funsec mailing list archives

RE: Gadi Busted In Massive Conspiracy


From: "Randy Abrams" <abrams () eset com>
Date: Thu, 2 Feb 2006 21:36:54 -0800

 

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Randy Abrams
Sent: Thursday, February 02, 2006 8:38 PM

I think that the infection rate of this worm is not high enough to 
skew call volumes.

A couple of questions re: recovery, best practice:

One and only one best recovery practice here... Backup regularly. 

Can the files deleted by the virus be recovered via a program 
like Norton's Protected Bin (on the assumption that they're 
running Norton but the virus subscriptions expired long ago, 
like most users whom I know)?

I don't believe that Norton's Protected Bin will help. I'm not a virus
analyst so I haven't looked, but my understanding is that the files are
overwritten, not deleted. Even if they were deleted it would depend on how
they were deleted to assess if Protected Bin would help.


Should the user be advised to shut down the computer 
immediately, so that a file "undelete" recovery program can 
be run, giving it the best chance of success?

Yes, shut down immediately. The more you use it the more likely that you
will overwrite data you wanted to recover. You may have copies of deleted
files in system restore though.

Any publicly traded software companies that sell file recovery software?
I'm guessing their profits might be up this quarter. <g>

<g> Don't run out buying their stock just yet. Most people aren't going to
pay for the programs they'll need. I wonder if Steve Gibson is working on
such a program. I believe he came out with something for recovering from
CIH.

Cheers,

Randy


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

