back to article IT guy checks to see if PC is virus-free, with virus-ridden USB stick

Welcome again to On-Call, our weekly therapy session for readers who need to share terrible memories of jobs gone horribly, horribly, wrong. This week, meet “Dirk” who we imagine is carrying quite an emotional load because he's witnessed some horrors created by truly dull-witted users. Take, for example, the crew his IT team …

  1. Dr Scrum Master
    Mushroom

    Dirk works at an Iranian nuclear lab?

    1. Floydian Slip
      Coat

      Does Dirk wear white sox?

      Shameless 70's reference to Adam and the Ants - https://www.youtube.com/watch?v=_cGGiEo3qAc

      It's on the 7" single in my pocket

  2. Anonymous South African Coward Bronze badge

    Ahh, cryptolocker.

    Had an user once whose son managed to infect her laptop. Then tried to clean it up, and made it only worse.

    Over a weekend.

    Come monday, said user arrived at work, and despite the clear warning on her laptop's monitor (encrypted files, ransom etc etc) she plugged her laptop into the LAN.

    Luckily I enforced some rigorous security practices (such as segregation of data between departments) so her department was the only one affected.

    A quick delete and restore, and her department's data was restored. Not so her laptop. I tried to uninstall/remove crytpolocker, then decided to toss the whole hard drive, get a new one and install Windows from scratch rather.

    1. Solarflare

      Any point in hoping that she got any sort of disciplinary or even a talking to?

      1. Anonymous Coward
        Anonymous Coward

        Punishment? Yeah, right!

        What happens in some places if

        (1) A manager is stupid enough to get themselves deliberately infected with malware, or

        (2) A manager demands admin rights on his laptop, turns off all security (including passwords) and prompt loses it?

        If you said "They get fired", I'd like to know what drugs you're on.

        If you said "They get a bollocking", I'd like to know how many units of alcohol you consume per day.

        If you said "They just get a shiny new laptop", I'll sympathise with you.

        1. Anonymous Custard
          Trollface

          Re: Punishment? Yeah, right!

          Or if you said "They get promoted so that there's someone below them who can filter out the worst of their idiocy and it takes them away from dealing with customers" then you're obviously a colleague of mine...

        2. Anonymous Coward
          Anonymous Coward

          Re: Punishment? Yeah, right!

          "If you said "They get a bollocking", I'd like to know how many units of alcohol you consume per day."

          At that point 1 unit, however I found this to be a very career limiting manoeuvre (even though said user, took company data home on a usb stick, worked on company data on a machine with no AV, demanded the USB stick be unblocked after the AV had a panic and spammed us).

          Anon for obvious reasons

    2. lansalot

      seriously??

      you tossed the whole drive?

      Back to school for you !

      1. herman

        Re: seriously??

        Hmm, should have sold the infected disk on Ebay...

      2. Anonymous Coward
        Anonymous Coward

        Re: seriously??

        "you tossed the whole drive? Back to school for you !"

        I might do the same if things were proving troublesome. Drives are cheap, my time isn't.

        1. P. Lee

          Re: seriously??

          PXE-boot lan segment to re-image? Surely faster than replacing the drive?

      3. Ilsa Loving

        Re: seriously??

        If the malware in question hid itself in the boot sector somehow and you couldn't tell for absolute certain that you got rid of it, it's not necessarily a bad option. Hard drives cost peanuts compared to the time spent by people.

        1. Kiwi
          Linux

          Re: seriously??

          If the malware in question hid itself in the boot sector somehow and you couldn't tell for absolute certain that you got rid of it, it's not necessarily a bad option. Hard drives cost peanuts compared to the time spent by people.

          Must be great to work in a massive coporate with a ton of spare IT cash.

          For many SMBs, HD's are quite expensive still - at least here in NZ (where you're looking at $NZ80-100 for a cheap 1Tb laptop drive, maybe under $150 for a 2tb Desktop (I don't have the spare funds for drive space atm so not looking at prices).

          Is there any way a virus could survive creating a new partition table on the drive? (assuming of course you're using a *nix machine or suitable boot disk). Takes seconds to create a new partition layout.

          1. the hatter

            Re: seriously??

            And how does that NZ$80-120 compare to your hourly rate, given that trying to disinfect and verify it's gone is something you can spend a long time on ? Even in a small company if you can show the person with the chequebook that it's clearly saving money, they should either scare up the cash, or you should look to find somewhere who will be able to pay the next payroll.

            Also, yes, the possibility of the drive firmware being tampered with by a virus is now non-zero, so nothing you do through the SATA interface can be trusted absolutely, including reflashing the drive's firmware.

            1. Kiwi

              Re: seriously??

