ZefrJPG utility for recovering JPG files lost to the Loveletter Worm

The archive ZEFRJPG.ZIP contains 3 files:

1. ZEFRJPG.TXT - the help file which you are now reading
2. ZEFRJPG.EXE - a DOS utility to be used in recovering JPGs on FAT partitions.
3. ZEFRJPG32.EXE - a Win32 utility for recovering JPGs on NTFS partitions. This program runs only under Win NT 4, Win2000, and Win XP.

These programs are freeware and may be distributed and used without charge as long as they are distributed in the original archive.

What actually happens when the LoveLetter worm strikes

Loveletter replaces all JPG files it finds on a system (as well as some other file types) with copies of itself. Initially, virtually all of the JPG files survive in a recoverable condition. That is to say, their file data remains present on the disk in unallocated clusters. These clusters may be overwritten by the Windows file system at any time, so that over a period of time the files become unrecoverable. For this reason, any attempt to recover the files should take place as soon as possible after a LoveLetter infection has been identified.

The initial step should be to remove all copies of the worm (use an anti-virus scanner and let it delete the worm copies) and reverse the changes the worm has made to the registry. A good tool for fixing the registry and other changes to the system made by the worm can be found at:

http://securityresponse.symantec.com/avcenter/venc/data/fix.vbs.loveletter.html

After the worm is removed, W95/98/ME systems should be shut down and then rebooted from an Emergency Boot Disk, which contains, along with the DOS system files, copies of ZEFRJPG.EXE and SMARTDRV.EXE. NT/2000/XP systems should also be booted from a DOS EBD if you want to restore JPG files on any FAT partitions on those systems. To restore files on NTFS partitions, it is not necessary to exit Windows.

Using ZEFRJPG.EXE

1. Boot to pure DOS. The program will work better if you load SMARTDRV.EXE.
2. Determine the partition to which you want to save the recovered files. Create a directory to contain the files, e.g. D:\RECOVERY. Saving to floppy disk is possible, but not recommended, unless you have no other alternative.
3. Start ZEFRJPG.EXE.
4. At the first prompt, indicate the letter of the partition containing the JPGs to be recovered.
5. At the next prompt, enter the pathname to the destination directory created in step 2.
6. ZeFR will now scan the partition, locate and save recoverable files.
7. The files will be saved as Znnnnnnn.JPG, where "nnnnnnn" is the start cluster of the file (the location at which it was found) in hexadecimal. You will have to view the contents and do a "save as" to rename them. This process will also correct the file lengths (ZeFR usually overshoots the lengths a little bit).

Using ZEFRJPG32.EXE

ZEFRJPG32 is a Win32 console application (it is not a DOS program, although it looks like one).

NOTE: You MUST be logged in as a user with administrative rights when running ZEFRJPG32.

1. Extract ZEFRJPG32 from the archive to a directory in the %PATH% or into the root directory of C:.
2. Click on the Start button, then click on Run. In the entry field type "CMD", then click OK. This will take you to a C: prompt in a console window.
3. At the prompt, type "ZEFRJPG32 source [destination] [max size]", where "source" is the letter of the drive to be scanned for recoverable JPG files; "[destination]" is the path name to the directory where the recovered files are to be copied (this should be a directory on a partition other than the one being scanned); and "[max size]" is the maximum allowable size for the recovered files in kilobytes (the default is 500K). While ZEFRJPG32 only scans NTFS partitions, there is no restriction on the destination partition - it may be a local hard disk partition of any type, a zip disk, a floppy disk or a network drive (but not a CDROM).

   Sample:

       ZEFRJPG32 C: D:\SAVE 1000

   This command line will cause ZEFRJPG32 to scan drive C: and save recoverable JPG files to the directory SAVE on drive D:. Files will be truncated to 1 megabyte in those cases where the files' end point cannot be identified.

   Sample:

       ZEFRJPG32 D:

   This command will cause ZEFRJPG32 to scan drive D: without saving any recoverable files. This is useful if you want a report of the number of recoverable files before you actually start the recovery.

4. On large partitions, ZEFRJPG32 can appear to just sit there without doing anything for several minutes. Don't worry, it is running. Eventually you will notice the progress bar moving upwards, and on-screen reports of found/recovered files.
5. The files will be saved as Znnnnnnn.JPG, where "nnnnnnn" is the start cluster of the file (the location at which it was found) in hexadecimal. You will have to view the contents and do a "save as" to rename them. This process will also correct the file lengths (ZEFR usually overshoots the lengths a little bit). Also, note that the original filenames and file locations cannot be recovered. You will have to rename and relocate them manually.

The author will provide email support on a time-available basis.

Robert Green
lasrpro@bellsouth.net
May 3, 2002