Major worm attack – Lenovo ThinkPad R61i User Manual

Major worm attack

This example demonstrates one possible approach to combat a major virus. The
basic approach is to turn off networking, then reboot to Rescue and Recovery,
retrieve fixes, perform repairs, then boot back to Windows XP, install patches, and
finally restore networking. A single message might be used to perform all of these
functions through the use of flag files and the RETRYONERROR command.
1.

Lockdown phase
To accomplish lockdown phase, inform the user what is about to happen. If the
attack is not extremely serious, the administrator can give the user the option
to defer the fix until later. In the most conservative case, this phase would be
used to disable networking and provide a short window, such as 15 minutes,
for the user to save work in progress. The RETRYONERROR command is used
to keep the script running and then the machine can be rebooted into the
Rescue and Recovery environment.

2.

Code distribution phase an repair phase
Now that the threat of infection has been removed by disabling the network
and rebooting to Rescue and Recovery, additional code can be retrieved and
repairs accomplished. The network can be enabled or only certain addresses
can be permitted for the time required to retrieve additional files. While in
Rescue and Recovery, virus files can be removed and the registry can be
cleaned up. Unfortunately, installing new software or patches is not possible
because the patches assume that Windows XP is running. With networking still
disabled and all virus code removed, it is safe to reboot to Windows XP to
complete repairs. A tag file written at this time directs the script to the patch
section after the reboot.

122

Rescue and Recovery 4.21 Deployment Guide