              And how does that NZ$80-120 compare to your hourly rate, given that trying to disinfect and verify it's gone is something you can spend a long time on ?

              Since you're going to be re-imaging the machine anyway, the time is actually nil. It takes moments to re-write the partition table, and unless you wish to go to the effort of running recovery tools, creating a new table effectively wipes all data on the drive.

              Even in a small company if you can show the person with the chequebook that it's clearly saving money, they should either scare up the cash, or you should look to find somewhere who will be able to pay the next payroll.

              Seems you picked an appropriate name, since you seem to be quite mad. Do you know what "SMB" is? Well, most commonly they're <u>SMALL</u> businesses of 1-5 people, though I'm not sure what qualifies as "medium". As such, they often have only one person involved anyway. How is that person going to complain to whoever handles the payroll, stand in front of a mirror?

              As to quitting a perfectly good job because they won't buy a new HDD when the old is perfectly OK, do you not know what the job markets are like for most of the world especially IT these days?

              You might need to spend some time elsewhere - like in the real world for example - before you speak to much on such subjects.

              Also, yes, the possibility of the drive firmware being tampered with by a virus is now non-zero, so nothing you do through the SATA interface can be trusted absolutely, including reflashing the drive's firmware.

              Given that, and your statement that the drive should be replaced because you cannot trust it once it's had an infection, how often do you think we should replace the drives? Hourly? Every 10 minutes? As soon as they're flashed they're untrustworthy? Because there's no way of knowing if a drive is OK after all. Maybe the manufacturer has an as-yet undiscovered issue. Maybe there's something somewhere else on my network that I haven't yet spotted (I don't have the time to be hunting it and as you say I cannot be sure even when I really am sure)? Maybe someone infected a HDD at MS and their updates are now malware [no comments on the obvious redundancy!]? Maybe some new (or old) driveby in a popular website that is yet undetected - perhaps just reading this comment you've stumbled on a drive-by infecting El Reg that has now infected your drive's firmware. Better replace it just in case.

              Or is my over-stressed coffee-lacking day taking it's toll on me today?

          2. Dajve_Bloke
            Pint

            Re: seriously??

            If you're looking at putting terabyte drives in laptops or desktops I would respectfully say you're doing it wrong. The amount of storage in a local machine should be big enough for the OS, and a few spare gig for when the user can't be connected to the mothership and needs to bugger about on some word docs and administrivia.

            Give the users multi tera locally and they'll fill it with stuff, that isn't properly backed up and you're only storing up problems for yourself.

            Have yourself a netBeer anyway, it's a long fucking way until POETS day.

    3. Baldy50

      True!

      A cleanup job on a PC can take way longer than a re-install, it's the gazillion of updates you know the useless user ain't going to do after sorting the machine out that P's me right off.

      Noticed updates are far more frequent than ever now! Ubuntu base and pretty much anything installed, even progs not even on the approved repository.

      OK, it might slow your machine down for a bit but, you guys/gals know the score, do the updates as soon as possible, they just keep on clicking 'Later'.

      Dban it? Toss the drive! Only if it was a needed upgrade, size/speed etc, a friend couldn't believe it when I just snapped the drive platter in front of him, thought they were metal.

      1. big_D Silver badge

        Re: True! @Baldy50

        We use standard images. A new PC is up and running (with all standard software installed) and fully patched in an hour or so. The images are re-done every few months, so that only a handful of patches need to be applied, once the image has been copied onto the PC.

        The old HD goes in the cupboard and waits to see if a decrypter tool becomes available at some point.

    4. d3vy

      " then decided to toss the whole hard drive, get a new one and install Windows from scratch rather."

      Just the hard drive? You should have incinerated the whole laptop just to be sure...

      1. Anonymous Coward
        Anonymous Coward

        Prefer Exterminatus myself. That stuff can be nasty...

    5. Anonymous Coward
      Anonymous Coward

      At one IT company, the directors had their own NAS, IT wasn't allowed any access and it wasn't allowed in the backup process, because the admins might be able to see what data was on the NAS through the backups.

      Paranoia? You bet!

      So, one director accidentally clicks on a cryptolocker email... Luckily all of the production drives were intact, but it gobbled his hard drive and the directors only NAS...

      1. RAMChYLD
        WTF?

        > Paranoia? You bet!

        More than that, it sounds shady.

        You sure said director isn't embezzling money or selling company secrets? Personal equipment like that shouldn't be allowed on company network.

  3. macjules

    Let me guess ..

    He works for TalkTalk? Or possibly Sports Direct?

    1. Dabooka

      Re: Let me guess ..

      Tesco Bank? Yahoo?

      Keep 'em coming folks!

      1. Triggerfish

        Re: Let me guess ..

