McAfee has a tool named FileInsight; using this tool you are able to get the original file (unzip, then XOR).
Sometimes I want to handle the BUP quarantine files (e.g. to submit to McAfee or a virus service).
I think they're XOR'd (or something similar and simple) along with some header data.
Has anyone developed a tool to extract these files from the BUP? The only other method is "restoring" it from quarantine, hardly the best method, as other fragments (such as autorun registry keys) are restored at the same time.
This was addressed in earlier posts:
How to restore a quarantined file not listed in the VSE Quarantine Manager
Corporate KnowledgeBase ID: KB72755
Last Modified: September 12, 2011
McAfee VirusScan Enterprise 8.x McAfee VirusScan Enterprise Quarantine Manager component
There may be circumstances where a quarantined file is deleted by VirusScan Enterprise (VSE) before you realize the file needs to be preserved. This could be for submission to McAfee Labs for instance. While you may be able to restore the .BUP file to C:\Quarantine\, the Quarantine Manager will no longer show the quarantined file. Therefore, it cannot be restored using the Quarantine Manager. This article explains how to manually extract information from .BUP files not listed in Quarantine Manager.
To extract files from Quarantine (.BUP) files:
Using Windows Explorer, create a temporary folder. In this example: C:\SAVE-BUP
Download the 7-Zip file compression utility from http://www.7-zip.org/.
Install the 7-Zip utility and extract the following two files from the .BUP file to C:\SAVE-BUP:
Details
File_0
To decrypt files contained in .BUP files:
Download the XOR utility from http://www.softpedia.com/get/Programming/Other-Programming-Files/Xor.shtml.
Extract xor.zip to C:\SAVE-BUP.
Click Start, Run, type cmd, and press ENTER.
Type cd \SAVE-BUP and press ENTER.
Type xor.exe File_0 file_0.xor 0X6A and press ENTER.
Type xor.exe Details Details.txt 0X6A and press ENTER.
NOTE: 0x6A is the encryption key used.
Rename File_0.xor to the original name found in the Details file.
Related Information: For more information on the 7-Zip file compression utility, see KB72766.
Hopefully this gives you enough info to extract the files for submission to McAfee.
Post back if you need more.
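The same unzip-then-XOR procedure, as an added Python example that is not part of the KB article or of any McAfee tool. It assumes the single-byte key 0x6A from the article; the Details file layout in the constructed sample (an INI-style file with an OriginalName= line) and the optional olefile-based reader are assumptions, so if olefile is not installed, extract File_0 and Details with 7-Zip as described above and feed the two files to decode_bup_members().

```python
import re
from typing import Optional, Tuple

BUP_XOR_KEY = 0x6A  # single-byte key stated in the KB article


def xor_decode(data: bytes, key: int = BUP_XOR_KEY) -> bytes:
    """XOR every byte with the key. XOR is its own inverse, so the
    same call turns plaintext back into the quarantined form."""
    return bytes(b ^ key for b in data)


def original_name(details_text: str) -> Optional[str]:
    """Pull the OriginalName value out of the decoded Details file.
    The key name 'OriginalName' is an assumption about the layout."""
    m = re.search(r"^OriginalName=(.*)$", details_text, re.MULTILINE)
    return m.group(1).strip() if m else None


def decode_bup_members(file_0: bytes, details: bytes) -> Tuple[bytes, Optional[str]]:
    """Decode both members extracted from a .BUP and return
    (original file bytes, original file name or None)."""
    payload = xor_decode(file_0)
    text = xor_decode(details).decode("latin-1", errors="replace")
    return payload, original_name(text)


def read_bup_members(path: str) -> Tuple[bytes, bytes]:
    """Optional: read File_0 and Details straight from a .BUP, which is an
    OLE compound file. Needs the third-party 'olefile' package (assumed)."""
    import olefile  # not needed for the in-memory sample below
    ole = olefile.OleFileIO(path)
    try:
        return ole.openstream("File_0").read(), ole.openstream("Details").read()
    finally:
        ole.close()


# Constructed sample: a Details file and a dummy payload, both XOR-encoded
# with 0x6A exactly as they would sit inside a quarantine container.
SAMPLE_DETAILS = xor_decode(
    b"[Details]\r\nDetectionName=Constructed.Test\r\n\r\n"
    b"[File_0]\r\nObjectType=5\r\nOriginalName=C:\\Temp\\sample.exe\r\n"
)
SAMPLE_FILE_0 = xor_decode(b"MZ" + b"\x00" * 14 + b"constructed payload")

if __name__ == "__main__":
    payload, name = decode_bup_members(SAMPLE_FILE_0, SAMPLE_DETAILS)
    print("original name:", name, "| first bytes:", payload[:2])
```

Write the decoded payload under a non-executable name until it has been renamed and handed to the submission service, since it is live content once decoded.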
Thanks for the info
I have written a nice extraction tool for your use; it's GUI-based C# (you'll need the .NET 4 framework).
Just choose the BUP file and a destination folder and the tool will extract the two files, check the Details file for the right name and extension,
and XOR the malware to the new folder.
You can download the tool HERE.
Just unzip and run setup.exe.
Check out my BLOG for updates on security stuff and more tools (some of the stuff is in Hebrew, so use Google Translate).
Message was edited by: coopert on 4/14/12 7:50:44 AM CDT