
                              ZefrJPG

       utility for recovering JPG files lost to the Loveletter Worm


The archive ZEFRJPG.ZIP contains 3 files:

1. ZEFRJPG.TXT - the help file which you are now reading

2. ZEFRJPG.EXE - a DOS utility to be used in recovering JPGs on FAT
   partitions.

3. ZEFRJPG32.EXE - A win32 utility for recovering JPGs on NTFS partitions.
   This program runs only under Win NT 4, Win2000, and Win XP.

These programs are freeware and may be distributed and used without charge as
long as they are distributed in the original archive.


        What actually happens when the LoveLetter worm strikes

LoveLetter replaces all JPG files it finds on a system (as well as some
other file types) with copies of itself. Initially, virtually all of the
JPG files survive in a recoverable condition. That is to say, their file
data remains present on the disk in clusters that the file system now
treats as unallocated: deleting the original frees its clusters but does
not erase their contents.

These clusters may be reused by the Windows file system at any time (any
write to the partition can claim them), so over a period of time the files
become unrecoverable. For this reason, any attempt to recover the files
should take place as soon as possible after a LoveLetter infection has been
identified, and until then as little as possible should be written to the
affected partition.

The initial step should be to remove all copies of the worm (use an anti-
virus scanner and let it delete the worm copies) and reverse the changes the
worm has made to the registry. A good tool for fixing the registry and other
changes to the system made by the worm can be found at:

http://securityresponse.symantec.com/avcenter/venc/data/fix.vbs.loveletter.html

After the worm is removed, W95/98/ME systems should be shut down and then
rebooted from an Emergency Boot Disk, which contains, along with the DOS
system files, copies of ZEFRJPG.EXE and SMARTDRV.EXE. NT/2000/XP systems
should also be booted from a DOS EBD if you want to restore JPG files on any
FAT partitions on those systems.

To restore files on NTFS partitions, it is not necessary to exit Windows.


                          Using ZEFRJPG.EXE


1. Boot to pure DOS. The program will work better if you load
SMARTDRV.EXE.

2. Determine the partition to which you want to save the recovered
files. Create a directory to contain the files, e.g., D:\RECOVERY. The
destination should be on a partition other than the one being scanned,
so that writing the recovered files cannot overwrite clusters you are
still trying to recover. Saving to floppy disk is possible, but not
recommended, unless you have no other alternative.

3. Start ZEFRJPG.EXE.

4. At the first prompt, indicate the letter of the partition
containing the JPGs to be recovered.

5. At the next prompt, enter the pathname to the destination directory
created in step 2.

6. ZeFR will now scan the partition, locate and save recoverable
files.

7. The files will be saved as Znnnnnnn.JPG, where "nnnnnnn" is the start
cluster of the file (the location at which it was found) in hexadecimal.
You will have to view the contents and do a "save as" to rename them.
This process will also correct the file lengths (ZeFR usually
overshoots the lengths a little bit).


                       Using ZEFRJPG32.EXE

ZEFRJPG32 is a win32 console application (it is not a DOS program, although
it looks like one).

NOTE: You MUST be logged in as user with administrative rights when running
ZEFRJPG32. 

1. Extract ZEFRJPG32 from the archive to a directory in the %PATH% or into
the root directory of C:.

2. Click on the Start button, then click on Run. In the entry field type
"CMD", then click OK. This will take you to a C: prompt in a console window.

3. At the prompt, type "ZEFRJPG32 source [destination] [max size]", where
"source" is the letter of the drive to be scanned for recoverable JPG files;
"[destination]" is the path name to the directory where the recovered files
are to be copied (this should be a directory on a partition other than the
one being scanned); and "[max size]" is the maximum allowable size for the
recovered files in kilobytes (the default is 500K).

While ZEFRJPG32 only scans NTFS partitions, there is no restriction on the
destination partition - it may be a local hard disk partition of any type,
a zip disk, a floppy disk or a network drive (but not a CDROM).

Sample: ZEFRJPG32 C: D:\SAVE 1000

This command line will cause ZEFRJPG32 to scan drive C: and save recoverable
JPG files to the directory SAVE on drive D:. Files will be truncated to
1000 kilobytes (about 1 megabyte) in those cases where the file's end point
cannot be identified.

Sample: ZEFRJPG32 D:

This command will cause ZEFRJPG32 to scan drive D: without saving any
recoverable files. This is useful if you want a report of the number of
recoverable files before you actually start the recovery. 

4. On large partitions, ZEFRJPG32 can appear to just sit there without
doing anything for several minutes. Don't worry, it is running. Eventually
you will notice the progress bar moving upwards, and on-screen reports of
found/recovered files.

5. The files will be saved as Znnnnnnn.JPG, where "nnnnnnn" is the start
cluster of the file (the location at which it was found) in hexadecimal.
You will have to view the contents and do a "save as" to rename them.
This process will also correct the file lengths (ZeFR usually
overshoots the lengths a little bit).

Also, note that the original filenames and file locations cannot be
recovered. You will have to rename and relocate them manually.
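The following is an added example, not part of ZefrJPG and not the author's
code, showing the kind of scan both programs perform on a raw partition
image: look for the JPEG start-of-image marker at cluster boundaries, carve
until the end-of-image marker, cut off at a maximum size when no end can be
found (as the [max size] argument does), and name each file by its start
cluster in hexadecimal. The cluster size, the 7-digit name width and the
sample "partition image" built by build_sample_image() are assumptions made
for the example.

```python
import argparse
import os
import re

SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker; the next byte is the first segment marker
EOI = b"\xff\xd9"       # JPEG end-of-image marker


def carve_jpegs(image, cluster_size=4096, max_size=500 * 1024):
    """Scan a raw partition image (bytes) for lost JPEGs.

    Returns a list of (name, data, complete) tuples. Only hits that sit at the
    start of a cluster are accepted, because a file's data always begins on a
    cluster boundary; an FF D8 FF run found mid-cluster is some other data.
    The name follows the ZeFR convention Z<start cluster in hex>.JPG (the
    7-digit width is an assumption, chosen to fit an 8.3 filename).
    """
    found = []
    for hit in re.finditer(re.escape(SOI), image):
        start = hit.start()
        if start % cluster_size != 0:
            continue
        limit = min(start + max_size, len(image))
        end = image.find(EOI, start, limit)
        if end == -1:
            # Tail already overwritten, or file longer than max_size: cut at
            # the limit, the way ZEFRJPG32 does with its [max size] argument.
            data, complete = image[start:limit], False
        else:
            data, complete = image[start:end + len(EOI)], True
        found.append((f"Z{start // cluster_size:07X}.JPG", data, complete))
    return found


def save_carved(found, dest_dir):
    """Write carved files to dest_dir. dest_dir should be on a different
    partition from the one scanned, so the writes cannot reclaim clusters
    that still hold recoverable data. Returns the paths written."""
    os.makedirs(dest_dir, exist_ok=True)
    paths = []
    for name, data, _complete in found:
        path = os.path.join(dest_dir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def build_sample_image(cluster_size=512):
    """Constructed test data (not a real disk): a tiny 'partition image' with
    one intact lost JPEG at cluster 1, a decoy SOI run at cluster 2 that is
    not cluster aligned, and at cluster 3 a JPEG whose tail has been
    overwritten (no EOI marker follows it)."""
    jpeg_a = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"A" * 40 + b"\xff\xd9"
    decoy = b"\x11" * 100 + b"\xff\xd8\xff\xe1" + b"\x22" * (cluster_size - 104)
    jpeg_b = b"\xff\xd8\xff\xe1" + b"B" * 1500

    def pad(chunk):
        return chunk + b"\x00" * ((-len(chunk)) % cluster_size)

    return pad(b"\x00" * cluster_size) + pad(jpeg_a) + pad(decoy) + pad(jpeg_b)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="minimal JPEG carver (added example)")
    ap.add_argument("image", nargs="?", help="raw partition image; omit to use the built-in sample")
    ap.add_argument("dest", nargs="?", help="destination directory on another partition")
    ap.add_argument("--cluster-size", type=int, default=4096)
    ap.add_argument("--max-size-kb", type=int, default=500)
    args = ap.parse_args()
    if args.image:
        with open(args.image, "rb") as fh:   # a real partition image belongs in mmap, not read()
            image = fh.read()
        cluster = args.cluster_size
    else:
        image, cluster = build_sample_image(), 512
    results = carve_jpegs(image, cluster, args.max_size_kb * 1024)
    for name, data, complete in results:
        print(f"{name}  {len(data):7d} bytes  {'complete' if complete else 'truncated'}")
    if args.dest:
        save_carved(results, args.dest)
```

Run without arguments to carve the built-in sample, or with an image file
and a destination directory to carve a real partition dump. Note that
stopping at the first FF D9 is a simplification: a JPEG with an EXIF
thumbnail carries a complete inner JPEG inside its APP1 segment, so the
first end-of-image marker may belong to the thumbnail and the carved file
will be too short. Walking the marker segments avoids that, and it is also
why the text above tells you to open each recovered file in a viewer and
save it again to fix the length.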

The author will provide email support on a time-available basis.

Robert Green
lasrpro@bellsouth.net
May 3, 2002
