Windows Me recovery may restore viruses

Microsoft Corp. acknowledges that the System Restore facility in Windows Millennium Edition (Windows Me) may put back a virus or worm that a user has previously eliminated.

But it is the user’s responsibility to check frequently for infection from whatever source, says technical marketing group manager Terry Allen.

Me’s System Restore facility periodically saves the state of system files in a PC, and the user may explicitly create such a snapshot when there is a risk of the system being unpredictably affected – for example, before installing a new application. If the install creates instabilities, the system can be restored to the state it was in before the damaging step.

Unfortunately, if a virus or worm is in a system file when a restore point is recorded, the infected file will be put in the backup folder, called _restore. If the system subsequently has to be restored, re-infection may occur, says Allen.

“Microsoft always advises users to adopt responsible practices to maintain the security of their data,” he says in an email. “For home users, this means ensuring that you have good anti-virus software that is activated each time you switch on and will check attachments and Web files as they are opened or downloaded.” Infection is “easily preventable if users remain vigilant”, he says.

Windows Me backup files end with .cpy. Not all anti-virus products are set by default to check *.cpy files. In one case encountered by Computerworld, Trend Micro’s PC-cillin, working with its default settings, scanned the *.cpy files and found a virus, while Symantec’s Norton AntiVirus had failed to check these files in a previous scan – though it can be set to do so. The *.cpy files in the _restore folder are “protected”, says Allen, and cannot be directly changed by the user – or deleted, repaired or quarantined by an anti-virus product. They do not appear in the My Computer or Windows Explorer trees, even when the system is set to show hidden files, and are not shown by Windows Me’s Search function (the equivalent of Windows 98’s Find). So a user may be unaware that these files exist at all.
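The two failure modes described above (a scanner whose default extension list skips the *.cpy copy, and a restore that copies the untouched *.cpy back over a file the user has already cleaned) can be reproduced on a constructed directory tree. The following is an added example written for this page, not Microsoft's or any anti-virus vendor's code: the file names, the extension list and the marker string standing in for a malware signature are all assumptions, and the tree is built in a temporary directory so it runs anywhere.

```python
"""Added example: extension-filtered scanning misses the _restore copy,
and restoring that copy re-infects a cleaned system file.

Everything here is constructed for illustration: the tree layout, the
default extension list and the SIGNATURE marker (not a real virus).
"""
import os
import shutil
import tempfile
from pathlib import Path

# Constructed marker standing in for a real malware signature.
SIGNATURE = b"CONSTRUCTED-TEST-MARKER-NOT-A-REAL-VIRUS"

# Assumed default extension list of an extension-filtering scanner; the real
# product defaults discussed in the article are not spelled out there.
DEFAULT_EXTENSIONS = {".exe", ".dll", ".com", ".vxd", ".scr", ".sys"}


def build_sample_tree(root: Path) -> dict:
    """Lay out a tiny constructed Windows Me-like tree under `root`."""
    infected = SIGNATURE + b"\x00" * 64
    sysfile = root / "WINDOWS" / "SYSTEM" / "SHELL32.DLL"
    sysfile.parent.mkdir(parents=True)
    sysfile.write_bytes(infected)
    # System Restore's copy: same bytes, renamed into the _restore store as .cpy
    cpy = root / "_RESTORE" / "ARCHIVE" / "RP1" / "A0000001.CPY"
    cpy.parent.mkdir(parents=True)
    cpy.write_bytes(infected)
    clean = root / "WINDOWS" / "NOTEPAD.EXE"
    clean.write_bytes(b"MZ" + b"\x00" * 64)
    return {"sysfile": sysfile, "cpy": cpy, "clean": clean}


def scan(root: Path, extensions=None) -> list:
    """Return relative paths of files whose content contains SIGNATURE.

    With `extensions` set, only files carrying one of those suffixes are
    opened (the default-settings behaviour the article describes); with
    None, every file is opened regardless of its name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if extensions is not None and path.suffix.lower() not in extensions:
                continue  # the .cpy copy is skipped here
            if SIGNATURE in path.read_bytes():
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def disinfect_and_restore(files: dict) -> bool:
    """Delete the infected system file (what an anti-virus 'delete' does), then
    replay a restore by copying the untouched .cpy back over it, and report
    whether the signature is present again."""
    files["sysfile"].unlink()
    shutil.copyfile(files["cpy"], files["sysfile"])
    return SIGNATURE in files["sysfile"].read_bytes()


def demo() -> dict:
    """Run both scans and the restore replay on a fresh constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = build_sample_tree(root)
        filtered = scan(root, DEFAULT_EXTENSIONS)
        full = scan(root)
        reinfected = disinfect_and_restore(files)
        return {"filtered": filtered, "full": full, "reinfected": reinfected}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The filtered scan reports only the live system file, the unfiltered scan also reports the *.cpy copy, and after the system file is deleted and the copy restored the signature is back, which is exactly the re-infection path the article describes. The practical check is therefore whether your scanner's configuration opens files in the _restore store by content rather than by extension.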

“If the user is aware of an infected file, they can follow the straightforward steps outlined on the (Microsoft) Web site to delete the System Restore files before they can be reactivated,” Allen says.

These steps are outlined on the Microsoft support Web site. The user may decrease the size of the backup store in an attempt to force out the infected record. The backup facility uses a first-in, first-out procedure, so decreasing the storage size purges the oldest entries first. If this eight-step procedure fails, the user may temporarily purge the store altogether – a procedure outlined in five steps.

Purging, however, discards every existing restore point, so the system cannot be rolled back to any state recorded before the purge until new restore points have been created.

Computerworld also asked Allen whether data files inadvertently acquired and deleted, and containing illegal material – defamatory, copyright-breaching or objectionable under censorship law – might be restored unknown to the user, or lurk in the _restore folder. This is impossible, he says, since System Restore only stores system files.