[comp.virus] Is this a MAC virus attack?

ROEBUCK@admin1.usask.ca (Terry (TR) Roebuck; 966-4841) (11/05/90)

The machine:
        MAC SE/30; 4MB & 80 MB Apple drive running 6.04; MAChine purchased
        in spring of 1989; NEVER EVER BACKED UP!!!!! and holding the
        entire financial and planning records of a local dept.
Symptoms:
        Disinfectant 2.3 INIT goes off, WDEF on newly inserted diskette; user
        runs Disinfectant (theoretically correctly); everything seems fine ...
The next morning:
        First time being powered on after the Disinfectant run; the desktop
        comes up as being empty (no icons to be displayed; the message bar
        on the desktop window still reports 41,xxx KB used, 38,xxx KB available
        and indicates a reasonable number of files (~370) using the 41MB)
First Aid:
        Find File can not find any files.
        Apple FILE FIRST AID can not find anything to fix (I think this only
        looks at the desktop file).
        NORTON's MAC Utilities says that the directory has problems; says that
        it can fix the files affected and rebuild; claims to have done so, BUT
        no files are seen (same state as before - yes I rebuilt the desktop
        after the recover attempt).
The final Solution:
        SUM Utilities are required to get every file, and lots of 'stuff' that
        are/were files (got to get all 79.9MB back).  User is still sifting
        through 'hundreds' of "??MS WORD Doucument No. xx"; some of which have
        spreadsheets and databases stuck in the middle (fragmentation?). Disk
        seems fine (physically). Only clue was that there were at least 4
        different versions of the system on the disk; probably the result of
        poor application install practices ....
Question:
        Does this sound like a virus, or "a random photon from the radio
        galaxy"? - If it's a virus, which one? any other thoughts?  Did I do
        things in the right order?  Was there a magic bit to flip?
Comment:
        I could claim that the user deserved this - after all it is a lot
        easier to recover from a disk/tape than to look at all those files
        at the block level and determine if they should be saved; and we
        push at all levels to get these people to back up - but you know, once
        the data is dusted, someone has got to get it back (on the grounds
        that a few days of my work is better than 1000's of hours of theirs
        from an institutional point of view)
Aside:
        They are now buying a tape drive and I suspect will be doing backups.
===============================================================================
Terry (TR) Roebuck                                   University of Saskatchewan
Computing Services                              Saskatoon, Saskatchewan, Canada
"roebuck@Sask.Usask.CA"                                        (306) 966 - 4841
===============================================================================

dplatt@ames.arc.nasa.gov (Dave Platt) (11/10/90)

> The machine:
>         MAC SE/30; 4MB & 80 MB Apple drive running 6.04; MAChine purchased
>         in spring of 1989; NEVER EVER BACKED UP!!!!! and holding the
>         entire financial and planning records of a local dept.

Clearly, the excessive concentration of carelessness in the department
caused Bad Vibes to condense on the disk drive, etching away the
magnetic oxide and corrupting the directory structures. ;-}

>                              Only clue was that there were at least 4
>         different versions of the system on the disk; probably the result of
>         poor application install practices ....

<<Moan>>

> Question:
>         Does this sound like a virus, or "a random photon from the radio
>         galaxy"? - If it's a virus, which one? any other thoughts?  Did I do
>         things in the right order?  Was there a magic bit to flip?

It sounds as if machine errors or crashes, at various times in the
past 18 months, had done some low-level damage to the disk directory
structures.  The errors became more and more severe as time went by,
due to the subsequent updating of the disk data structures.
Eventually, a high-level directory entry became corrupted, and the
files on the disk became inaccessible.

It's known that the WDEF virus is capable of causing crashes which
corrupt disk data structures... I've encountered disks which were
rendered entirely unmountable as a result of WDEF-induced crashes.  If
the Disinfectant INIT had only recently been installed on the SE/30,
it's possible that previous infections might have caused some damage
to the directories, and that only now has the damage propagated enough
to cause visible symptoms.

It's always a good idea to perform some preventive maintenance and
checking of your filesystems... run Disk First Aid periodically, run
the surface test in the SCSI HD Setup, use Disk Doctor, etc.  If
problems show up, it's usually a good idea to back up the disk,
reinitialize, and restore the files.

Based on what you say about the lack of backups, I suspect that this
sort of routine check hasn't been performed on that machine.

> Comment:
>         I could claim that the user deserved this - after all it is a lot
>         easier to recover from a disk/tape than to look at all those files
>         at the block level and determine if they should be saved; and we
>         push at all levels to get these people to back up - but you know, once
>         the data is dusted, someone has got to get it back (on the grounds
>         that a few days of my work is better than 1000's of hours of theirs
>         from an institutional point of view)

Grumble.  You ought to bill them for your time, if your organizational
charter will permit doing so.

You should also let them know that you cannot guarantee complete
retrieval of their data, _or_ the correctness of any of it.  Recommend
that they manually inspect _every_ file that you restore, for
correctness from a financial point of view.

Put this in writing, with copies to your supervisor, to the head of the
department that owns the Mac, and to the head-of-department's superior.

You might also want to talk with your University's finance department,
and ask them what the requirements are for departmental financial
planners.  People who have financial authority are often required (by
audit requirements, and sometimes by law) to exercise due diligence in
maintaining the integrity of their data.  The failure of this department
to maintain backups could put them at risk of disciplinary action.

> Aside:
>         They are now buying a tape drive and I suspect will be doing
>         backups.

... now that the horse has escaped from the barn and has frozen to death
on the tundra.

SUEHAY@BROWNVM.BITNET (Sue Hay (tm)) (11/16/90)

David Platt posted to the VIRUS-L Digest:

>Date:    09 Nov 90 19:37:35 +0000
>From:    coherent!dplatt@ames.arc.nasa.gov (Dave Platt)
>...
>It's known that the WDEF virus is capable of causing crashes which
>corrupt disk data structures... I've encountered disks which were
>rendered entirely unmountable as a result of WDEF-induced crashes.  If
>the Disinfectant INIT had only recently been installed on the SE/30,
>it's possible that previous infections might have caused some damage
>to the directories, and that only now has the damage propagated enough
>to cause visible symptoms.

I asked John Norstad, author of Disinfectant, to confirm or refute
this, and here is his reply:

>Yes, it's possible, but it doesn't seem to happen very often.

I'm posting his answer because I thought that people might be
interested in seeing it confirmed by him.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* Susan E. Hay                                                          *
* User Services Specialist/Apple Support Coordinator                    *
*                                                                       *
* Computing & Information Services   phone: 401-863-7302                *
* Brown University                   internet: suehay@brownvm.brown.edu *
* Box 1885, 115 Waterman Street      bitnet: suehay@brownvm             *
* Providence, RI  02912              applelink: suehay                  *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *