6.0  AN OVERVIEW OF COMPUTER VIRUS

After the attack


Even though precautions are taken, the worst sometimes happens: a virus evades the lines of defense and wreaks havoc. Even if a hard disk does manage to crash, regardless of whether it was virus-induced or not, all is not necessarily lost. Some investment of time may be needed, but the data can usually be recovered.

There is no better remedy for a crash of any kind than a recent backup. Unfortunately, if the virus was backed up along with the rest of the disk, restoring the backup contents may bring the virus back to life. If this happens and another crash occurs from the restoration, it is time to do either a lot of detective work or seek professional help.

Once a crash has occurred, the first step is to remain calm. The strong urge to shout and destroy nearby office furniture has to be suppressed. After this is done, the damage must be surveyed.
The crash is probably a result of the virus doing one of the following:

1)   Formatting the disk

2)   Scrambling the FAT (File Allocation Table)

3)   Erasing files

4)   Corrupting the disk's boot sector

The amount of data that can be recovered depends on the cause of the crash.

At this point, if you do not know what you are doing, it is well worth the time and money to find someone who does. Better late than never: buy good "vaccine" or anti-virus software. Remember that pirated or borrowed copies are practically useless. The key defense is regular alerts and updates. Recovering data from a crashed disk is a highly technical matter.

Recovery from a Disk Crash 

Recovering information on a formatted disk depends on the method of formatting. If the disk was low-level formatted, then the contents of the files and the directories referencing them have been over-written. The only hope of recovery is a backup. If the disk was high-level formatted, then the disk contents have not been erased and are recoverable to some degree. 

Unformatting programs have been written to reconstruct the contents on the disk. Since MS-DOS breaks up or fragments large files and stores the pieces wherever there is room on the disk, complete recovery is only possible if the unformatting programs have a "picture" of the disk before the crash. This picture is generally taken by a utility accompanying the unformatting program. 

If the FAT table has been scrambled, it can be rebuilt. Two of the three disk utility programs listed below, Norton Utilities and PC-Tools, include editors that allow an experienced user to piece together a FAT table. This is not easy and requires a large amount of experience and a high degree of proficiency. The other alternative involves finding a FAT backup program and making periodic backups. 

A number of FAT backup programs are public domain and can thus be obtained from a trusted friend or a trusted computer bulletin board.

If files were erased and the FAT tables are still intact, then the files may simply have to be unerased. When a file is erased, the first character of its name is usually changed to a non-printable character to indicate that it is no longer a valid directory entry. Everything else is left intact. Since the contents of erased programs are over-written by newer programs, it is best to unerase the most recently erased files first. If this is not done, a previously erased program may grab part of a newer file.

The last cause of a disk crash is when the boot sector is either erased or formatted. In this case, the data is still safe on the disk, but the disk cannot be booted from. Another system disk in a floppy drive can be used to boot the system.
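The unerase mechanics described above, worked through as an added Python example (not code from the original page): it builds a tiny constructed FAT16 volume, lists the live and erased directory entries, follows the FAT chain of a live fragmented file, and shows why an erased file can only be recovered as a guess once its FAT links are gone. The 32-byte directory entry layout, the 0xE5 byte that DOS writes over the first name character on erase, and the 16-bit FAT link values are the real FAT16 format; the 16-byte cluster size, the file names and the file contents are made up for the demonstration. It goes slightly beyond the text by also flagging erased clusters that a newer file has already taken, which is the case the paragraph warns about.

```python
"""Walk a FAT16 directory and its cluster chains to show what an erase leaves behind.

Constructed example: the 32-byte directory entry layout, the 0xE5 erase marker and the
16-bit FAT links are the real FAT16 format; the 16-byte cluster size, the file names and
the file contents are made up for this demonstration.
"""
import math
import struct

CLUSTER_SIZE = 16            # toy cluster size; real volumes use 512 to 32768 bytes
DELETED_MARK = 0xE5          # first name byte DOS writes into an erased entry
END_OF_DIR = 0x00            # first name byte of a never-used entry: stop scanning
EOC = 0xFFF8                 # FAT16 link values >= this mean "end of chain"
ENTRY_FMT = "<11sB10sHHHI"   # 8.3 name, attr, reserved, time, date, first cluster, size


def make_entry(name83, first_cluster, size, attr=0x20):
    """Pack one 32-byte directory entry with a space-padded 8.3 name."""
    return struct.pack(ENTRY_FMT, name83, attr, bytes(10), 0, 0, first_cluster, size)


def build_image():
    """Return (fat, directory, data) for a constructed volume: one live file, two erased."""
    fat = [0] * 16
    # REPORT.TXT is live and fragmented: clusters 2 -> 5 -> 3, as the text describes DOS doing.
    fat[2], fat[5], fat[3] = 5, 3, 0xFFFF
    # OLD.DOC (clusters 4, 6) and NOTES.TXT (clusters 7, 8) were erased: DOS zeroed their
    # FAT links, so those clusters now read as free space although the data is still there.
    data = bytearray(CLUSTER_SIZE * len(fat))
    contents = {2: b"The quick brown ", 5: b"fox jumps over t", 3: b"he lazy dog.\n",
                4: b"Old quarterly nu", 6: b"mbers: 42, 17.\n",
                7: b"Meeting moved to", 8: b" Fri"}
    for cl, chunk in contents.items():
        data[cl * CLUSTER_SIZE:cl * CLUSTER_SIZE + len(chunk)] = chunk
    live = make_entry(b"REPORT  TXT", 2, 45)
    erased = [make_entry(b"OLD     DOC", 4, 31), make_entry(b"NOTES   TXT", 7, 20)]
    # An erase overwrites only the first name byte; the cluster and size fields survive.
    erased = [bytes([DELETED_MARK]) + e[1:] for e in erased]
    directory = live + b"".join(erased) + bytes(32)   # bytes(32): end-of-directory entry
    return fat, directory, bytes(data)


def parse_directory(directory):
    """List entries up to the end-of-directory marker; erased names get '?' for the lost byte."""
    entries = []
    for off in range(0, len(directory), 32):
        raw = directory[off:off + 32]
        if raw[0] == END_OF_DIR:
            break
        name, _attr, _res, _time, _date, first, size = struct.unpack(ENTRY_FMT, raw)
        deleted = raw[0] == DELETED_MARK
        base = (b"?" if deleted else name[:1]) + name[1:8]
        fname = base.decode("ascii").rstrip() + "." + name[8:].decode("ascii").rstrip()
        entries.append({"name": fname, "deleted": deleted, "first_cluster": first, "size": size})
    return entries


def follow_chain(fat, first_cluster):
    """Return the cluster list of a live file by following FAT links to end-of-chain."""
    chain, cl = [], first_cluster
    while cl < EOC:
        if cl < 2 or cl >= len(fat) or cl in chain:
            raise ValueError(f"corrupt FAT chain at cluster {cl}")
        chain.append(cl)
        cl = fat[cl]
    return chain


def recover(fat, data, entry):
    """Reassemble a file's bytes and return (bytes, warnings).

    Live files follow the FAT. Erased files have had their links zeroed, so the only
    guess left is a contiguous run from the recorded first cluster; any of those
    clusters that a newer file now owns are reported as unreliable.
    """
    n = math.ceil(entry["size"] / CLUSTER_SIZE)
    warnings = []
    if entry["deleted"]:
        clusters = [cl for cl in range(entry["first_cluster"], entry["first_cluster"] + n)
                    if cl < len(fat)]
        taken = [cl for cl in clusters if fat[cl] != 0]
        if taken:
            warnings.append(f"clusters {taken} reallocated to a newer file; contents unreliable")
        warnings.append(f"FAT links lost on erase; assumed contiguous clusters {clusters}")
    else:
        clusters = follow_chain(fat, entry["first_cluster"])
        if len(clusters) != n:
            warnings.append(f"chain has {len(clusters)} clusters but size field implies {n}")
    blob = b"".join(data[cl * CLUSTER_SIZE:(cl + 1) * CLUSTER_SIZE] for cl in clusters)
    return blob[:entry["size"]], warnings


def recover_all():
    """Run the walk over the constructed image: name -> (recovered bytes, warnings)."""
    fat, directory, data = build_image()
    return {e["name"]: recover(fat, data, e) for e in parse_directory(directory)}


if __name__ == "__main__":
    for name, (blob, warns) in recover_all().items():
        print(f"{name:12} {blob!r}")
        for w in warns:
            print("    !", w)
```

Running it shows the three outcomes the text implies: the live fragmented file comes back whole because its FAT chain is intact; the erased contiguous file (`?OTES.TXT`) comes back correct but only on the assumption of contiguity; the erased fragmented file (`?LD.DOC`) comes back with a chunk of the newer file in the middle, because its second cluster has since been reallocated. That is exactly why unerasing the most recently erased files first, while their clusters are still free, matters, and why an unformat utility wants a saved picture of the FAT rather than guesswork.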

Before proceeding any further, backup the hard disk in case any damage is done trying to restore the disk to boot status. The first thing to try is running the MS-DOS "SYS.COM" program. This program will copy the system files from one disk to another. After this is done, COMMAND.COM will have to be copied to the crashed disk using a simple "COPY" command. Information on this procedure is available in the MS-DOS manual. If this does not work, Mace+ Utilities has a function called "restore boot sector" which should be tried. 

If all else fails, the disk should be first backed up and then low-level reformatted. Instructions for this procedure should either come with the computer or are available from a computer store. After this is done, the MS-DOS program "FDISK.COM" is run to prepare the disk for high-level formatting. This formatting is done with the DOS "FORMAT.EXE" program. The DOS manual should be consulted before running any of these MS-DOS commands or programs. When everything is completed, the backup can be restored.

Any improper attempt by an inexperienced user can result in permanent data loss.

Commonly used terms

1)    Virus: - A self-replicating program that must attach itself in some way to an existing executable on the target computer system in order to propagate. In doing so, no overt user action is required to further the replication process.

2)    Trojan Horse: - A non-replicating malicious program that misleads the user in order to cause him/her to execute its malicious code. Although it is malicious code, it is often hidden inside another piece of (apparently innocuous) code in order to escape detection. This type of program does not modify any existing executable files on the system.

3)    Worm: - A self-replicating program that does not attach itself to other executable code in order to propagate. It relies upon some weakness in a multi-user system, or requires some sort of overt user action in order to operate. The technical feasibility of worms on single user computer systems is debatable.

4)    Infection: - The act of modifying existing executable code in order to propagate a virus.

5)    Masking: - The act of preventing discovery by intervening at some point in the scanning process. Typically this produces an indication of a clean system when, in fact, the environment under review has been modified.

Copyright © 2001 Selfonline-Education. All rights reserved.