After the attack

Even though precautions are taken, the worst sometimes happens: a virus evades the lines of defense and wreaks havoc. Even if a hard disk does manage to crash, regardless of whether it was virus-induced or not, all is not necessarily lost. Some investment of time may be needed, but the data can usually be recovered. There is no better remedy for a crash of any kind than a recent backup. Unfortunately, if the virus was backed up along with the rest of the disk, restoring the backup contents may bring the virus back to life. If this happens and another crash occurs from the restoration, it is time either to do a lot of detective work or to seek professional help.

Once a crash has occurred, the first step is to remain calm. The strong urge to shout and destroy nearby office furniture has to be suppressed. After this is done, the damage must be surveyed. The crash is probably a result of the virus doing one of the following:

1) Formatting the disk
2) Scrambling the FAT (File Attribute) table
3) Erasing files
4) Corrupting the disk's boot sector

The amount of data that can be recovered depends on the cause of the crash. At this point, if you do not know what you are doing, it is well worth the time and money to find someone who does.

Better late than never: buy good "vaccine" or "anti-virus" software. Remember, pirated or borrowed copies are practically useless. The key defense is regular alerts and updates.

Recovering data from a crashed disk is a highly technical matter.

Recovery from a Disk Crash

Recovering information on a formatted disk depends on the method of formatting. If the disk was low-level formatted, then the contents of the files and the directories referencing them have been overwritten. The only hope of recovery is a backup. If the disk was high-level formatted, then the disk contents have not been erased and are recoverable to some degree. Unformatting programs have been written to reconstruct the contents on the disk. Since MS-DOS breaks up or fragments large files and stores the pieces wherever there is room on the disk, complete recovery is only possible if the unformatting programs have a "picture" of the disk before the crash. This picture is generally taken by a utility accompanying the unformatting program.

If the FAT table has been scrambled, it can be rebuilt. Two of the three disk utility programs listed below, Norton Utilities and PC-Tools, include editors that allow an experienced user to piece together a FAT table. This is not easy and requires a large amount of experience and a high degree of proficiency. The other alternative involves finding a FAT backup program and making periodic backups. A number of FAT backup programs are public domain and can thus be obtained from a trusted friend or trusted computer bulletin board.

If files were erased and the FAT tables are still intact, then the files may simply have to be unerased. When a file is erased, the first character of its name is usually changed to a non-printable character to indicate that it is no longer a valid directory entry. Everything else is left intact. Since the contents of erased programs are overwritten by newer programs, it is best to unerase the most recent files first. If this is not done, a previously erased program may grab part of a newer file.

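The erase marker described above can be read straight out of a raw directory. The following is an added example, not code from the original text: it assumes the standard 32-byte FAT12/16 directory entry layout, where the marker byte is 0xE5, and orders erased entries by their stored last-modified time, the only timestamp an entry carries. The function names and the sample directory are constructed for illustration.

```python
import struct
from datetime import datetime

ENTRY = struct.Struct("<8s3sB10sHHHI")  # 32-byte FAT12/16 directory entry
DELETED, END = 0xE5, 0x00   # first name byte: erased entry / end of directory
VOLUME_LABEL = 0x08

def dos_datetime(date, time):
    """Decode the packed DOS date and time words; None if they are invalid."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None

def deleted_entries(directory):
    """List erased entries in raw directory bytes, most recently modified first."""
    found = []
    for off in range(0, len(directory) - ENTRY.size + 1, ENTRY.size):
        name, ext, attr, _, time, date, cluster, size = ENTRY.unpack_from(directory, off)
        if name[0] == END:
            break                      # nothing after this slot was ever used
        if name[0] != DELETED or attr & VOLUME_LABEL:
            continue                   # live file or volume label
        # The original first character is gone; '?' stands in for it.
        base = "?" + name[1:].decode("ascii", "replace").rstrip()
        suffix = ext.decode("ascii", "replace").rstrip()
        found.append({"name": base + ("." + suffix if suffix else ""),
                      "modified": dos_datetime(date, time),
                      "first_cluster": cluster, "size": size})
    # Entries with unreadable timestamps sort last.
    return sorted(found, key=lambda e: e["modified"] or datetime.min, reverse=True)

def make_entry(name, ext, ymd, hm, cluster, size, attr=0x20):
    """Build one constructed directory entry for the sample below."""
    date = ((ymd[0] - 1980) << 9) | (ymd[1] << 5) | ymd[2]
    time = (hm[0] << 11) | (hm[1] << 5)
    return ENTRY.pack(name, ext, attr, bytes(10), time, date, cluster, size)

# Constructed sample directory: one live file, two erased files, end marker.
SAMPLE_DIR = (
    make_entry(b"COMMAND ", b"COM", (1991, 3, 1), (12, 0), 2, 47845)
    + make_entry(b"\xe5EPORT  ", b"TXT", (1991, 5, 2), (9, 30), 40, 1200)
    + make_entry(b"\xe5UDGET  ", b"WKS", (1991, 6, 15), (16, 45), 52, 8192)
    + bytes(32)
)

if __name__ == "__main__":
    for e in deleted_entries(SAMPLE_DIR):
        print(e["modified"], e["name"], e["first_cluster"], e["size"])
```

The listing only reads the directory; the first cluster and size it reports are what an unerase tool starts from when it rebuilds the file's chain.
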
The last cause of a disk crash is when the boot sector is either erased or formatted. In this case, the data is still safe on the disk, but the disk cannot be booted from. Another system disk in a floppy drive can be used to boot the system. Before proceeding any further, back up the hard disk in case any damage is done trying to restore the disk to boot status. The first thing to try is running the MS-DOS "SYS.COM" program. This program will copy the system files from one disk to another. After this is done, COMMAND.COM will have to be copied to the crashed disk using a simple "COPY" command. Information on this procedure is available in the MS-DOS manual.

If this does not work, Mace+ Utilities has a function called "restore boot sector" which should be tried. If all else fails, the disk should be first backed up and then low-level reformatted. Instructions for this procedure should either come with the computer or be available from a computer store. After this is done, the MS-DOS program "FDISK.COM" is run to prepare the disk for high-level formatting. This formatting is done with the DOS "FORMAT.EXE" program. The DOS manual should be consulted before running any of these MS-DOS commands or programs. When everything is completed, the backup can be restored.

Any improper attempts by an inexperienced user can result in permanent data loss.

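For the boot-sector and FAT cases above, a read-only check of a disk image shows which structures are still sane before any repair is attempted. This is an added example, not part of the original text; it assumes the standard FAT12/16 BIOS parameter block layout, and the function names and sample images are constructed.

```python
import struct

BPB = struct.Struct("<HBHBHHBH")  # FAT12/16 BIOS parameter block at offset 11

def survey_boot_sector(sector):
    """Return (problems, layout); layout is None when the sector is unusable."""
    if len(sector) < 512:
        return ["sector shorter than 512 bytes"], None
    bps, spc, reserved, fats, root_entries, _total, media, spf = BPB.unpack_from(sector, 11)
    problems = []
    if sector[510:512] != b"\x55\xaa":
        problems.append("boot signature 55 AA missing")
    if bps not in (512, 1024, 2048, 4096):
        problems.append(f"bytes per sector {bps} is not valid")
    if spc == 0 or spc & (spc - 1):
        problems.append(f"sectors per cluster {spc} is not a power of two")
    if reserved == 0 or fats == 0 or spf == 0:
        problems.append("reserved sector, FAT count or FAT size is zero")
    if media != 0xF0 and media < 0xF8:
        problems.append(f"media descriptor {media:#04x} is not valid")
    if problems:
        return problems, None
    fat_start = reserved * bps
    root_start = fat_start + fats * spf * bps
    root_bytes = (root_entries * 32 + bps - 1) // bps * bps  # whole sectors
    return [], {"fat_start": fat_start, "fat_bytes": spf * bps, "fat_copies": fats,
                "root_start": root_start, "data_start": root_start + root_bytes}

def fat_copies_agree(image, layout):
    """True when every FAT copy on the image is byte-identical to the first."""
    size, start = layout["fat_bytes"], layout["fat_start"]
    first = image[start:start + size]
    return all(image[start + i * size:start + (i + 1) * size] == first
               for i in range(1, layout["fat_copies"]))

def make_boot_sector():
    """Constructed boot sector with the geometry of a 1.44 MB floppy."""
    sector = bytearray(512)
    BPB.pack_into(sector, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

# Constructed images: boot sector followed by two FAT copies.
SAMPLE_FAT = b"\xf0\xff\xff" + bytes(9 * 512 - 3)
GOOD_IMAGE = make_boot_sector() + SAMPLE_FAT + SAMPLE_FAT
BAD_IMAGE = make_boot_sector() + SAMPLE_FAT + bytes(9 * 512)  # second copy wiped

if __name__ == "__main__":
    problems, layout = survey_boot_sector(GOOD_IMAGE[:512])
    print(problems, layout, fat_copies_agree(BAD_IMAGE, layout))
```

Run it against a copy of the disk image rather than the disk itself, so the survey cannot add to the damage.
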
Commonly used terms

1) Virus: A self-replicating program that must attach itself in some way to an existing executable on the target computer system in order to propagate. In doing so, no overt user action is required to further the replication process.

2) Trojan Horse: A non-replicating malicious program that misleads the user in order to cause him/her to execute its malicious code. Although it is malicious code, it is often hidden inside another piece of (apparently innocuous) code in order to escape detection. This type of program does not modify any existing executable files on the system.

3) Worm: A self-replicating program that does not attach itself to other executable code in order to propagate. It relies upon some weakness in a multi-user system, or requires some sort of overt user action in order to operate. The technical feasibility of worms on single user computer systems is debatable.

4) Infection: The act of modifying existing executable code in order to propagate a virus.

5) Masking: The act of preventing discovery by intervening at some point in the scanning process. Typically this effects an indication of a clean system, when, in fact, the environment under review has been modified.