-----Original Message----- From: Tom Limoncelli [mailto:tal@research.bell-labs.com] Sent: Friday, June 11, 1999 8:22 AM To: Shaun T. Erickson Cc: Garrett Burke; toasters@mathworks.com Subject: Re: the virus
"Shaun T. Erickson" wrote:
This virus is a nasty one. I haven't seen it mentioned
here, but we have
discovered that it connects back to the fileserver the
infected person is
connected to and then scans the shares, deleting every file
of the types
specified, in every share, that the infected person has the
ability to
delete.
Just to re-iterate: It scans for shares and tries to mount them. If successful it looks for files that can be zapped. If you share files everyone:rwx then a lot of data may be affected.
On Fri, 11 Jun 1999, Garrett Burke wrote: Thank god for snapshots.
You can rename a snapshot. If you rename one to "PreVirus" it is pretty easy to write a little script that will find zero-length files that weren't zero-length in the snapshot and email the owner of the file (or do the restore automatically). [ Disclaimer: I haven't done this myself, but I'm told it is possible. ]
Its not just theoretical. NetApp got hit and we did exactly that.
--tal