Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013
Chapter 6: Mail Worms
Quick Diagnostic and Disinfection
Email Properties and the Method of Distribution
Local and Network Drive copying
Necessary Measures -- Please read !!!
[May 12, 2002] Almost a month after it started spreading, the Klez.H worm is slowing down, but it has managed to enter the "evil troika" list of most common PC viruses, along with Magistr and Sircam. Moreover, the worm's technique of forging the sender address on each infected e-mail message is creating a stream of useless warnings from gateway antivirus software, informing the wrong people that they are infected. Nothing can be done about it: this is a weakness of the SMTP protocol, which does not require authentication.
The false addresses are slowing disinfections. The worm definitely data mines files for e-mail addresses. If Klez happens to send an e-mail "from" a user to an e-mail list's automatic subscribe address, the list software assumes the e-mail is a valid subscription request and begins sending mail to the user.
Recipients of the virus-laden e-mails, not understanding that the "From" information is virtually always phony -- or even that they have received a virus -- have been clogging networks with angry and confused e-mails that are causing a great deal of cyber-havoc. Some Internet users have recently received an e-mail message from a dead friend. Others have been subscribed to obscure mailing lists (if Klez happens to send an e-mail "from" a user to an e-mail list's automatic subscribe address, the list software assumes the e-mail is a valid subscription request and begins sending mail to the user). Some users reportedly have lost their Internet access after being accused of spamming, and still others have received a letter that looks like e-mailed pornography from a person they cannot believe sent it. And actually he never did. Klez e-mails' subject lines are randomly chosen from a pre-programmed list of about 120 possibilities, including "Let's be friends," "Japanese lass' sexy pictures," "Meeting Notice," "Hi Honey" and "SOS."
Klez also sends fake "returned" or "undeliverable" e-mails, advising the supposed sender that their original, refused e-mail is contained in the attachment. Clicking on the attachment triggers the virus.
In many cases, antivirus software protecting a company's e-mail gateways is sending out a response to each infected e-mail inadvertently sent out by a victim -- but that warning is going to the wrong person. So, in effect, you're getting twice the fun you would normally get.
As of May 12, 2002 there's no indication that the worm is dying down. It looks like it might repeat Magistr's feat of longevity and stay active for a prolonged period of time. Currently 5-10 messages a day are detected on the e-mail gateway.
The virus can launch automatically when users click to preview or read e-mails bearing Klez on systems that have not been patched for a year-old vulnerability in Internet Explorer (if they are viewing for example their Hotmail, Yahoo or other WEB-mail account), Outlook and Outlook Express. Klez only affects PCs running Microsoft's Windows operating system.
Please note that the attachment that contains the worm is from 100K to 150K in size.
The worm exists in several modifications. The version diagnosed as Klez.H by Symantec and as Klez.G by Trend Micro was discovered April 18, 2002 around noon, and as of 3:24 04/18/2002 we have at least two infected users. Both variants of Klez mentioned above are modified versions of Klez.E. The Klez.h variant infects PCs whose users open the attachment to an infected e-mail. Confusing matters, the e-mail will have a random "from" address, selected from various sources on the original victim's hard drive. And it pairs this bogus sender's address with one of more than 120 different subject lines.
The worm is capable of spreading by email and network shares. In Outlook the worm uses an Internet Explorer security breach (IFRAME vulnerability) to start automatically when an infected message is viewed. The virus is capable of infecting EXE files on all available computer disks. It uses a companion type of infection: when infecting an EXE file, the worm overwrites it and creates a backup file with the same name as the infected file, but with a random extension and with hidden, system and read-only attributes. When the infected file is run, the worm extracts the original program from the backup file under its original name plus 'MP8' and runs it. After the program terminates, the worm deletes it.
When a user opens the attachment, the virus starts up its own e-mail engine and mass mails itself to e-mail addresses found in various files on the PC, using a source address culled from those addresses. Klez.h can also send out a random file from the PC as an attachment, along with the e-mail that carries the worm, potentially passing confidential information. In some instances, the worm also drops one of several other viruses, including the destructive CIH,
It also tries to remove any active antivirus software from the system.
As of April 18, 2002 Trend Micro information is limited to the older variant, WORM_KLEZ.E - Description and solution, but nevertheless our e-mail gateway software (Scanmail) does have a limited capability to catch the new variant. I hope that it will be able to catch all of them early next week. Our current information about the worm is based mainly on information from Symantec and on my and Michael Cloutier's experience with one infected PC that I found today in Mount Olive.
F-secure has a special tool that can be used for disinfection and is available from:
Please note that due to incorrect settings of Microsoft File Explorer on the new "standard" PCs with Windows 2000, file extensions are hidden. You need to change this setting manually to see the full names of the files (with extensions).
If the user has admin rights to the PC, the worm disables the current version of F-secure, so F-secure is useless against any new variants that are not already in the database.
As a temporary measure, effective immediately, I blocked all inbound and outbound .EXE attachments until Monday April 22, to keep the number of infections under control until AV vendors debug the recognition of those new variants.
Renaming of an .EXE attachment (or zipping it) still works and should be used if you need to send one. Please communicate this to users.
Luckily enough it does not attach any user documents to the infected letter. To avoid becoming a victim of this worm, users need to be especially vigilant for the next couple of weeks and check the properties of the executable attachments they receive (using view) before clicking. If an attachment is a Win32 executable file and comes from an unknown sender, or from a known but unexpected one, they should avoid clicking on it and contact the sender first.
A letter for users about this worm was already distributed by the helpdesk.
If a user has admin rights to the PC the worm usually disables F-secure (and several other AV programs) so in this case F-secure is useless against those new variants.
If the user does not have admin rights, F-secure may survive, but it cannot be considered a reliable test: even if F-secure does not find any infected executables, the PC can still be infected because signature files can be outdated. In this case the sysadmin needs to manually update the F-secure files using Fsupdate.exe from the F-secure server in Europe: the server in the USA can be, and in case of a major virus infection usually is, outdated. Just download it into the F-secure directory and run it.
Quick diagnostics of the worm can be done via the Windows NT/2000 task list. If an executable with a name starting with wink (for example winkkd.exe) is running, then the PC is infected with the worm.
F-secure has a special tool that can be used for both diagnostic and disinfection and is available from:
The method of distribution is typical for worms, but looks better debugged. This worm searches the Windows address book, the ICQ database, and local files for email addresses (only the last one usually applies in the corporate environment -- the Internet cache usually contains a lot of e-mail addresses from an internal WEB server). The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers. How successful it was in the Lotus Notes environment is unclear.
The size of the worm is approximately 90K. The sample that I got has double dots, but that might be an error in the creation of a double extension (the name is definitely random):
04/17/2002 09:51p 88,899 cancer..exe
If you view the attachment properties (which should become standard practice for everybody starting from today; if the properties show an executable file format, never ever click) you will see that the worm's executable has the whole Version Information section stripped (see the example of a real Windows executable header below), has 4 sections, is compiled for the i386 architecture, has timestamp 0x3CB78EB8, and has relocations, line numbers and local symbols stripped.
Win32 Portable Executable File Format
File Header
Machine 0x014C (i386)
Number of Sections 0x0004
TimeDataStamp 0x3CB78EB8
PointerToSymbolTable 0x00000000
NumberOfSymbols 0x00000000
SizeOfOptionalHeader 0x00E0
Characteristics 0x010F
RELOCS_STRIPPED
EXECUTABLE_IMAGE
LINE_NUMS_STRIPPED
LOCAL_SYMS_STRIPPED
32BIT_MACHINE
The full header for the sample of the worm that I got is reproduced in the Supplement 1. Please compare it with a regular Windows 2000 executable:
Win32 Portable Executable File Format
Version Information
ProductName Microsoft(R) Windows (R) 2000 Operating System
CompanyName Microsoft Corporation
FileDescription Welcome to Windows NT
InternalName Welcome
FileVersion 5.00.2134.1
OriginalFilename WELCOME.EXE
ProductVersion 5.00.2134.1
LegalCopyright Copyright (C) Microsoft Corp. 1998-1999
File Header
Machine 0x014C (i386)
Number of Sections 0x0003
TimeDataStamp 0x37ECAF3C
PointerToSymbolTable 0x00000000
NumberOfSymbols 0x00000000
SizeOfOptionalHeader 0x00E0
Characteristics 0x030F
RELOCS_STRIPPED
EXECUTABLE_IMAGE
LINE_NUMS_STRIPPED
LOCAL_SYMS_STRIPPED
32BIT_MACHIN
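The header fields compared above can be read from a saved attachment without running it. The following Python sketch is an added example, not part of the original notes: it decodes the File Header and the RESOURCE data-directory size from raw bytes. The function names and `build_sample()` are hypothetical, and the sample bytes are constructed from the field values listed on this page, not taken from the worm file.

```python
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits, per the PE/COFF specification.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED",
    0x1000: "SYSTEM", 0x2000: "DLL",
}
MACHINES = {0x014C: "i386"}
PE32_MAGIC = 0x010B
RESOURCE_DIR_INDEX = 2           # IMAGE_DIRECTORY_ENTRY_RESOURCE
EMPTY_RESOURCE_DIR_SIZE = 0x10   # a bare IMAGE_RESOURCE_DIRECTORY with no entries


class NotPE(ValueError):
    """Raised when the bytes are not a parseable PE image."""


def parse_pe_header(data: bytes) -> dict:
    """Decode the COFF File Header and the RESOURCE data-directory size."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise NotPE("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise NotPE("missing PE signature")
    machine, sections, stamp, _symtab, _nsyms, opt_size, flags = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    info = {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": sections,
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "characteristics": [n for bit, n in sorted(CHARACTERISTICS.items()) if flags & bit],
        "resource_size": None,   # None = optional header missing or not PE32
    }
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    entry = 96 + 8 * RESOURCE_DIR_INDEX       # PE32 layout: data directories start at +96
    if opt_size >= entry + 8 and opt + opt_size <= len(data):
        (magic,) = struct.unpack_from("<H", data, opt)
        (n_dirs,) = struct.unpack_from("<I", data, opt + 92)
        if magic == PE32_MAGIC and n_dirs > RESOURCE_DIR_INDEX:
            _rva, size = struct.unpack_from("<II", data, opt + entry)
            info["resource_size"] = size
    return info


def can_hold_version_info(info: dict) -> bool:
    """A resource directory of 16 bytes or less has no entries, so it cannot
    carry a version resource. The size field comes from the file itself and is
    therefore only a triage hint, not proof."""
    size = info["resource_size"]
    return size is not None and size > EMPTY_RESOURCE_DIR_SIZE


def build_sample() -> bytes:
    """Constructed header block using the values this page lists for the worm sample."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 4, 0x3CB78EB8, 0, 0, 0x00E0, 0x010F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 0x10)                 # RVAs & sizes
    struct.pack_into("<II", opt, 96 + 8 * RESOURCE_DIR_INDEX, 0x95000, 0x10)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    header = parse_pe_header(build_sample())
    for key, value in header.items():
        print(f"{key:16} {value}")
    print("version info possible:", can_hold_version_info(header))
```

To triage a real attachment, pass the first few kilobytes of the saved file to `parse_pe_header()`; a `NotPE` error means the file is not a Windows executable at all.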
Most damage is connected with the confusion created by the fake "from" address. Recipients of the virus-laden e-mails usually do not understand that the "From" address is virtually always phony (and often do not suspect that they have received a virus). Many naive users are clogging mailboxes with angry and confused e-mails that are causing a great deal of cyber-havoc.
Payload: This worm infects executables by creating a hidden copy of the original host.exe file and then overwriting the original file with itself. The hidden copy is encrypted, but contains no viral data. The name of the hidden file is the same as the original file, but with a random extension.
Large scale e-mailing: This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment. Mail can also contain two attachments, one of them a text document. Sometimes it contains the description of the phony disinfection tool for Klez.E.
When this worm is executed, it does the following:
It copies itself to \%System%\Wink<random characters>.exe
NOTE: %System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.
It adds the value
Wink<random characters> %System%\Wink<random characters>.exe
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
or it creates the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink[random characters]
and inserts a value in that subkey so that the worm is executed when you start Windows.
The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any active AV-related processes. The virus searches for active antivirus applications (see the list below) and forces them to unload using a Windows "TerminateProcess" command. The worm also removes the startup registry keys used by antivirus products and deletes checksum database files, including those related to the F-prot and Kaspersky antivirus products (F-secure is not an independent AV scanner: it uses a combination of two AV engines, F-prot and Kaspersky).
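The startup entries described above can be checked offline against a registry export taken from a suspect PC. The following Python sketch is an added example, not part of the original notes: it walks REGEDIT4-style export text and reports Run values and Services subkeys that follow the Wink<random characters> pattern. The function name and the sample export, including the names Winkabc and Winkxyz, are constructed for illustration.

```python
import re

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SERVICES_KEY = r"hkey_local_machine\system\currentcontrolset\services"

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" lines; backslashes and quotes inside the strings are escaped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
WINK_FILE_RE = re.compile(r"^wink[^\\/]*\.exe$", re.IGNORECASE)


def _unescape(text: str) -> str:
    """Undo .reg string escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", text)


def find_klez_autostart(reg_text: str) -> list:
    """Return (kind, name, detail) tuples for entries matching the page's pattern.

    A hit is a lead for further inspection, not a verdict: an unrelated
    program could also use a name that starts with "wink".
    """
    findings = []
    key = ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            parent, _, leaf = key.rpartition("\\")
            # Services\Wink<random characters> subkey
            if parent.lower() == SERVICES_KEY and leaf.lower().startswith("wink"):
                findings.append(("service-key", leaf, key))
            continue
        m = VALUE_RE.match(line)
        if m and key.lower() == RUN_KEY:
            name, data = _unescape(m.group(1)), _unescape(m.group(2))
            image = data.replace("/", "\\").rsplit("\\", 1)[-1]
            # Both the value name and the file it starts must match Wink*
            if name.lower().startswith("wink") and WINK_FILE_RE.match(image):
                findings.append(("run-value", name, data))
    return findings


# Constructed sample export (not taken from a real machine).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"WinKeyHelper"="C:\\Program Files\\Tools\\keyhelper.exe"
"Winkabc"="C:\\WINNT\\System32\\Winkabc.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winkxyz]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winmgmt]
"Start"=dword:00000002
'''

if __name__ == "__main__":
    for kind, name, detail in find_klez_autostart(SAMPLE_REG):
        print(f"{kind:12} {name:10} {detail}")
```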
The worm copies itself to all local, mapped, and network drives as:
The worm enumerates network resources and copies itself to remote drives twice - once as an executable file with single or double extension, and second time as a RAR archive that can have single or double extension as well. The RAR archive contains the worm's executable file with one of the following names:
setup
install
demo
snoopy
picacu
kitty
play
rock
The first extension of the RAR archive or of the worm's executable can be:
.txt
.htm
.html
.wab
.doc
.xls
.jpg
.cpp
.c
.pas
.mpg
.mpeg
.bak
.mp3
The second or the only extension of the worm's executable file can be:
.exe
.scr
.pif
.bat
The name of the dropped RAR archive and of the worm's executable file is either random or taken from a file that the worm found on the host system. So it can be, for example, QQ.PAS.EXE, KERNEL.MP3.PIF, DOCUMENT.SCR and so on.
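The naming scheme above translates directly into a file-name check for share listings or a mail gateway. The following Python sketch is an added example, not part of the original notes: it classifies names using only the extension and archive-member lists given on this page, and tolerates empty extension components such as the double dot in cancer..exe. The function names and the sample listing are constructed for illustration.

```python
# Lists copied from this page.
DECOY_EXTS = {"txt", "htm", "html", "wab", "doc", "xls", "jpg",
              "cpp", "c", "pas", "mpg", "mpeg", "bak", "mp3"}
EXEC_EXTS = {"exe", "scr", "pif", "bat"}
RAR_MEMBER_STEMS = {"setup", "install", "demo", "snoopy",
                    "picacu", "kitty", "play", "rock"}


def split_name(filename: str):
    """Return (stem, [extensions]) in lower case, ignoring any directory part.

    Empty components are dropped, so "cancer..exe" and "file.exe." both
    yield a single "exe" extension.
    """
    base = filename.replace("/", "\\").rsplit("\\", 1)[-1]
    parts = [p.strip() for p in base.lower().split(".")]
    return parts[0], [p for p in parts[1:] if p]


def classify(filename: str) -> str:
    """Classify one file name against the naming scheme described on the page."""
    _stem, exts = split_name(filename)
    if not exts:
        return "ok"
    last = exts[-1]
    prev = exts[-2] if len(exts) >= 2 else None
    if last in EXEC_EXTS:
        # A document-like first extension hiding an executable second one.
        return "double-extension-executable" if prev in DECOY_EXTS else "executable"
    if last == "rar" and prev in DECOY_EXTS:
        return "double-extension-archive"
    return "ok"


def archive_matches_klez(archive_name: str, members: list) -> bool:
    """True when a double-extension RAR holds an executable with a listed name.

    Names like setup.exe are common in legitimate archives, so the member
    list is only meaningful together with the suspicious archive name.
    """
    if classify(archive_name) != "double-extension-archive":
        return False
    for member in members:
        stem, _exts = split_name(member)
        if stem in RAR_MEMBER_STEMS and classify(member) != "ok":
            return True
    return False


def flag_listing(names: list) -> dict:
    """Map every non-"ok" name in a directory or attachment listing to its class."""
    return {n: classify(n) for n in names if classify(n) != "ok"}


# Constructed listing; the first three names are the examples given on the page.
SAMPLE_LISTING = ["QQ.PAS.EXE", "KERNEL.MP3.PIF", "DOCUMENT.SCR",
                  "cancer..exe", "notes.txt.rar", "report.doc", "backup.rar"]

if __name__ == "__main__":
    for name, verdict in flag_listing(SAMPLE_LISTING).items():
        print(f"{name:16} {verdict}")
```

A single-extension RAR copy cannot be told apart from a legitimate archive by name alone, which is why backup.rar passes this check.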
1. The worm tries to exploit a known Internet Explorer hole if the user accesses Hotmail, Yahoo mail or another WEB-mail provider. You should advise users to update Windows and Internet Explorer. Users that have admin rights can do this themselves by going to Start menu/Windows Update.
2. Network shares should be disabled or password protected.
3. Desktop AV software (F-secure) should have virus definitions dated May 10 or later.
You can also use a free tool from Symantec, the W32.Klez Removal Tool, to check for the worm. Here is the relevant info:
W32.Klez.gen@mm is a generic detection that detects variants of W32.Klez. Computers that are infected with W32.Klez.gen@mm have most likely been exposed to either W32.Klez.E@mm or W32.Klez.H@mm. If your computer is detected as infected with W32.Klez.gen@mm, download and run the tool. In most cases, the tool will be able to remove the infection.
What the tool does:
The W32.Klez Removal Tool does the following:
- It terminates all processes that are associated with W32.Klez@mm or W32.Elkern.
- It deletes the W32.Klez@mm services.
- It removes the registry entries that were created by W32.Klez@mm.
- It detects all types of W32.Klez@mm and W32.ElKern infections, and repairs files that can be repaired.
NOTES:
- A file that is infected with W32.Klez.E@mm or W32.Klez.H@mm includes a link to the encrypted host file. If the encrypted file does not exist at that link, the tool deletes the infected file because it is not repairable, and the encrypted file is not restored.
- The W32.ElKern repair removes the viral code from the file. It does not ensure that a file that is repaired from W32.ElKern will run because this virus often corrupts files.
Command-line switches that are available for this tool
Switch Description
/HELP, /H, /? Displays the help message.
/NOFIXREG Disables registry repair (the use of this switch is not recommended).
/SILENT, /S Enables silent mode.
/LOG=<path name> Creates a log file where <path name> is the location in which to store the tool's output. By default, this switch creates the log file FixKlez.log in the same folder from which the removal tool was executed.
/MAPPED Scans mapped network drives (the use of this switch is not recommended--see notes).
/START Forces the tool to start scanning immediately.
/EXCLUDE=<path> Excludes the specified <path> from scanning (the use of this switch is not recommended).
NOTE: The use of the /MAPPED switch does not ensure the complete removal of the virus on the remote computer because:
- The scanning of mapped drives scans only the folders that are mapped. This might not include all folders on the remote computer, and this can lead to missed detections.
- If a viral file is detected on the mapped drive, the removal will fail if a program on the remote computer is using this file.
- The repair of a file that is infected with W32.Klez@mm may fail if this file is located on the mapped drive. This is because the path to the original encrypted host file is a local path.
For these reasons, you should run the tool on every computer.
To obtain and run the tool
NOTE: You must have administrative rights to run this tool on Windows NT 4.0, Windows 2000, or Windows XP.
1. Download the FixKlez.com file from http://securityresponse.symantec.com/avcenter/FixKlez.com.
2. Save the file to a convenient location, such as your download folder or the Windows desktop (or, if possible, removable media that is known to be uninfected).
3. To check the authenticity of the digital signature, refer to the section The digital signature.
4. Close all programs.
5. If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
6. If you are running Windows Me or Windows XP, then disable System Restore. Refer to the section System Restore option in Windows Me/XP for additional details.
NOTE: If you are running Windows Me/XP, Symantec strongly recommends that you do not skip this step.
7. Restart the computer in Safe mode (all versions of Windows except Windows NT). For instructions, read the document for your version of Windows.
- How to start Windows XP in Safe mode.
- How to start Windows 2000 in Safe mode.
- How to restart Windows 9x or Windows Me in Safe mode.
8. Double-click the FixKlez.com file to start the removal tool.
9. Click Start to begin the process, and allow the tool to run.
10. Restart the computer normally.
11. To reinstall NAV, follow the instructions in the document How to restore Norton AntiVirus after removing a virus.
12. Run LiveUpdate to make sure that you are using the most current virus definitions, and scan the computer again. If NAV detects any infected files and cannot repair them, then choose to delete the files.
13. If you are running Windows Me/XP, re-enable System Restore.
NOTE: The removal procedure might be unsuccessful if Windows Me/XP System Restore was not disabled as previously directed because Windows prevents System Restore from being modified by outside programs. Because of this, the removal tool might fail. If W32.Klez.gen@mm was activated before you ran the removal tool, in most cases you will not be able to start Norton AntiVirus (NAV). The instructions for running NAV from the command line and reinstalling NAV are in the removal section of the W32.Klez.E@mm writeup.
When the tool has finished running, you will see a message that indicates whether the computer was infected by variants of W32.Klez@mm and/or variants of W32.ElKern. If an infection was removed, the program displays the following results:
- The total number of the scanned files
- The number of deleted files
- The number of repaired files
- The number of viral processes terminated
- The number of viral services deleted
- The number of registry entries fixed
The digital signature
FixKlez.com is digitally signed. Symantec recommends that you use only copies of FixKlez.com that were downloaded directly from the Symantec Security Response download site. To verify the authenticity of the digital signature, follow these steps:
1. Go to http://www.wmsoftware.com/free.htm.
2. Download and save the Chktrust.exe file into the same folder in which you saved FixKlez.com (for example, the C:\Downloads folder).
3. Depending on your version of Windows, do one of the following:
- Click Start, point to Programs, and click MS-DOS Prompt.
- Click Start, point to Programs, click Accessories, and then click Command Prompt.
- Change to the folder that contains FixKlez.com and Chktrust.exe, and then type
chktrust -i FixKlez.com
For example, if the file exists in the C:\Downloads folder, enter the following commands:
cd\
cd downloads
chktrust -i FixKlez.com
Press Enter after you type each command. If the digital signature is valid, you will see the following:
Do you want to install and run "W32.Klez Fix Tool" signed on 5/16/2002 2:26 AM and distributed by Symantec Corporation.
NOTES:
- The date and time that appear in this dialog box will be adjusted to your time zone if your computer is not set to the Pacific time zone.
- If you are using Daylight Saving Time, the time that appears will be exactly one hour earlier.
- If this dialog box does not appear, do not use your copy of FixKlez.com. It is not from Symantec.
4. Click Yes to close the dialog box.
5. Type exit and then press Enter to close the MS-DOS session.
System Restore option in Windows Me/XP
Windows Me and Windows XP users should temporarily turn off System Restore. This feature, which is enabled by default, is used by Windows Me/XP to restore files on your computer in case they become damaged. When a computer is infected with a virus, worm, or Trojan, it is possible that the virus, worm, or Trojan could be backed up by System Restore. By default, Windows prevents System Restore from being modified by other programs. As a result, there is the possibility that you could accidentally restore an infected file, or that online scanners would detect the threat in that location. For instructions on how to turn off System Restore, read your Windows documentation or one of the following articles:
- How to disable or enable Windows Me System Restore
- How to disable or enable Windows XP System Restore
For additional information and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder, Article ID: Q263455.
How to run the tool from a floppy disk
1. Insert the floppy disk that contains the FixKlez.com file into the floppy disk drive.
2. Click Start, and then click Run.
3. Type the following, and then click OK:
a:\fixklez.com
NOTES:
- There are no spaces in the command a:\fixklez.com
- If you are running Windows Me and System Restore remains enabled, you will see a warning message. You can choose to run the removal tool with the System Restore option enabled, or exit the removal tool.
4. Click Start to begin the process, and then allow the tool to run.
5. If you are running Windows Me, then re-enable System Restore.
NOTE: If you are using Norton AntiVirus (NAV) 2000/2001/2002, in most cases, after you remove the virus you must uninstall and reinstall NAV. For instructions on how to do this, read the document How to restore Norton AntiVirus after removing W32.Goner.A@mm or W32.Klez.gen@mm.
I would like to thank Michael Cloutier, who helped me to enhance e-mail gateway security and was the first to find the description of the worm on the Symantec site.
Full header listing:
Win32 Portable Executable File Format

File Header
Machine 0x014C (i386)
Number of Sections 0x0004
TimeDataStamp 0x3CB78EB8
PointerToSymbolTable 0x00000000
NumberOfSymbols 0x00000000
SizeOfOptionalHeader 0x00E0
Characteristics 0x010F
RELOCS_STRIPPED
EXECUTABLE_IMAGE
LINE_NUMS_STRIPPED
LOCAL_SYMS_STRIPPED
32BIT_MACHINE

Optional Header
Magic 0x010B
linker version 6.00
size of code 0xC000
size of initialized data 0x89000
size of uninitialized data 0x0
entrypoint RVA 0x8458
base of code 0x1000
base of data 0xD000
image base 0x400000
section align 0x1000
file align 0x1000
required OS version 4.00
image version 0.00
subsystem version 4.00
Win32 version value 0x0
size of image 0x96000
size of headers 0x1000
checksum 0x0
Subsystem 0x0002 (Windows GUI)
DLL flags 0x0000
stack reserve size 0x100000
stack commit size 0x1000
heap reserve size 0x100000
heap commit size 0x1000
loader flags 0x00000000
RVAs & sizes 0x10

Data Directory
EXPORT rva: 00000000 size: 00000000
IMPORT rva: 0000D620 size: 00000064
RESOURCE rva: 00095000 size: 00000010
EXCEPTION rva: 00000000 size: 00000000
SECURITY rva: 00000000 size: 00000000
BASERELOC rva: 00000000 size: 00000000
DEBUG rva: 00000000 size: 00000000
COPYRIGHT rva: 00000000 size: 00000000
GLOBALPTR rva: 00000000 size: 00000000
TLS rva: 00000000 size: 00000000
LOAD_CONFIG rva: 00000000 size: 00000000
unused rva: 00000000 size: 00000000
unused rva: 0000D000 size: 000001EC
unused rva: 00000000 size: 00000000
unused rva: 00000000 size: 00000000
unused rva: 00000000 size: 00000000

Section Table
01 .text
VirtSize: 0000BA4A VirtAddr: 00001000
raw data offs: 00001000 raw data size: 0000C000
relocation offs: 00000000 relocations: 00000000
line # offs: 00000000 line #'s: 00000000
characteristics: 60000020 CODE MEM_EXECUTE MEM_READ
02 .rdata
VirtSize: 00001022 VirtAddr: 0000D000
raw data offs: 0000D000 raw data size: 00002000
relocation offs: 00000000 relocations: 00000000
line # offs: 00000000 line #'s: 00000000
characteristics: 40000040 INITIALIZED_DATA MEM_READ
03 .data
VirtSize: 00085E6C VirtAddr: 0000F000
raw data offs: 0000F000 raw data size: 00005000
relocation offs: 00000000 relocations: 00000000
line # offs: 00000000 line #'s: 00000000
characteristics: C0000040 INITIALIZED_DATA MEM_READ MEM_WRITE
04 .rsrc
VirtSize: 00000010 VirtAddr: 00095000
raw data offs: 00014000 raw data size: 00000010
relocation offs: 00000000 relocations: 00000000
line # offs: 00000000 line #'s: 00000000
characteristics: 40000040 INITIALIZED_DATA MEM_READ

Resources
ResDir (0) Named:00 ID:00 TimeDate:00000000 Vers:0.00 Ch
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: March 12, 2019