        Might as well just link to companies house companies list. :D

  4. GlenP Silver badge

    Not work but...

    I acquired a less than year old decent Dell laptop from a friend. He'd managed to acquire malware, then the people he took it to managed to add plenty more. He gave up, bought a new one and I got the old one. It still took me nearly a day to actually get to the point where I could wipe and low level format the HD (prices as they are now I'd just trash it, they weren't so cheap then). Fortunately no networks were involved but if he'd talked to me first I could have saved him a lot of money. The laptop did a couple of years service for me then a few more for another friend!

    1. foxyshadis

      Re: Not work but...

      Once you see how bad it is, it's a lot easier to just boot it up with a usb/cd of the new OS, clear partitions, and start fresh. Fighting for control is a lost cause.

      1. rhydian

        Re: Not work but...

        Back in my younger days I'd always try and "rescue" a near-dead Windows install rather than nuke from orbit, but these days unless there's some vital software where the user doesn't have the install media or licence keys any more its a case of erase and rebuild. The only offputting issue is the number of windows updates a new PC needs...

        1. psychonaut

          Re: Not work but...

          image takes 7 minutes via a usb 3 caddy, netowrk a little longer . nuke it from orbit. quicker and safer

        2. jason 7

          Re: Not work but...

          Yeah rebuild from scratch is the best option but as you say, so many customers have that "special" edition of Adobe Creative suite or some work software that the license key is nowhere to be found and that isnt an option.

          Not to mention the idiots that don't connect to an Exchange server but for some reason have a over complex and huge Outlook setup with 90GB of mail across 9 accounts of which half haven't got the password to hand anymore.

          I have almost screamed in some users faces when they pull the old "well why should I know all this stuff?" -

          "YOU HAVE TO TAKE RESPONSIBILITY FOR SOME OF THIS FFS!"

          1. soaklord

            Re: Not work but...

            I disagree. I ran the North American customer support team for a top 5 antivirus company for years and we got to the point where we could extract the malware 100% of the time. This then meant we had a sample for analysis to improve the product. If you just format and move on, you haven't done anything to increase your overall security, you have removed a symptom not a problem. Users will be users. If you instead get the AV company you trust to protect the computer involved and get them a sample of the infection, you are likely to increase the security of all your users by default. Of course, the company I worked for offered free support for customers and we worked hard to get a sample on every infected computer we worked on.

            1. Anonymous Coward
              Anonymous Coward

              Re: Not work but... (@soaklord)

              Sorry, you lost me at "the AV company you trust".

              Tolerate, maybe. Consider a marginally-acceptable compromise between a. just installing several pieces of malware to save time and b. underclocking the CPU to about 2Hz to simulate the performance still available while running AV, sure. Monitor closely to ensure the latest update didn't go straight to "b", insist on an Adobe or JRE install as a drive-by during updates, or open a massive attack surface in the AV suite itself, absolutely.

              Granted, a few of these don't apply to a centrally-managed corporate AV platform, but if that's all you have to deal with, congratulations.

              Trust is earned. I think the term you're looking for is "disgust". Very close pronunciation, I can see the confusion.

      2. GlenP Silver badge

        Re: Not work but...

        Trouble was somewhere along the line it had disabled the startup options, the delay was being able to get it to boot from a CD!

    2. Anonymous Coward
      Anonymous Coward

      Re: Not work but...

      Yank hard drive, usb to sata adapter to a linux box. Low level format.

      It's not hard nor time consuming. How the hell can that take you a day?

      I seriously want to know.

      1. Alan Brown Silver badge

        Re: Not work but...

        "Yank hard drive, usb to sata adapter to a linux box. Low level format."

        Not all laptops have easily accessible hard drives, even these days. :/

        1. Anonymous Coward
          Anonymous Coward

          Re: Not work but...

          "Not all laptops have easily accessible hard drives, even these days"

          True, but Ive never come across a laptop that takes more than an hour to completely dissemble...

          1. Kiwi
            Coat

            Re: Not work but...

            True, but Ive never come across a laptop that takes more than an hour to completely dissemble...

            Even faster with a decent axe. Much more satisfying too.

            Though, a functional re-assembly may be a bit harder and take a hell of a lot longer. Then again, the person who can re-assemble a laptop after axe-based disassembly will have a hugely satisfying result. And something bordering on God-like powers. Or at least patience.

        2. jelabarre59

          Re: Not work but...

          Not all laptops have easily accessible hard drives, even these days. :/

          Exactly. The in-laws gave my wife their old laptop, and I would have just pulled their HDD and put in a fresh one to to a clean install, except Dell decided to insert it into a wormhole somewhere in the bowels of the machine. Decided it was quicker to rsync the entire drive to a USB external (even at USB 2.0 speed) than to try to dismantle the sucker.

