Saturday, June 19, 2004
My home PC had the flu ;-)
For the past two weeks our (my sister's actually) home PC has been down with the flu and the doctor (Norton Anti-virus) seems to be out of town (unavailable).
My home PC is a HP Pavilion t530i (with Windows XP HE) and has Norton Anti-virus 2004 pre-installed on it. Suddenly my sister observed that when she would connect to the internet (yes, we still use dial-up using the modem connection here, in India), she would get an error for lsass.exe process. Her first encounter with an Extra-terrestrial! Just kidding, a PC virus.
Later in the evening after coming back from work, she mentioned it to me. And we tried to figure it out. However, given that after connecting to the internet the PC would shut down, we could not achieve much from the same machine. As a resort, we used another PC to get more details regarding this from the internet. We found out that a virus exploited some vulnerability in lsass.exe causing the machine to shut down in a minute.
Symantec security response indicated that our PC was infected with the 'Sasser' virus. It contained explicit clear steps to ensure that you would remain connected to the internet and those helped. After following those steps we were able to increase the shutdown time to nearly 2:30 hours. Well, we needed that much time (to update the virus definitions and download the fix Sasser tool) given that the speeds for dial-up are 3 kbps. No, I am not kidding now.
We finally managed to get rid of Sasser by running the fix tool given by the Norton folks and re-booted the machine. Just to find that the next time we would connect to the internet we could not access the security response pages from Symantec from our home PC (we had earlier used another machine). Also, we observed that we could not run regedit.exe (it used to start all right, but the window would just vanish in a couple of minutes). Again the PC was infected and the doctor was nowhere to be seen. Yes, I was not able to start Norton anti-virus, same behavior as regedit. (bad luck, no live update, no scan :( ).
I was wondering if IE on my PC was now infected since it would not allow me to visit the Symantec site. However, all other sites (like www.google.com) would work. Actually none of the anti-virus sites were available.
We were unable to figure out what had infected our system.
Today, finally I found the following link in one of the desperate searches done on google.com
http://www.experts-exchange.com/Security/Win_Security/Q_20935886.html
[Cannot access any Anti-virus websites, live updates etc.]
Boy, was I glad to find that there was some expert opinion available on the issue we were facing. I quickly checked the 'hosts' file and found offending entries like:
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
Obviously this meant that IE was not infected; the address resolution resolved the address for these sites to my machine :) My machine never runs the webserver for Symantec corporation and hence my browser was returning 'Page cannot be displayed'. Nice trick, I should have guessed it before. Of course, virus writers want to achieve the most with little coding. By simply modifying the 'hosts' file, they had managed to fool me into thinking that IE was infected.
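The hosts-file trick above is easy to check for. The following is an added example (not code from the original post): it parses hosts-file text and flags any entry that points a security vendor's update host at the loopback address, or at 0.0.0.0 which some variants use for the same purpose. The sample hosts content and the watched domain list are constructed for the example.

```python
import ipaddress

# Constructed sample, modelled on the entries found on the infected PC
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
192.0.2.10 intranet.example   # constructed benign entry, not loopback
"""

# Assumption: vendor domains a defender wants to see resolve normally
WATCHED_DOMAINS = ("symantec.com", "norton.com", "mcafee.com")


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def is_loopback_or_blackhole(ip):
    """True for 127.x.x.x / ::1 and for the unspecified address 0.0.0.0."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_suspicious(text, domains=WATCHED_DOMAINS):
    """Entries mapping a watched vendor host to loopback/black-hole."""
    hits = []
    for ip, name in parse_hosts(text):
        watched = any(name == d or name.endswith("." + d) for d in domains)
        if name != "localhost" and watched and is_loopback_or_blackhole(ip):
            hits.append((ip, name))
    return hits


if __name__ == "__main__":
    for ip, name in find_suspicious(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```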
Now I started looking for any files in my %SYSTEM% folder that were executables and had recent time stamps. I found the following files had recent time stamps:
wnetlogin.exe
cool.exe
supu.exe
etc...
Another quick search on google revealed that these are potential viruses, namely W32.Donk.R. I had cleaned up the 'hosts' file and that allowed me to visit the Symantec security response pages by now. However, Norton anti-virus still would not start and hence no live-update. The security page for W32.Donk.R (link below) described the registry keys updated by the virus
http://www.symantec.com.br/avcenter/venc/data/w32.donk.r.html
After the registry entries were cleaned up and another reboot we finally got Norton Antivirus to run. Hooray!
Just to find that our subscription to live-update had expired. Well, we renewed it and finally gave our PC an antibiotic and pain-killer for the much needed relief :)
Hush, finally the doctor is back in town and patients are recovering already :)
Labels: virus
Tuesday, June 08, 2004
Be observant and sensitive in the workplace...
It is really important for a manager to be observant and watchful. S/he should have an eye that captures relevant details from any situation.
I do not mean that the manager should do policing. Well, you might say that in some cases it is necessary/a must. Yes, let me put it delicately that you need to "micro-manage". That reminds me of a line from the book 'Good to Great' by Jim Collins: if you need to micro-manage a person, you have made a hiring mistake.
Agreed, we all need to micro-manage at times. Steering back to my original point, it is important for the manager to be observant.
Labels: management
Monday, June 07, 2004
Another hard day at work squashing bugs.
It was truly an interesting day at work today. I had not been able to reproduce one of the software bugs assigned to me and today, just two days prior to beta, the bug springs back to life!
At this stage the bug seems to be some creature, like the ones shown in the movie Men In Black. And it's back in action.
The problem used to surface only when we ran our component on ports less than 1024 on Solaris. I am sure it would have helped if I had known the scenario earlier (any moron knows that ports less than 1k are reserved on Unix flavours). Then I found another race condition in our component. The race condition issue was another bug in incubation. I am sure it was waiting for the right time to strike. However, it was luckily discovered earlier (rather than at the customer's end to make things worse).
These events resulted in the day stretching into the night at the office. But, I think I have things under control and should be able to squash the bugs out of the repository tomorrow :)
Lessons learned:
- From the port related bug, just because you could not reproduce it, does not mean it does not exist!
- From the race condition issue, you can never be too careful while writing multi-threaded programs :)
I really appreciate the multi-threading debugging support in VC7. One can freeze/thaw/switch active threads on the click of a button. How I wish good old gdb (5.3) on Solaris would support the same...
I know it's no piece of cake writing a debugger. For a wonderful explanation of what is involved, read 'Debugging Applications' by John Robbins.
Good night and sweet dreams my best friend the Debugger :)
Labels: programming, software engineering
Saturday, June 05, 2004
3 easy steps done .... blog ready for use
That's exactly what it took (following the 3 easy steps) for creating my blog. Well, I would like to write more but I have got scrambled eggs waiting for me on the dining table with family :)
More later ....