Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: coherent!dplatt@ames.arc.nasa.gov (Dave Platt)
Newsgroups: comp.virus
Subject: Re: Is this a MAC Virus attack? (Mac)
Message-ID: <0021.9011141856.AA23262@ubu.cert.sei.cmu.edu>
Date: 9 Nov 90 19:37:35 GMT
Sender: Virus Discussion List
Lines: 77
Approved: krvw@sei.cmu.edu

> The machine:
> MAC SE/30; 4MB & 80 MB Apple drive running 6.04; MAChine purchased
> in spring of 1989; NEVER EVER BACKED UP!!!!! and holding the
> entire financial and planning records of a local dept.

Clearly, the excessive concentration of carelessness in the department
caused Bad Vibes to condense on the disk drive, etching away the
magnetic oxide and corrupting the directory structures. ;-}

> Only clue was that there were at least 4
> different versions of the system on the disk; probably the result of
> poor application install practices ....

<>

> Question:
> Does this sound like a virus, or "a random photon from the radio
> galaxy"? - If it's a virus, which one? any other thoughts? Did I do
> things in the right order? Was there a magic bit to flip?

It sounds as if machine errors or crashes, at various times in the past
18 months, had done some low-level damage to the disk directory
structures. The errors became more and more severe as time went by, due
to the subsequent updating of the disk data structures. Eventually, a
high-level directory entry became corrupted, and the files on the disk
became inaccessible.

It's known that the WDEF virus is capable of causing crashes which
corrupt disk data structures... I've encountered disks which were
rendered entirely unmountable as a result of WDEF-induced crashes.

If the Disinfectant INIT had only recently been installed on the SE/30,
it's possible that previous infections might have caused some damage to
the directories, and that only now has the damage propagated enough to
cause visible symptoms.

It's always a good idea to perform some preventive maintenance and
checking of your filesystems... run Disk First Aid periodically, run
the surface-test in the SCSI HD Setup, use Disk Doctor, etc. If
problems show up, it's usually a good idea to back up the disk,
reinitialize, and restore the files. Based on what you say about the
lack of backups, I suspect that this sort of routine check hasn't been
performed on that machine.

> Comment:
> I could claim that the user deserved this - after all it is a lot
> easier to recover from a disk/tape than to look at all those files
> at the block level and determine if they should be saved; and we
> push at all levels to get these people to backup - but you know, once
> the data is dusted, some one has got to get it back (on the grounds
> that a few days of my work is better than 1000's of hours of theirs
> from an institutional point of view) Grumble.

You ought to bill them for your time, if your organizational charter
will permit doing so.

You should also let them know that you cannot guarantee complete
retrieval of their data, _or_ the correctness of any of it. Recommend
that they manually inspect _every_ file that you restore, for
correctness from a financial point of view. Put this in writing, with
copies to your supervisor, to the head of the department that owns the
Mac, and to the head-of-department's superior.

You might also want to talk with your University's finance department,
and ask them what the requirements are for departmental financial
planners. People who have financial authority are often required (by
audit requirements, and sometimes by law) to exercise due diligence in
maintaining the integrity of their data. The failure of this department
to maintain backups could put them at risk of disciplinary action.

> Aside:
> They are now buying a tape drive and I suspect will be doing
> backups.

.. now that the horse has escaped from the barn and has frozen to death
on the tundra.