        3. Kiwi

          Re: Not work but...

          Not all laptops have easily accessible hard drives, even especially these days. :/

          FTFY

    3. Anonymous Coward
      Anonymous Coward

      Re: Not work but...

      "It still took me nearly a day to actually get to the point where I could wipe and low level format the HD"

      Wow just wow, it takes a day to boot from a clean boot device and to low level format the drive, this wasn't a 8086 laptop was it?

    4. d3vy

      Re: Not work but...

      "It still took me nearly a day to actually get to the point where I could wipe and low level format the HD"

      Steps required :

      * Boot from linux bootable CD/USB

      * Format drive

      Which part of that took the most time?

      1. Andy A

        Re: Not work but...

        You've obviously never come across the variant of UEFI Secure Boot used by some manufacturers where the only OS in the "allowed" database is the one installed on the HDD as shipped - usually Windows 8.

        It can be a bugger to get round.

      2. The IT Ghost

        Re: Not work but...

        In fairness, poster did say that the startup options had been disabled. So booting from a CD/USB may have required some...persuasion.

        Haven't run across the "disable startup options" trick yet, only seen the Gen I and II ransomwares thus far. And one scareware that merely claimed the files were encrypted and hoped for panic payment.

      3. Anonymous Coward
        Anonymous Coward

        Re: Not work but...

        "Which part of that took the most time?"

        * Boot from linux bootable CD/USB

        There are so many brain dead UEFI systems out there that will boot and boot and boot into windows before you can finally get them to go into setup to change the boot option, a couple i've only been able to change by going through the windows recovery options. I am seeing less of this these days (ya!)

      4. Anonymous Coward
        Anonymous Coward

        Re: Not work but...

        In the OP's defense I would like to cite the Toshiba Satellite Pro, which tends to throw a major league hissy fit and prevent access to the BIOS menu when it sees something it doesn't like. I know this because I just spent a few hours trying to get to the BIOS to reinstall Windows on a new HDD. No more Toshibas are now permitted in the Ajob household.

        1. Anonymous Coward
          Anonymous Coward

          Re: Not work but...

          C650D with Phenom 2, running 10 x64 (went out and bought a 7 x64 key just to make sure)

          Only good thing is that it is airgapped thanks to the SD reader not working.

          Has anyone here managed to put 8GB or more of RAM please, as I want to use it for DL.

  5. mr_souter_Working

    a certain Scottish Council

    a few months ago, 3 times in the space of 2 weeks, same sets of users each time, despite organisation wide emails advising them not to open the attachments, not to make the PDF that suddenly opened in Word a trusted file, and not to enable the macros in that file.............. cryptolocker variant emailed in (the mail filter was seemingly unable to block it, and the proxy was unable to stop the download of the malware payload). after the second time, they listened to me and we imposed file level filtering to prevent the creation of the encrypted files. the third time, all that happened was a single computer was infected, which was promptly rebuilt. i've since left to join a different company, where the internal IT and the project management explains oh so many things.........................................

    1. Halfmad

      Re: a certain Scottish Council

      and I bet if I submit and FOI asking about cryptolocker to them they've never had an infection..

    2. phuzz Silver badge

      Re: a certain Scottish Council

      You can use Group Policy to disable all macros in Office.

      Sure, Bob in accounts will be upset because the single Excel 97 spreadsheet that he uses for his custom reports uses all manner of ill advised macros in order to produce a report that nobody even looks at any more, but fuck Bob.

      1. d3vy

        Re: a certain Scottish Council

        @phuzz

        "but fuck bob"

        At least give him a reach around too.

  6. Anonymous Coward
    Anonymous Coward

    I use to work as a tech in the education department

    I was once sent to a primary school because the Headteacher had critical documents on her laptop and she could no longer access them - obviously no backup on the server because *sigh* "she wanted to ensure the documents were kept confidential" anyway that's a side point. A little background - she's one of the better headteachers to deal with, relaxed, an easy smile and frankly she's easy on the eye. Now before anyone throws around "sexist pigdog" at me, the females in the department use to play rock/paper/scissors when deciding who got the jobs with some of our computing teachers (yes seriously!) so everyone had their favourites.

    At 9am on Monday morning I'm sat in her office whilst she goes to cover one of the classes, I fire the laptop up with a linux live CD, start browsing the user folders and within moments realise it's riddled with adware, there are shortcuts for porn sites all over the place, basically it's a complete state. I grab her documents off the desktop and onto a portable usb drive, check the contents of folders - yup more porn links and the occasional clip (that I'll probably keep and look at later - come on guys we all do it)

    When she comes back in I've already re-imaged the PC and am in the process of scanning the documents with an updated AV product etc. Nothing else found. Then I ask the obvious - Did she let anyone else use her PC at the weekend?

