to review the comments for these cases to see if any items listed in the report should NOT be forwarded to vassist and remove these items from the list that is sent to vassist for disconnection.

    Important:
    the logNumber entries appearing on the Contacted page are the ones that should be updated with disconnect and/or resolution dates to avoid duplication of records for the same IP/situation in the disconnect table of the database!

    **Sometimes it is helpful to check Remedy to see if any of the owner IDs in the report have an existing case for the reported problem that is marked as Resolved. If so, these items should probably be removed from the list that is sent to vassist, as well. Some followup with the owner or Help Desk staff may be needed to confirm that the infected computer has indeed been secured. In these cases, Lead-Abuse should find the associated log entry on the Contacted page and enter a Resolution date for that record.

  2. Include as the Subject: ABUSE-VIRUS BLOCK(S) NEEDED (or something to that effect).
  3. When Networks blocks the machine(s), they will enter the current date into the Disconnect field of the Abuse-Virus Log.
  4. This action will generate two automated messages to a) the Help Desk and vassist@virginia.edu and b) the owner/contact (if available) that the machine has been disconnected from the network pending disinfection.
  5. Save the auto-generated report and related correspondence to abuse/yymm/mbox.dd and delete from the Inbox.

If Networks complains that there are too many blocks in place, the Lead-Abuse person on duty should write to abuse@virginia.edu to inquire as to how best to address the problem.

Resolutions

Disconnected machine process:

If a machine has been disconnected, a record for it will appear in the Disconnects page of the Abuse-Virus log showing a current disconnection.

When we receive a report from the owner of the infected machine, or from the Help Desk on behalf of the owner of the machine, that the machine has been disinfected and security measures have been implemented:

  1. Send a message to vassist@virginia.edu notifying them that the machine may be reconnected. Be sure to provide the Log Number under which a given situation is being Tracked so that the "right" record will be updated! This can be determined by checking the Disconnects page.
  2. When Networks unblocks the machine(s), they will enter the current date into the Resolution field of the Abuse-Virus Log.
  3. This action will generate two automated messages to a) the Help Desk and vassist@virginia.edu and b) the owner/contact that the machine has been reconnected.

Not-disconnected machine process:

If an owner/contact has been notified about a problem with their machine and it has not yet been disconnected, a "contact" record should be listed in the Contacted page of the Abuse-Virus log.

  1. When an owner/contact person responds that they have disinfected and/or secured their machine, update the associated record found on the Contacted page to enter a Resolution date for that record.
Not UVa

Identify the name or IP address of the ISP in the Received: from line in the headers of the infected message.

Example header: Received: from <snip> (user144.net059.va.sprint-hsd.net [208.33.157.144]) <snip>
In this example the reverse-DNS name points to Sprint, but the abuse contact for the network is abuse@earthlink.net. The hostname only suggests who is responsible; confirm the contact with an ARIN whois lookup on the IP address before sending the notification.

New not-U.Va. process (as of 1/8/03)

If full headers are available in the virus-generated message/report:

  1. Look up the contact information for the ISP responsible for the IP address found in the virus-infected message using:
    1. ARIN whois,
    2. the Help and Contact Info section of this Guide, or
    3. nslookup from a Unix prompt (the text after each prompt is what you type; the name you look up is the ISP's domain from the Received: from line, for example atgi.net):

      $ nslookup
      > set q=any
      > atgi.net

      The SOA record in the answer names a responsible mailbox for the zone (with the "@" written as a dot), and the MX records show who handles the domain's mail.

  2. Enter the report into the Abuse-Virus log. Be sure to:
    1. categorize the new record as "virus-notUVa",
    2. enter the IP address (or server name if no IP address is listed) found in the Received: from line of the virus-generated message,

      If no IP address or originating servername header is included, an auto-message will not be generated.

    3. if the message is addressed to postmaster or abuse (i.e. not reported by an individual), enter uabuse as the reporter in the Reported by field.
  3. Enter the ISP contact address in the web form that appears after adding the new record to the log.
  4. Paste the virus-generated full message headers into the Message Header field of the web form.
  5. Click Send Mail to generate a virus-notification message to the ISP contact address. A copy of the message will also be sent to uabuse and postmaster.
  6. Save the message to abuse/yymm/mbox.dd and delete from the Inbox.
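The header examination from the Overview and the ISP identification in this section share the same first step: walk the Received: chain, find the hop at which the message entered our relays, and read the connecting IP address and reverse-DNS name from that line. The following is an added example for this guide, not code from the Postmaster tools; it assumes (neither is stated in the guide) that U.Va. addresses fall in 128.143.0.0/16 and that our relays' hostnames end in .virginia.edu, and its sample headers are constructed (the outside hop reuses the sprint-hsd.net address from the example above):

```python
"""Find the hop at which a message entered our mail relays, classify the
originating address as U.Va. or not-U.Va., and list the lookups for the
Not UVa process.

Added example for this guide, not code from the Postmaster tools. The U.Va.
netblock and the relay hostname suffix are assumptions; change both to match
the real environment.
"""
import email
import ipaddress
import re
from email import policy

UVA_NETBLOCKS = [ipaddress.ip_network("128.143.0.0/16")]  # assumed; confirm with ARIN
OUR_RELAY_SUFFIX = ".virginia.edu"                         # assumed relay naming

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)

# Constructed sample. The outside hop reuses the guide's sprint-hsd.net
# example; the oldest line is a forgery that claims one of our relays, as
# virus-generated mail often carries invented headers.
SAMPLE_HEADERS = """\
Received: from relay.virginia.edu (relay.virginia.edu [128.143.0.10])
        by mailbox.virginia.edu (8.12.6/8.12.6) with ESMTP id h08Kf3Xn012345
        for <postmaster@virginia.edu>; Wed, 8 Jan 2003 15:41:03 -0500
Received: from user144.net059.va.sprint-hsd.net
        (user144.net059.va.sprint-hsd.net [208.33.157.144])
        by relay.virginia.edu (8.12.6/8.12.6) with SMTP id h08Kf1Xn012340;
        Wed, 8 Jan 2003 15:41:01 -0500
Received: from [10.1.2.3] by relay2.virginia.edu with SMTP; Wed, 8 Jan 2003 15:40:59 -0500
"""
# Constructed sample of a machine on our own network.
INTERNAL_HEADERS = """\
Received: from labpc17.virginia.edu (labpc17.virginia.edu [128.143.55.12])
        by relay.virginia.edu (8.12.6/8.12.6) with ESMTP id h08Lm2Xn013001;
        Wed, 8 Jan 2003 16:48:02 -0500
"""


def received_lines(headers_text):
    """Received: headers newest-first, each unfolded onto one line."""
    msg = email.message_from_string(headers_text, policy=policy.default)
    return [" ".join(str(v).split()) for v in msg.get_all("Received", [])]


def hop_parts(line):
    """Sending host, its reverse-DNS name, its IP and the receiving host of one hop."""
    m_from, m_by = FROM_RE.search(line), BY_RE.search(line)
    comment = (m_from.group(2) or "") if m_from else ""
    m_ip = IP_RE.search(comment) or IP_RE.search(line)
    return {
        "from_host": m_from.group(1) if m_from else None,
        "rdns": comment.split()[0] if comment and not comment.startswith("[") else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
    }


def entry_hop(headers_text):
    """Walk newest to oldest. A hop is trusted only if one of our relays wrote it
    AND the hop above says it received the message from that same relay; the
    last trusted hop is where the message entered, and older lines may be forged."""
    entry, prev_from = None, None
    for hop in (hop_parts(line) for line in received_lines(headers_text)):
        by = (hop["by"] or "").lower()
        if not by.endswith(OUR_RELAY_SUFFIX):
            break
        if prev_from is not None and prev_from.lower() != by:
            break  # chain broken: a line claiming our relay was not handed on by it
        entry, prev_from = hop, hop["from_host"]
    return entry


def triage(headers_text):
    """Classify the origin and list the lookups the Not UVa process needs."""
    hop = entry_hop(headers_text)
    if hop is None or hop["ip"] is None:
        return {"origin": "unknown", "ip": None, "rdns": None, "targets": []}
    addr = ipaddress.ip_address(hop["ip"])
    origin = "U.Va." if any(addr in net for net in UVA_NETBLOCKS) else "not-U.Va."
    targets = []
    if origin == "not-U.Va.":
        # ARIN is authoritative for the address; the reverse-DNS name only hints.
        targets.append(f"whois -h whois.arin.net {hop['ip']}")
        if hop["rdns"]:
            # Non-interactive form of the guide's "set q=any" lookup; taking the
            # last two labels is a simplification that misses TLDs such as .co.uk.
            domain = ".".join(hop["rdns"].rstrip(".").split(".")[-2:])
            targets.append(f"nslookup -type=any {domain}")
    return {"origin": origin, "ip": hop["ip"], "rdns": hop["rdns"], "targets": targets}


if __name__ == "__main__":
    for text in (SAMPLE_HEADERS, INTERNAL_HEADERS):
        print(triage(text))
```

For a failed-mail notice, paste the original message's headers from the bounce body, not the bounce's own headers. The chain check is what keeps the forged bottom line in the sample from being taken as the origin: it claims one of our relays, but the hop above it was received from the sprint-hsd.net host, not from relay2.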

If full headers are not provided in a virus report, but the message is believed to originate outside of UVa:

  1. Enter the report into the Abuse-Virus log and categorize as "virus-notUVa",
  2. Respond to the reporter with the message: res/virus.noheaders.
  3. Save the message to abuse/yymm/mbox.dd and delete from the Inbox.
Virus Assistance

The person covering Postmaster will be the first backup for Lead-Abuse in handling an overload of virus message processing.

If Lead-Abuse is also covering Postmaster and needs assistance processing virus messages, send a message to itc-pstmst@virginia.edu requesting a volunteer to help process virus messages.
