
How To Extract A Virus From An Infected Pc


Infiltrator


Hi all,

Apart from using an Anti-virus, how would one go about capturing a live virus from an infected system, so it could be used for later analysis.

My friends PC is infected and I would like to get a hold of that sucker. Is there any utility that could be used to extract the virus?

Thank you in advance.

Regards,

Infiltrator


If you know the specific executable that is the virus, or its installer, boot a live disc and copy it off, or mount the HDD in another machine and then copy it off. Problem is, most viruses, or at least decent ones, infect the system in a way that they become part of the OS and merged in the kernel or system drivers and will affect all users on the machine including newly added ones. Removing them often cripples the system depending on the malware. Early detection before it can execute is desired, but not always possible, especially with obfuscation or newly found attacks such as 0-days.

Also, one infection usually piggybacks multiple other types of malware, or just leaves the system open for further infections by others. Often by default it installs multiple forms of malware from the get go to ensure it can always get back in to use it within its bot nets (depending on the type of malware), so even if you remove one you found, the machine might have multiple other infections in the process. Just depends on how you were infected and by what form of malware.

To find malware, the quickest check is to look into the registry for all start up locations/services not installed by default. You can boot the system with something like an XP PE/BartPE/UBCD4Win type of setup and then mount the registry within it to locate the path(s) the malware sits in and then extract the files. If the malware has infected system files directly or patched the kernel, it's pretty much in the system for life short of a format and reinstall.

Sometimes if you are lucky enough, the malware only infects the one user's sign-on, depending on how the system and profiles were set up, so you can also try to: 1, boot into safe mode as an administrator and create a new user. If the infection shows up under the new account, then it may have placed itself in the "default users" setup for all new users. Or 2, you can also add an administrator user using UBCD4Win through its tools and then boot in as that user and see if the malware is still active. In either case, if the malware shows up under new users, then its hooks could be deep within the OS, probably kernel level and patched into the system drivers themselves, so the only course of action at that point is format and reinstall. Best practice is to format and reinstall anyway.

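One way to do the registry start-up check described in the post above from a rescue boot, as an added example that is not from this thread and not a tool either poster used. It assumes the infected Windows drive is mounted at D:, that E:\evidence is external media, and that the rescue environment has PowerShell 3 or later.

```powershell
# Added example (not from the thread): load the offline SOFTWARE hive of the
# infected drive (assumed D:) and collect every program referenced from the
# common autostart keys onto external media (assumed E:\evidence), renamed to
# its SHA-256 so a stray double-click cannot launch it.
$Drive    = 'D:'           # infected Windows drive as seen from the rescue boot
$Evidence = 'E:\evidence'  # external media for the collected samples
$Hive     = 'OfflineSW'    # temporary name under HKLM for the loaded hive

New-Item -ItemType Directory -Path $Evidence -Force | Out-Null
reg.exe load "HKLM\$Hive" "$Drive\Windows\System32\config\SOFTWARE" | Out-Null

try {
    $keys = @(
        "HKLM:\$Hive\Microsoft\Windows\CurrentVersion\Run",
        "HKLM:\$Hive\Microsoft\Windows\CurrentVersion\RunOnce",
        "HKLM:\$Hive\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
        "HKLM:\$Hive\Microsoft\Windows NT\CurrentVersion\Winlogon"   # Shell / Userinit
    )
    $found = foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item $k
        foreach ($name in $item.GetValueNames()) {
            # Winlogon holds many values; only Shell and Userinit launch programs
            if ($k -like '*Winlogon' -and $name -notin 'Shell', 'Userinit') { continue }
            $raw = [string]$item.GetValue($name)
            # First token is the program: a quoted path, or everything up to the first space;
            # Userinit carries a trailing comma, so trim it
            $exe = if ($raw -match '^\s*"([^"]+)"') { $Matches[1] } else { ($raw -split '\s+')[0] }
            $exe = $exe.TrimEnd(',')
            # The value was written for the live system (C:), but the drive is mounted offline.
            # Bare names such as explorer.exe stay unresolved and show Exists = False.
            $offline = $exe -replace '^[A-Za-z]:', $Drive
            [pscustomobject]@{ Key = $k; Name = $name; Path = $offline; Exists = (Test-Path $offline) }
        }
    }
    foreach ($f in $found | Where-Object Exists) {
        $hash = (Get-FileHash -Path $f.Path -Algorithm SHA256).Hash
        # Copy as <hash>.bin: sample stays byte-identical, but is no longer double-clickable
        Copy-Item -Path $f.Path -Destination (Join-Path $Evidence "$hash.bin")
        $f | Add-Member -NotePropertyName SHA256 -NotePropertyValue $hash
    }
    $found | Format-Table Name, Path, Exists, SHA256 -AutoSize
}
finally {
    [gc]::Collect()                        # drop handles so the hive can be unloaded
    reg.exe unload "HKLM\$Hive" | Out-Null
}
```

Compare the listed entries against a clean install of the same Windows version; anything the default install does not put there is a candidate for analysis.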

I haven't read all of digip's post (hey, I've got stuff to do, don't have time to read ;P), but since ctrl+f didn't find the word image I'll assume this was not mentioned.

Take an image of the drive, load it in a VM, do your analysis in the VM.


I haven't read all of digip's post (hey, I've got stuff to do, don't have time to read ;P), but since ctrl+f didn't find the word image I'll assume this was not mentioned.

Take an image of the drive, load it in a VM, do your analysis in the VM.

That's also a great tip.


Thanks guys and Digip your information was very helpful and it had given me a lot of insights and thoughts to consider. Using a VM is not a bad idea, I thought about using it before and I always like to do risky work in a VM for safety reasons.

Another question is, most anti-virus have a virus chest that helps contain the virus from spreading. Is it possible to copy the virus from there to another physical location, or will the AV prevent such action?

Thank you again.


Thanks guys and Digip your information was very helpful and it had given me a lot of insights and thoughts to consider. Using a VM is not a bad idea, I thought about using it before and I always like to do risky work in a VM for safety reasons.

Another question is, most anti-virus have a virus chest that helps contain the virus from spreading. Is it possible to copy the virus from there to another physical location, or will the AV prevent such action?

Thank you again.

Depends on how it's stored, but more than likely, you would not be able to access it while the AV is running unless you unquarantine it. If the quarantined file was a system file, that might not be the best way to go about it though.

Best bet would probably be to boot off a live disc so you know there is no risk of infection to any external media you try to copy it to, or mount the drive in another system and then create a VM from the drive as Sparda suggests.

I'm not too sure how they store them either, but I know ZoneAlarm renames them and their file extensions and moves them somewhere to quarantine them, but I don't know the exact path. I could see an interesting attack vector too, if say some malware that was benign to detection only searched a system to see what was in quarantines, then disables the AV to extract and relaunch the malware under its control. :)


It turns out that the AV I am using lets me extract the virus directly from its chest. I am using Avast by the way, and the interesting thing is that it lets me pick a location where to save the malware.

Thanks again Digip.