    No

    Are you sure?

    Yes, I live alone, why?

    and that's me sweating, how to explain to a very attractive woman, in her mid 40 that her porn browsing habits got her machine riddled with viruses, adware and PUPs?

    I quickly explain the AV was out of date and scarper, like a true IT professional.

    1. Anonymous Coward
      Anonymous Coward

      Re: I use to work as a tech in the education department

      "and that's me sweating, how to explain to a very attractive woman, in her mid 40 that her porn browsing habits got her machine riddled with viruses, adware and PUPs?"

      If my home connection is every put under detailed scrutiny I am going to have a hard time explaining some of the material that gets accessed. Some things just aren't going to be believed when you say "It wasn't me, it was my wife"...and I'm not easily shocked.

    2. HmmmYes

      Re: I use to work as a tech in the education department

      To be honest, the adware and porn adware seem to come from all sites.

      And email.

      She could be entirely innocent.

      I really dont know why people still bother with Windows.

      1. Anonymous Coward
        Anonymous Coward

        Re: I use to work as a tech in the education department

        Alternatives? Linux - in many cases people are confused by which one to go for and not aware of the plethora of reviews etc online.

        Mac - Some people love it, others hate it. Personally I'm a bit of both as someone who spent years fixing them.

        Whether we like it or not Windows is the most commonly supported OS, in my time in IT (work in IT security now) linux simply wasn't used by most IT staff. Even these days I know 80%+ my own IT department have probably never so much as booted off a linux live CD.

        End users typically are dictated to, either by the "must procure via IT" route or simply by the virtue of getting no support at all if they don't toe the line.

    3. Anonymous Coward
      Anonymous Coward

      Re: I use to work as a tech in the education department

      screw that, have a quick squizz, make sure there is nothing really wrong, then propose marriage!

      1. Scott 53

        Re: I use to work as a tech in the education department

        "have a quick squizz"

        You might want to consult urbandictionary before giving that advice again

    4. Alan Brown Silver badge

      Re: I use to work as a tech in the education department

      "and that's me sweating, how to explain to a very attractive woman, in her mid 40 that her porn browsing habits got her machine riddled with viruses, adware and PUPs?"

      If she's browsing porn sites then you don't need to be sweating it.

      Been there, done that, had a chat about how lots of them are trojan horses and if you're going to spend time trawling these sites you need to use scriptblockers etc etc.

      People are people. As long as you don't play "prude" it's relatively easy.

      I get more flak for my lectures to people who've been told not to open XYZ attachments and do it anyway or disable the antivirus that's wraning the file is infected "because it might contain something important" (in one case, twice). Such people go to the end of the queue. Once it's clear that they don't listen, the lesson usually only sinks in if they get a large bill or maximum inconvenience.

      Some people really don't like being told they're the reason that 30 other staff can't do any work at an effective cost of £1000 per person per day.

      As for C-level staff or other manglement: Form a good relationship with the company accountant and/or finances dept. When this kind of thing happens, have a chat and explain the costs/inconvenience/losses. You'd be amazed how fast they can school the most stubborn lusers.

      1. psychonaut

        Re: I use to work as a tech in the education department

        she was looking at trojan horse porn? marry her now!

    5. JimboSmith Silver badge

      Re: I use to work as a tech in the education department

      I worked for a company where we ended up infected by one of those outlook loving viruses that spread by just opening the email. So after someone had opened an infected email sent by someone they knew and trusted (who had also been infected) it spread like wildfire through the office because everyone opening one was then emailing everyone else with it. It got sent to everyone at the parent company as well which made us popular. The only good news on that front was they were using Novel Groupwise at the time and that meant it didn't affect them. So IT support basically said everyone down tools please and leave your computers on. Some people used the time to have meetings, some went out for an early lunch, some went to the pub (my team), some went to sleep etc.

      By the end of the day the IT support staff have worked from one end of the office to the other cleaning the infected machines and removing all traces of this thing. Fast forward a few months and we've got a summer intern in the building doing some work. We'd set up an account years ago for the use of the interns whilst they were there so that they didn't have to have have one with their names attached. They were also told no personal email (less chance of smut or viruses) on that as it will be used by other people after they've left. So first day of new intern and there's a small induction session including fire procedures, evacuation routes and general health & safety stuff etc. That ended at 11am and it wasn't five minutes later after they've opened their email that the familiar messages start popping into peoples mailboxes. They'd cleaned all the machines but not all the mailboxes. Someone who'd worked out what would happen next made a break for the pub at the sight of the first mail appearing. He was very disappointed when he was called back before he could order the first pint. No one was now dumb enough (oh alright someone else had but it had only got their machine) to open the emails and it was dealt with swiftly.

