
Would malware or any other infection be able to spread through a system image?


6 replies to this topic

#1 johndoh

  • Members
  • 7 posts

Posted 12 August 2016 - 10:15 PM

Hello.
 
So I have an ongoing process here. I'm dealing with a computer having ransomware-infected files on it. I was assured on another topic I made that "the encrypted files do not contain malicious code so they are safe".
 
But now I want to back up the whole system as an image file, so maybe in the future, if there's a fix to be found for this particular ransomware, I could just apply the fix on the image and my friend could get his encrypted photos and documents back. My plan would be to split the hard drive in half, where one partition would hold only the image files and the other one the system files - so C: drive for the system and D: drive for the image files.
 
I'd make an image of the current state, with files having the ransomware infection and the system itself having tons of malware. I'd be making the system image file with Windows' built-in tool, which would leave me with a *.VHD file of the entire C: drive.
 
After I've created the image of the C: drive to D: drive and I have this *.VHD file, I'd format the C: drive and install new Windows for my friend.
What I'm concerned about is, could this *.VHD and its contents infect the newly installed Windows? Or should I scan the C: drive with malware and anti-virus scanners before I create the VHD image?
 
 
Thanks for replying.



#2 Didier Stevens

  • BC Advisor
  • 2,719 posts

Posted 13 August 2016 - 03:34 AM

Do you plan to mount the VHD? Or just keep it until there's a fix?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 johndoh (Topic Starter)

  • Members
  • 7 posts

Posted 13 August 2016 - 10:56 AM

I think my plan is to just create the VHD and leave it just here and keep it until there's a fix, so I wouldn't mount it. I'd just back up some folders, which I was able to recover, which were left untouched by the ransomware and give these to my friend.



#4 Didier Stevens

  • BC Advisor
  • 2,719 posts

Posted 14 August 2016 - 02:48 AM

That plan sounds good.




#5 johndoh (Topic Starter)

  • Members
  • 7 posts

Posted 14 August 2016 - 09:59 AM

But should I scan the computer for other viruses and malware, besides this ransomware, before I create the VHD? Could the contents of this VHD infect the freshly installed Windows, if the VHD is sitting on another partition? I was able to scan with ESET Online and it scanned for like 4-5 hours. But the anti-virus software, Comodo, has been running for 10+ hours and there's no end in sight. So yeah, is it necessary that I do these scans, given that I'll install a new operating system anyway and format the whole drive after I've created the VHD on the other partition?



#6 Didier Stevens

  • BC Advisor
  • 2,719 posts

Posted 14 August 2016 - 02:01 PM

Well, you said that you won't mount it, so it cannot infect a machine onto which you will copy it.

 

As for the scanning, that's up to you. Do you want to deal with detected malware now, or sometime (maybe) when you'll recover the files from the VHD?

Are you the only one who will ever use this VHD? If there are potentially other people who will use it, then it's safer to scan first.




#7 johndoh (Topic Starter)

  • Members
  • 7 posts

Posted 14 August 2016 - 03:32 PM

So as long as my friend keeps this VHD on the other partition and doesn't touch or mount it, his freshly installed Windows won't get infected. Ok, glad to hear that.

 

But yeah, I'll probably scan with four programs (Comodo's anti-virus, Malwarebytes Anti-Malware, ESET Online and Emsisoft's Anti-Malware), however long it takes, and then create the VHD, just to be sure. Because in the future I might have to help my friend mount this VHD and apply a fix to the encrypted files that are affected by the ransomware at the moment. And when I mount the VHD, I don't want any of the bad stuff spreading from the mounted VHD to the whole system.
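The thread ends with the plan to keep the VHD unmounted until a decryptor exists and then open it once to get the encrypted documents out. The script below is an added example, not something posted in the thread or part of any product; it shows the two defensive steps a practitioner would want around that plan: record a SHA-256 of the image right after Windows Backup produces it (so a later mismatch reveals that the file was altered or corrupted while it sat on D:), and when the time comes, attach the image read-only and copy only the encrypted files out, rather than booting or browsing the old system. The paths `D:\image\backup.vhd`, `D:\recovered`, the `.sha256` sidecar file and the `*.locked` extension are all assumptions; substitute the extension the ransomware actually appended. It uses only the built-in Storage module cmdlets (Windows 8 and later) and must run in an elevated PowerShell.

```powershell
# Added example (not from the thread): keep a ransomware-affected VHD as inert
# data, and when a decryptor exists, open it read-only to copy the encrypted
# files out. Assumed paths: D:\image\backup.vhd, D:\image\backup.vhd.sha256,
# D:\recovered. Run as Administrator; uses the built-in Storage module.

$Vhd      = 'D:\image\backup.vhd'    # assumed location of the image
$HashFile = "$Vhd.sha256"            # assumed sidecar file holding the hash
$OutDir   = 'D:\recovered'           # assumed destination for the copied files

function Save-ImageHash {
    # Record a SHA-256 of the VHD right after creating it. Any later mismatch
    # means the file changed (tampering or corruption) while stored on D:.
    $h = Get-FileHash -Algorithm SHA256 -Path $Vhd
    Set-Content -Path $HashFile -Value $h.Hash
    Write-Host "Stored hash $($h.Hash) in $HashFile"
}

function Test-ImageHash {
    # Refuse to touch the image if it no longer matches the recorded hash.
    $expected = (Get-Content -Path $HashFile).Trim()
    $actual   = (Get-FileHash -Algorithm SHA256 -Path $Vhd).Hash
    if ($actual -ne $expected) {
        throw "VHD hash mismatch: expected $expected, got $actual"
    }
}

function Copy-EncryptedFiles {
    param([string]$Extension = '*.locked')  # assumed; use the real appended extension
    Test-ImageHash
    # Read-only attach: mounting runs nothing from the image and nothing inside
    # it can be modified. The only interaction is the Copy-Item below.
    Mount-DiskImage -ImagePath $Vhd -Access ReadOnly | Out-Null
    try {
        # The attached virtual disk reports the VHD path as its Location.
        $disk    = Get-Disk | Where-Object Location -eq $Vhd
        $letters = $disk | Get-Partition | Get-Volume |
                   Where-Object DriveLetter |
                   Select-Object -ExpandProperty DriveLetter
        foreach ($l in $letters) {
            $src = "${l}:\Users"
            if (-not (Test-Path $src)) { continue }
            # Copy only the encrypted documents, keeping their folder layout,
            # without opening or executing anything else on the old system.
            Get-ChildItem -Path $src -Recurse -Filter $Extension -File -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $rel  = $_.FullName.Substring($src.Length).TrimStart('\')
                    $dest = Join-Path $OutDir $rel
                    New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
                    Copy-Item -LiteralPath $_.FullName -Destination $dest
                }
        }
    }
    finally {
        # Always detach, even if the copy failed part way through.
        Dismount-DiskImage -ImagePath $Vhd | Out-Null
    }
}

# Assumed usage:
#   Save-ImageHash        # once, right after the backup tool produced the VHD
#   Copy-EncryptedFiles   # later, before running a decryptor against D:\recovered
```

The decryptor itself is then run against the copies in `D:\recovered` on the clean install, so the image is never written to and the old system's executables are never launched; `-Access ReadOnly` makes that a property of the mount rather than something the operator has to remember.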





