Be ready to react when an e-mail virus strikes

One of the most common ways for organizations to suffer a virus attack is via e-mail. Since the Melissa virus first raised the issue on a large scale in March 1999, e-mail viruses have grown in "popularity." If one hasn't struck your organization yet, it probably will soon. What you need is a strategy to react and minimize the disruption. To help you follow the appropriate steps for recovering from an e-mail virus infection, we've put together an e-mail virus attack checklist, which you can download for free.

Don't panic
As soon as you notice something odd and virus-like going on in your e-mail system, it's tempting to reach over and pull the network cable out of the e-mail server to prevent any virus from getting loose. Although that might be an emotionally satisfying reaction, it's not one that best minimizes the impact of an e-mail virus attack.

The best way to deal with an e-mail virus outbreak is to take a measured, step-by-step approach. Some of the things you should do include the following:

• Identify the problem.
• Communicate with end users.
• Stop the virus.
• Clean up the mess.
• Perform a postmortem.
• Prepare for the next attack.

Identify the problem
E-mail viruses can take three forms: viruses, worms, and Trojans. Knowing what kind of virus you're dealing with will help you figure out the severity. Also, don't forget that some virus warnings are actually hoaxes. Make sure that you're dealing with an actual virus before you go into firefighting mode.

Once you know that you're dealing with an actual virus, find out where it came from. If you can, find out who e-mailed it and who in the organization got the e-mail first. This will help you warn the people that your organization deals with that they may be facing an attack. You may also be able to find out how they handled the attack to get some clues to help solve the problem.

Remember that different e-mail systems are affected by different viruses. For example, a virus that reacts one way on Outlook/Exchange may not affect GroupWise and GroupWise clients. Do some research to learn how the virus you're facing affects the e-mail system you're using.

You should also know what virus scanner is running on both your e-mail server and your clients, in case you need emergency updates. Check with the virus protection maker to see whether it has provided a patch for the virus you've been hit by and whether you need to obtain updates or patches.

Communicate with end users
Let users know there's an e-mail virus attacking the network, but do so in a manner that doesn't cause panic. If need be, use instant messages or phone calls for notification. In a small organization, you may be able to deliver the warnings in person.

Find out who has been infected with the virus and who hasn't. It may help identify the source or the virus and how it's spreading in your organization.

Stop the virus
If the virus is spreading fast, you may need to immediately disconnect your e-mail server from the network. Some viruses propagate from client workstation to client workstation. If many clients are affected, you may need to bring down the whole network. The fastest way to do so may be by just shutting down hubs, switches, and routers in your organization. Of course, you should warn users before doing this.

If you haven't recently obtained virus signature updates for the server, do so immediately using a machine that hasn't been infected. You may also need to download any special cleaning utilities the vendor has. After you have the utilities, apply and run them.

Clean up the mess
Run the updated virus scanner or utilities you've downloaded against the mail server and any affected workstations. You may need to use a utility like IISScan or ExMerge from Microsoft to physically delete infected messages.

Some viruses also damage user mailboxes. Make sure you have backups handy to recover the mailboxes.

You may need to completely reinstall the operating system, applications, and e-mail clients on client workstations. Make sure you have backups handy for those as well.

Perform a post-mortem
After you've dealt with the attack and have things back to normal, go over your notes. When you're not in the middle of the attack, you'll have more time to identify where the attack came from and to decide how to react in the future.

Prepare for the next attack
Naturally, the best way to deal with an e-mail virus attack is to avoid facing it to begin with. Some ways to minimize your vulnerability in the future include:

• Ensuring that you have an e-mail virus scanner on your e-mail server as well as on your clients.
• Making sure that all virus signature updates are current.
• Educating users about opening attachments to e-mails.
• Creating an alternate communication structure in your organization for when e-mail fails.
• Verifying that your backup routine functions properly and that backups remain current.

Because Outlook and Exchange are the most popular targets for e-mail virus attacks, some organizations have even gone as far as replacing them with Lotus Domino, Novell GroupWise, or a Linux-based e-mail system. Depending on the size of your organization, this may be a consideration for you as well.

TechRepublic originally published this article on 8 October 2003.