The problem is that McAfee doesn't provide an extraction tool. Unfortunately it is also not possible to extract it to another location. The only possible solution so far is to copy the .bup file (the compressed and encoded original file) to another computer's quarantine location and extract it there.
OK, thanks for the information; as the file is on a LUN, that will not be possible.
Does anyone else feel it's sorta ridiculous that McAfee doesn't have a standalone BUP extraction tool?
Having one would immensely simplify the reporting of false positives.
I like that trick of sticking it in the quarantine location on another computer though. I had no idea that'd work.
After some research, I am able to recover quarantined files with this procedure. Perhaps someone could write a program or script to automate this:
How to recover McAfee .BUP quarantine files:
1. Use 7-Zip to extract two files from the .BUP file, called Details and File_0 (7-Zip can be found here: http://www.7-zip.org/).
2. XOR both files with the key "0x6A" (stupid protection) with the program called XOR.exe:
> xor.exe File_0 file_0.xor 0X6A
> xor.exe Details Details.txt 0X6A
3. Rename File_0.xor to the original name found in Details.txt.
Be careful with the virus!
xplorr, thanks for posting that. I had stumbled upon the XOR-with-6A thing in some random security talk somewhere, but hadn't procedurized it.
A simple alias would automate it if you have 7-Zip.
7zip.exe e File.BUP
is the command line for the unpacking function.
If you don't want to have to trust an XOR binary, and you're the sort of person that's got Python installed and handy (be it on a Linux box or under Cygwin in Windows), and you'd rather trust some Didier Stevens Python code, this Python script works nicely
with a command line of
~/bin/translate.py File_0 eicar_decoded.txt 'byte ^ 0x6A'
In comment #5 of that thread, there's an "UNbup" standalone script that looks simple enough, but I haven't been able to get it to work as is, likely due to my newness to Python and indentation appearing to be rather important to it.
The other thing that's great about having this capability is that one of the files that comes out of the BUP unpacking from 7-Zip is the Details file. The Details file gives you the original file timestamps of the malware. This can be an important clue to inferring the time of infection, potentially, if your malware was detected in an on-demand scan versus an on-access scan. I've been wanting to know how to get at that file timestamp information for freaking EVER and am thrilled to be able to get to it now. Both File_0 and Details are XOR'd with 6A. Why they make even the Details so hard to get at beats the daylights out of me.
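The unpack-and-XOR procedure from xplorr's post and the Details-file discussion above, as an added Python example that is not part of the original thread (not McAfee's code, nor Didier Stevens' translate.py). It assumes the .BUP is a plain zip holding Details and File_0, that Details decodes as INI-style text with an OriginalName= key (an assumption; only the Creation* keys are mentioned in the thread), and builds a constructed sample .BUP with a harmless payload so it runs offline:

```python
import io
import zipfile
import configparser

BUP_XOR_KEY = 0x6A  # single-byte XOR key named in the thread


def xor_bytes(data: bytes, key: int = BUP_XOR_KEY) -> bytes:
    """Apply the single-byte XOR; the same call both encodes and decodes."""
    return bytes(b ^ key for b in data)


def unbup(bup_bytes: bytes) -> dict:
    """Unpack a .BUP blob: decode Details and File_0, pull the original name.

    Returns {'details': str, 'original_name': str | None, 'file_0': bytes}.
    The caller decides what to do with file_0; it is NOT written to disk here.
    """
    with zipfile.ZipFile(io.BytesIO(bup_bytes)) as zf:
        details = xor_bytes(zf.read("Details")).decode("latin-1")
        file_0 = xor_bytes(zf.read("File_0"))
    # Assumption: Details is INI-style ([Section] / Key=Value lines).
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(details)
    original_name = None
    for section in cp.sections():
        if cp.has_option(section, "OriginalName"):  # assumed key name
            original_name = cp.get(section, "OriginalName")
            break
    return {"details": details, "original_name": original_name, "file_0": file_0}


def make_sample_bup(original_name: str, payload: bytes) -> bytes:
    """Constructed sample .BUP for offline testing (not a real quarantine file)."""
    details = (
        "[Details]\r\n"
        f"OriginalName={original_name}\r\n"
        "CreationYear=2012\r\nCreationMonth=3\r\nCreationDay=14\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Details", xor_bytes(details.encode("latin-1")))
        zf.writestr("File_0", xor_bytes(payload))
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_bup(r"C:\Temp\sample.txt", b"constructed harmless payload")
    result = unbup(sample)
    print(result["original_name"], len(result["file_0"]), "bytes recovered")
```

For a real quarantine file, read the .BUP from disk, pass the bytes to unbup(), and write file_0 out under the recovered name only into an isolated analysis location.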
I guess it has to do with the fact that McAfee and other virus scanners can scan zipped/compressed archives. I guess they XOR with 0x6A to avoid the scanners removing the files again in the quarantine folder.
There is now a Knowledgebase article related to this issue. KB72755 will be published by close of business US time today.
Regis, could you tell me exactly how you found the original file time stamps in the Details file once it's extracted from the .BUP? I have extracted the 2 files from the BUP, but the time stamps on the files are still from the moment the infected file was quarantined. Is the original time stamp inside the text of the Details file? I have opened the BUP in McAfee FileInsight, but I can't understand the contents of the Details file (it's all code to me). Can you help?
UPDATE: I was able to convert the Details file to Details.txt using the xor.exe utility, but when viewing Details.txt the CreationDay/Month/Year/Hours/Minutes= values are all the same as when the BUP was created (when the infected file was quarantined). Did you get different results?
Like you, we would find the original file time stamp to be VERY helpful in blocking potential malware sources.