Computer Virus Disinfection in Nebula

Topics on this page

What is a virus, and how does it spread?
What you need to know (and do)
What happened to my attachment, and how do I get it back?
Removing viruses

What is a virus, and how does it spread?

There is some excellent information at the UW Technology Protecting your computer from viruses" page. A virus's most common "vector of infection" currently is via an email attachment. Viruses rely on a user to spread: opening the infected attachment actually runs the virus program. The virus then sends itself to other computers (usually by emailing itself to any email addresses found on the host computer). It can also:

Disable any antivirus software that's running.
Damage and delete files on the available drives of the host computer.
Send information to web servers or install software to distribute other files (including copyrighted material). Often, this behavior can overwhelm computer networks.
Record keystrokes or steal sensitive data such as passwords.

This behavior is different from a worm, which can spread itself across a computer network, or a trojan, which is used to break into a host computer.

What you need to know (and do)

Do not open unknown attachments, ever, even if they profess to be from Microsoft, a UW entity, or some kind-hearted soul who wants you to open the attachment to clean your infected system!
Leave your system on 24/7, so it receives virus updates regularly.
Use Ctrl-Alt-Del and choose "Log Off" at the end of your shift each day. When you log in at the beginning of the next shift, you ensure that you have the latest patches installed.
Any email claiming that you have a virus should be ignored, including those coming from campus sources. The only exception is if it's from an individual Nebula support person, and even that will never have a legitimate attachment. For more fun reading on this, see the UW Technology pages on "Who sent this email using my computer or UWNet ID?" and "What should I do about notices of email viruses?"
Do not delete files from your system based on an email message, and do not re-send such messages to others. Check the Nebula Hoax page for more information.
The most reliable source of information about a virus infection will come from your computer's McAfee program. If this tells you that you have a virus, do notify Nebula Support.

What happened to my attachment, and how do I get it back?

There are a variety of strategies to keep users from opening attachments accidentally. One such strategy is what UW has done recently: strip possibly problematic attachments from all email. The signifier of "problematic" that we've chosen is file name extension. These are the three characters that follow the filename of typical documents. The original intention behind file extensions was to tie files to particular programs. This gave you an easy way to launch the appropriate program: anything ending in .DOC opens MS Word; .XLS opens Excel, .ZIP opens a decompressor program. Unfortunately, this "auto-open" means the virus' damaging programming can be started just by clicking on it.

The current list of attachments that are being stripped is found on the UW Technology Alerts page. For more information about handling attachments, please see the Handling Attachments page.

Removing Viruses

Most viruses can be detected and removed using virus detection software such as McAfee VirusScan. In Nebula, we configure this package to be loaded at startup and watch for any signs of viruses. If McAfee VirusScan detects a virus in a file you're working with, it will notify you and give you some basic instructions on what to do next. You can also check the list below for instructions on dealing with some of the more pervasive virus infections. If you get a virus, you should always notify the person who gave you the file, by telephone if possible, so they can get rid of it on their computer, too.

If you are not sure if your computer is virus-free, try removing a virus from the hard disk as described below.

Shut down your machine, then start it up and log in; this ensures you have the latest virus update files on your system.
Choose Start - Programs - Network Associates - VirusScan to begin a virus scan on your computer.
In the box labeled "Scan in", make sure the drive you wish to search for viruses is selected, typically C:. If it isn't, click "Browse" and choose the right drive (and folder, if desired). Do not scan the I:\groups or H: drives; they are scanned regularly by the engineers.
Note that the "Include subfolders" checkbox should be selected, so Viruscan looks through all subdirectories of the location you've chosen.
Note also that by default only program files are scanned; this includes Word and Excel document files. If you wish to scan all files, click the "All files" radio button.
Click "Scan Now" to start the search.
If a virus is found, click on the file name and choose Clean Infected Files.
If Viruscan reports that it cannot clean a file, close the box and restart your computer. Then repeat the scan. If Viruscan repeats the report, contact Nebula Support. If possible, use the Nebula Support icon on your desktop; this will include other information about your system that may help to solve the problem.
Remember, don't respond to an email telling you that you have a virus. It's either a hoax (in which case you just get more spam now that they know your address is valid), or a response to an infected message that only looks like it came from you--the latest viruses disguise their "From" addresses.

Please send email to nebula-support at cac.washington.edu if you have questions about whether a virus has been removed, or you are unable to clean a file which is labeled infected by the anti-virus software.