IT Baseline Protection Manual S 6.23 Procedures in the event of computer virus infection

S 6.23 Procedures in the event of computer virus infection

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator, IT users

If there is reason to assume that a computer has been infected by viruses (e.g. program files that have grown in length, inexplicable system behaviour, untraceable files, modified file contents, continuous reduction of storage space although no data has been saved), the following steps are to be taken for virus detection and subsequent eradication:

  1. Keep calm.
  2. If possible, call on a PC support expert for help.
  3. Close the current programs and switch the computer off.
  4. Insert a flawless, write-protected system floppy disk (the emergency floppy disk, see S 6.24 PC emergency floppy disk) in drive A.
  5. Boot the computer from this diskette (if required, first change the boot sequence in the CMOS setup, cf. S 4.84 Use of BIOS security mechanisms).
  6. Check the computer with a current virus scanning program to establish whether the computer has been affected by a virus and, if so, which computer virus it is.
  7. Eliminate the virus depending on the virus type involved (if any problems are encountered, you can use the BSI virus hotline, tel. ++49+0228/9582-444).
  8. Check the hard disk again with the virus detection program.
  9. Check all other data media (floppy disks, removable hard disks) for virus infections and clean them if required.
  10. Try to establish the source of the virus. If the source can be traced to original data media, the manufacturer should be informed. If the source is a file or e-mail, the person who created the file should be informed.
  11. Warn all other IT users who have exchanged data with the infected computer.
  12. Send a virus report to BSI (the report form is contained in the appendix).

Should the virus have deleted or modified any of your data, try to reconstruct those data from the data backups (cf. S 6.32 Regular data backup) and the programs from their backup copies (cf. S 6.21 Backup copy of the software used). Then Step 8 should be repeated once more.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999