Re: WAY OT--Crisis...virus! Need help

David Luyer (luyer@ucs.uwa.edu.au)
Wed, 28 Apr 1999 12:15:45 +0800


> OTOH I heard about cases when people used
> 'gpart' and got back enough of information to make further recovery at
> least reasonably easy.

It worked for me to recover all but the first partition on CIH-damaged
computers, once I used it on a drive which was unaffected and saw what
results it returned on that drive compared to what the actual partition
table was. However it gave partly incorrect answers:

- the numbers it gives are off by one, it starts at 0 and fdisk
starts at one. add one.
- it doesn't properly recognize extended Win95 partitions. if
you notice partition offset is about 60(?) blocks higher than it
should be when worked out by hand, that seems to indicate an
extended partition. create a type 5 extended partition and
the relevant partition type inside it.
- mount and dmesg are your friends, use them once you have a
'reasonable guess'.

> Going back to "Chernobyl virus" - I was told that it destroys
> FAT tables, backup FAT tables, partition tables and after that
> attempts to overwrite BIOS.

I've heard it does all kinds of things. Actually fixing affected
machines for friends/family tells me it only overwrites about the
first 1Mb of the first drive in the system, leaving any extra
partitions on that drive and any additional drives fine. It also
will destroy the BIOS flash chip in most cases. The stories
of "we lost everything" mean that the people were too stupid and
believed the anti-virus companies who told them it was unrecoverable,
and as a result lost masses of otherwise recoverable data. Wonder
if anyone will sue the anti-virus companies for giving out such
harmful false information :-) I have submitted a feedback form on
each anti-virus site I've come across pointing out that they are
doing harm by spreading such misinformation, but they probably
won't change, since making the damage out as worse than it really
is is how they can sell more copies of their products. Losing
C: isn't very important for most people since it is only Windows
and programs, and rarely has real data on it.

David.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
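An added example, not part of the original message and not gpart's own code: a minimal Python scan for surviving FAT boot sectors in a disk image whose first 1 MiB has been zeroed, flagging volumes that look like logical drives inside an extended partition. It assumes 512-byte sectors and the classic 63-sector track layout; the image, LBAs and sizes are constructed sample values, and all function names are hypothetical.

```python
import struct

SECTOR = 512  # assumption: 512-byte sectors

def fat_boot_sector(hidden, total):
    """Constructed sample: a FAT16 boot sector with only the fields scan() reads."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x3c\x90"                  # x86 jump at the start of the sector
    struct.pack_into("<H", bs, 0x0B, SECTOR)   # bytes per sector
    struct.pack_into("<I", bs, 0x1C, hidden)   # "hidden sectors" before the volume
    struct.pack_into("<I", bs, 0x20, total)    # 32-bit total sector count
    bs[0x36:0x3E] = b"FAT16   "                # filesystem type string
    bs[510:512] = b"\x55\xaa"                  # boot signature
    return bytes(bs)

def sample_image():
    """Constructed 4 MiB disk: first 1 MiB zeroed, two volumes surviving after it."""
    img = bytearray(8192 * SECTOR)
    img[4032 * SECTOR:4033 * SECTOR] = fat_boot_sector(hidden=4032, total=2016)
    # Logical volume: its EBR is at 6048, the volume starts one 63-sector track later.
    img[6111 * SECTOR:6112 * SECTOR] = fat_boot_sector(hidden=63, total=1953)
    return bytes(img)

def scan(image):
    """Return candidate FAT volumes as dicts, in on-disk order."""
    hits, lba, end = [], 0, len(image) // SECTOR
    while lba < end:
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        is_fat = (sec[510:512] == b"\x55\xaa" and sec[0] in (0xEB, 0xE9)
                  and struct.unpack_from("<H", sec, 0x0B)[0] == SECTOR
                  and (sec[0x36:0x39] == b"FAT" or sec[0x52:0x57] == b"FAT32"))
        if not is_fat:
            lba += 1
            continue
        hidden = struct.unpack_from("<I", sec, 0x1C)[0]
        total = (struct.unpack_from("<H", sec, 0x13)[0]
                 or struct.unpack_from("<I", sec, 0x20)[0])
        # Assumption: a primary volume records its own start LBA as "hidden sectors";
        # a logical one records its distance from the EBR, so the two differ.
        logical = hidden != lba
        hits.append({"start_lba": lba, "sectors": total, "logical": logical,
                     "ebr_lba": lba - hidden if logical else None})
        lba += max(total, 1)  # skip the volume body (and any FAT32 backup boot sector)
    return hits

if __name__ == "__main__":
    for hit in scan(sample_image()):
        print(hit)
```

A hit flagged `logical` is the case where the type 5 extended partition would begin at `ebr_lba` rather than at the volume's own start sector.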