    6. Anonymous Coward
      Anonymous Coward

      Re: I use to work as a tech in the education department

      I know someone who visits such sites because 'Er Indoors' actually travels a lot for business so he has free time on his hands so to speak and no sweet loving for many days at a time. I suggested that he bought himself a second hand Android tablet cheaply and consumes that way to safeguard the home computer. If the tablet is infected there's no major problems as it wasn't very expensive and easily replaceable. He's disabled the cameras (again at my suggestion) with some black electrical tape so no chance of being snapped by a malicious download. He also doesn't tell his wife about the existence of that tablet!

      1. Anonymous Coward
        Anonymous Coward

        Re: I use to work as a tech in the education department

        Brilliantly a family member suggested I go round and have a look at a computer belonging to a friend of a friend back in the days of dial up. The lady I met told me she was concerned that her (son 10-11yrs old from memory) was viewing porn on the family computer. She'd discounted her daughter so it had to be her son. She told me that she'd clicked on Internet Explorer one morning and found it was still open and there was a topless woman on the website offering a tour of the site.

        She wanted proof it was him so she could confront and scold her male offspring. Well whoever it was doing this was smutty surfing was deleting the browser history and there was only IE on the machine. So digging a bit deeper I looked at the .dat file and was surprised to find that there was only one smutty site surfed before 9pm and only one page. After nine however there was tons of them covering a "broad range" of interests.

        I asked when the son went to bed and he was never up past 8pm so wasn't him. The daughter stayed up later but not past 9pm so I told her that she could discount the kids. Her daughter came in to use the computer and admitted that she'd clicked on an altavista link days earlier that had looked innocuous but wasn't. I said she would need to talk to whoever used the computer after the children had gone to bed. She said "Oh I wish you could be here when my husband gets home he's going to get such a bollocking." I then had to explain how she could present this discovery to her nearest and dearest so that he couldn't get out of it. We also did a virus scan and thankfully it was clean.

    7. Montreal Sean

      Re: I use to work as a tech in the education department

      Porn links eh?

      Head teacher? Fnar fnar.

  7. Anonymous Coward
    Anonymous Coward

    First days of a new job

    This was 1998, new job. So far, I never had worked on a Windows PC, only various Unix workstations ... I of course hated (still today) Windows.

    3rd day of this new job, my Win98 PC got infected by a virus, which knocked out the AV. One day lost due to that. Feck you, Windows.

  8. EddieD

    Petards.

    Back in the 80s I shared a flat with a guy doing PhD on computer viruses. He took a floppy down to the Atari lab to copy some software for our own machine, and managed to infect the entire lab with a virus.

    The lab manager was very unimpressed.

    Ah well, at least we got given some good anti-virus software and he got material for his thesis.

    1. The IT Ghost

      Re: Petards.

      Not a virus, but IT fellow at a place where I was contracting had come up with a plan...insert a DVD that had just enough on it to boot the machine, format the C: drive, link up to the network and pull down the a disc image (This was the mid 90s, this was pretty clever by the standards of the time). Infected desktop? Pop the disc in, reboot, and watch the magic.

      He gets everyone gathered for his big demo. Hooks his laptop to a projector, adjust the image just so, pops the desktop imaging disc in, reboots...and at about 2% of the format, goes int a blind panic realizing the desktop image disc didn't have the network drivers for his laptop.

      Oops.

      Unfortunately, he hadn't gotten around to working on the laptop imaging project yet, so did was stuck doing his recovery the hard way.

  9. chivo243 Silver badge
    Facepalm

    NImda and Kleez

    Had the both on an NT4 network at the same time... disconnected every host from the network, ran the clean scripts from floppy, connected all hosts again, and BAM back to square one... third time worked a charm.

    1. POKE 649,0

      Re: NImda and Kleez

      aaah Nimda... getting all nostalgic here.

      Also remember Blaster/Welchia virus when I worked at a large UK based PC Retailer in their "PC Clinic"... As soon as you switched a new XP PC on and put it on the internet straight out of the box it would pick up Blaster.

      Couple of cases of Crypto here recently which we managed to defeat... But the biggest outbreak I've witnessed here was Pinkslip back in 2011 I think. That was caused by a USB stick being plugged into a laptop Down Under and it managed to screw up lots of stuff globally. That went on for weeks.

      Going back to my retail days though I did love a good virus infection tbh, and used to enjoy manual removals. Used to set our AV...F-Prot back then to detect only and was a great learning experience rifling through the OS.

      Aaah the good old days!!!

      1. d3vy

        Re: NImda and Kleez

        "Also remember Blaster/Welchia virus when I worked at a large UK "

        Yeah, Similar story - phone support - trying to talk users through downloading the hotfix whilst having a command prompt open ready to type "SHUTDOWN -A" repeatedly was hilarious.

        1. Sandtitz Silver badge
          Happy

          Re: NImda and Kleez @d3vy

          "Yeah, Similar story - phone support - trying to talk users through downloading the hotfix whilst having a command prompt open ready to type "SHUTDOWN -A" repeatedly was hilarious."

          That would have been the extra hard way of doing things.

          I just instructed users to turn on the built-in firewall in XP.

    2. onceuponatime

      Re: NImda and Kleez

      I got bored and reloaded my desktop back in the blaster days. Decided to see how long it would take it to get infected (since at that point I knew how to remove it manually) and it took approximately 23 seconds on a 56k dial up connection. I was impressed and at the time amused. Took 5 minutes to clean but still. :)

  10. Anonymous Coward
    Anonymous Coward

    Been there, done that!

    Was given a floppy disk to install a remote monitoring client on company PC's and part way through someone complained of a non bootable machine. Continued with task and then several more were in that position. Retraced steps and yup, all had the monitoring client installed. Didn't take long to realise the disk had previously been infected and not formatted before use (though formatting may not have made a difference).

  11. Chris King
    Facepalm

    Some men just want to watch the world burn...

    I once had to deal with an infected laptop, where the user knew a download was likely to be infected (cracked software), but he still wanted to see what happened if he clicked on it anyway.

    He'd also turned off the AV because (his words) "it got in my way".

    Icon says it all.

    1. DropBear

      Re: Some men just want to watch the world burn...

      To be fair, they totally DO get in one's way; to the point where I didn't even bother installing any of them on my current system - the mere thought of the incessant HDD thrashing every time I move the mouse was driving me insane. I'm still looking for anything that's strictly ___on demand only___ and isn't Malwarebytes or ClamAV but there just isn't anything else that will actually refrain from "shielding" my system in 127 different ways worming their way into everything from unskippable boot scans to network filtering to host files to proxying mail, active 24/7 even when everything is nominally off. Ad blocking (and not clicking on stupid stuff) worked so far, but I'm looking to sidestep to Mint soon anyway and I do have working long-term backups.

    2. Moosh

      Re: Some men just want to watch the world burn...

      The vast majority of cracks flag false positives on anti-virus softwares. I've never had a single issue with cracks, and each one triggered the anti virus.

      Then again, I only used highly rated torrents from private trackers.

      1. imaginarynumber

        Re: Some men just want to watch the world burn...

        "The vast majority of cracks flag false positives on anti-virus softwares. I've never had a single issue with cracks, and each one triggered the anti virus."

        Agreed.

        I suspect that Adobe/MS/whoever pay the AV firms to flag crack and serial number generators as being malware.

        Much like they refused to flag and remove the porn/gambling related Micro Bill System hi-jackware. In the early days, the AV vendors were worried that flagging it would result in them being sued by MBS (AKA Platte Media).

        From memory, the only off the shelf AV package that would remove MBS was the paid for version of Prevx.

  12. Anonymous Coward
    Anonymous Coward

    Just yesterday..

    Just yesterday.. user sends in a suspect email to the help desk. Bright spark n00b IT helpdesk employee decides to download the ZIP attachment, expand it, then double-click on the attached HTML file. Boom.

    As it happens, it had some difficulty working out the payload. Helpdesk guy nicely side-stepped a whole load of analysis by just opening the damned file.

  13. Alien8n

    Floppy disks

    We had an engineer at a previous company who managed to infect the network after putting the floppy disk she'd kept from University into her PC.

  14. DNTP

    It's going to be a bad day...

    ...when the first email you see Monday morning is an innocuous little thing from the director, asking "I have a file I can't open on my personal laptop, the extension is .osiris."

    Hey, if they want to pay me for a couple of easy hours to do a nuke, reinstall, and backup restore, instead of my more difficult actual job... they're the management.

    1. onceuponatime

      Re: It's going to be a bad day...

      Queue every 30 minutes (if you are lucky) from the secretary: "Is it done yet? MR Boss really needs his computer!"

  15. Anonymous Coward
    Anonymous Coward

    No problems here

    I worked in the Philippines when the ILOVEYOU "virus" hit. It originated there and was more of a cunning mindhack than the originators could have imagined. SOOO many single women HOPING the boss secretly had the hots for them. And then it went global. At least it was just a nuisance and not something deadly. Days of innocence!

    We had strict policies against password sharing, and one CXO who thought, rightly, as it turned out, that he could do whatever he liked. Network scans found file-sharing software installed by his son on his laptop TWICE (Limewire etc.) He got away with it both times, despite fairly serious penalties for more junior people for policy breaches, because the CEO couldn't understand it and didn't want to deal with it. If you're a big enough jerk you can get away with things because others don't want to pick a fight. It applies on the boards of banks too (see: RBS).

    1. tiggity Silver badge

      Re: No problems here

      Ah, ILY

      I remember a place I worked and a programmer being stupid enough to open that.

      Caused great amusement as he was a rabid Christian.

      Rest of us could not decide on most likely reason he had opened it:

      a) That's the sort of happy clappy type messages evangelical god botherers send each other

      b) He secretly wanted a bit on the side

      c) He was just stupid

      d) Roll your own combinations of the above

      1. allthecoolshortnamesweretaken

        Re: No problems here

        b) + c)

  16. 2Fat2Bald

    I've worked in a place (several years back) where they had a strictly enforced security policy. If IT reported someone for doing something against the rules, they got fired. No ifs, buts, maybes or excuses. The rules were sensible things like not using personal email on work computers, no USB devices and so on. When there was a virus infection we had to write a report, apportioning blame where necessary. The company realised that the information was their lifeblood and if some daft git brought their personal computer into the office, plugged it in and it infected the network the loss of time, confidence, and money could be far worse than stuff for which you'd expect to be fired (like torching the building). Everyone watched a video on this on the first day, and signed a piece of paper agreeing to the policy. IT were given some discretion on whether to offer advice or report stuff - depending on how egregious and intentional the transgression was.

    You know how often we did this? - virtually never. Because people knew it wasn't worth the risk. Seeing one-or-two colleagues a year (of several thousand) marched out of the building by security made sure people didn't take the mick. If IT came down and said "Look - you can't plug that into your computer" - they listened. Breaking the rules wasn't a "silly computer thing", it was your job. And a friendly warning from IT was sure to be listened to as the next one would be from Security and rather less friendly.

    Even quite senior managers respected security protocols and used to come to IT to ask advice and permission before doing things that might impact network security. Sometimes the answer was no, but more often it was "Yes" or "Yes, but you need to do it like this..." or "Oh, we know a much better way of this this - let me show you".

  17. Anonymous Coward
    Anonymous Coward

    Not a new problem

    I remember, back in the day, I was working for a company known usually by a 3-letter acronym, when our department received (from a client usually known by a 4-letter acronym) a CD-ROM whose contents consisted almost entirely of malware. Despite the proper and prominent labelling on the CD, my boss had put it into his machine and I spotted him reading from a file with the name READ-THIS-OR-DIE.doc . I had to ask him whether he had browsed any other file on the CD-ROM, and then I had to suggest that doing so would be a very bad idea...

  18. Anonymous Coward
    Anonymous Coward

    SCADA infecting the office LAN

    I had the opposite problem to the OP with SCADA. I was doing some fault finding on a substation control system and had to collect logs of the servers (running a mutilated version of XP). When I put the USB stick into my work laptop back in the office the AV software had a panic attack (no virus actually ran). Shortly followed by an incoming call from the IT security people.

    On closer investigation it turned out all the substation control PCs had viruses and a few even had keygens and cracks that were used in the commissioning/construction process by the OEM. And these were supplied from a VERY well-known vendor that did the construction in a first-world country. Linux-based AV boot-CDs and HDD imaging tools saved the day.

    And to add insult to the injury the OEM specifically said there would be no warranty if AV was installed on the server because it tended to break the unorthodox mangled version of XP they used (they somehow trapped Ctrl-Alt-Del, and it would only work if logged into SCADA with admin rights).

    [Anon since the substations are still up and running ... goodness knows how]

  19. Conundrum1885

    Re. Nuke and Pave

    I have resorted to such extreme measures before, because there really *are* horrors which are some unholy hybrid of such magnitude that they can survive even a zerofill (tried it from DOS boot disk even) and manifest as consistent patterns of slow (50msec) sectors when doing a diagnostic read.

    Conclusion: this has to be the nastiest malware EVER because just putting it in my previously working test machine hosed the BIOS and eventually caused vertical lines and a total memory failure (tm)

    that didn't work even when RAM, CPU and every other removable part was changed :-( :-(

    I've also had a variant of this eat pendrives, possibly the same malware because the affected units blink and flicker their status LED almost in an organic pattern.

    All of them use the same chipset (PL23xx) and possibly this happened at the factory because they never worked right.

    Removing the Flash chips made no difference so its clearly in the controller, if anyone wants them please PM me. (darnstadium)

  20. Conundrum1885

    Ironically

    It seems to be self inflicted: someone evidently read my Wikipedia edits about (hack) and wrote a virus to destroy any machines with the vulnerability mentioned.

    Pretty funny really, nothing of value was lost and I learned a valuable lesson.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like