Infected Backups?


J. P. Gilliver (John)

To actually answer the original question: it may depend on the backup
mechanism used. If by "back up" you just mean "copy", then - provided,
as someone has pointed out, the original computer didn't have a nasty on
it that infected external discs somehow - yes, that should work. If the
backing up process involves any compression or encryption - i.e. what
ends up on the external HD takes up a different amount of space, and/or
is one huge file rather than as many files as you started with, then it
will depend on whether your anti-malware software is familiar enough
with the compression (or whatever) mechanism that your backup software
used, to be able to get inside it and look at - and clean - the files.
(And then assuming that the cleaned structure is still in a form that
the backup software can restore.)
Some people are so arrogant! That makes assumptions about the OP, as
shown by his response:
No, he suggested that running a scan on an external drive won't touch
the registry files on the external drive.

That is correct.
Most cars have four wheels. That is also correct; and has as little
connection with the original question!
 
J. P. Gilliver (John)

In message <[email protected]>, Juan Wei <[email protected]>
writes:
[]
I said nothing about cleaning up the computer they came from.

Now, I'll tell you what I was thinking:

1) Backup data to an external HD
To be fair to those who jumped in with both feet in their mouths, you
didn't actually say you were only thinking about data files. (Also it
_sounds_ as if by "Backup" you just mean "copy", rather than using one
of the many common backup utilities that do some compression and/or file
combination as they go along.)
2) Disinfect them
Note that line: he _does_ know that data files can be infected!
3) Nuke and pave the infected computer
(I hadn't come across "pave" used in this context before, though I can
guess the meaning.)
4) Restore the data
(Unless you just meant "copy" at 1 above, you'd need to be sure whatever
software you used to do the restore was clean. But I think you did just
mean copy.)
 
SC Tom

J. P. Gilliver (John) said:
In message <[email protected]>, Juan Wei <[email protected]>
writes:
[]
I said nothing about cleaning up the computer they came from.

Now, I'll tell you what I was thinking:

1) Backup data to an external HD
To be fair to those who jumped in with both feet in their mouths, you
didn't actually say you were only thinking about data files. (Also it
_sounds_ as if by "Backup" you just mean "copy", rather than using one of
the many common backup utilities that do some compression and/or file
combination as they go along.)
2) Disinfect them
Note that line: he _does_ know that data files can be infected!
3) Nuke and pave the infected computer
(I hadn't come across "pave" used in this context before, though I can
guess the meaning.)

I hadn't heard it in this context either. Whenever I hear "nuke and pave",
it harkens me back to the Viet Nam days and Reagan speeches :)
 
J. P. Gilliver (John)

I hadn't heard it in this context either. Whenever I hear "nuke and
pave", it harkens me back to the Viet Nam days and Reagan speeches :)
You put your signature - with correctly-formed separator line - embedded
in the text you were quoting; this resulted in all that follows
appearing to be part of your signature.
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)[email protected]+H+Sh0!:`)DNAf

"Anything else you'd like me to do while I'm at it? Paint the sky green? Bury
the odd elephant I find lying around ..." - Tidy, the Android - Earthsearch II,
part 2. (1982-5-2)
 
Dave

How 90's of you. Google "word document virus infection" for a start, but
there are many examples of ways that a "data" file can be compromised in
a way that when opened infests the host.
I love the statement 'many ways', none of which you will tell us. Yes, if
you have a word processor file with macros there can be a problem, same
for Excel for which you get adequate warning when you launch the
applicable program.
 
John Williamson

Dave said:
I love the statement 'many ways', none of which you will tell us. Yes, if
you have a word processor file with macros there can be a problem, same
for Excel for which you get adequate warning when you launch the
applicable program.
Then there's the old "double extension" trick, although all the
anti-malware programs should be wise to that one by now. The file name
looks like $Sensiblefilename.doc in Explorer and in the attachment
window in your mail program, but is actually called
$Sensiblefilename.doc.exe.

Malware can also be hidden in (at least) .jpeg and .mp3 files, according
to my copy of Kaspersky, which insists on scanning them on opening.
 
J. P. Gilliver (John)

In message <[email protected]>, John Williamson
Malware can also be hidden in (at least) .jpeg and .mp3 files,
according to my copy of Kaspersky, which insists on scanning them on
opening.
Well, the .jpeg one relies on a bug in common image viewing libraries;
neither Turnpike nor IrfanView use those libraries, though the default
image application in at least XP does. I suppose a conscientious
anti-malware prog. should check for them, though.

(Don't know about .mp3 - probably something similar.)
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)[email protected]+H+Sh0!:`)DNAf

To give you some indication, opinion polls suggest that people who
passionately hate or love country [music] are utterly indifferent to Marmite.
- Eddie Mair, Radio Times 11-17 February 2012
 
Wolf K

On 2013-08-03 12:11 PM, John Williamson wrote:
[...]
Then there's the old "double extension" trick, although all the
anti-malware programs should be wise to that one by now. The file name
looks like $Sensiblefilename.doc in Explorer and in the attachment
window in your mail program, but is actually called
$Sensiblefilename.doc.exe.
[...]

Which is why you should set Windows to show extensions. Which should be
the default. I really can't see any reason not to show the extensions.
MS has a lot to answer for.
 
Wildman

On 2013-08-03 12:11 PM, John Williamson wrote:
[...]
Then there's the old "double extension" trick, although all the
anti-malware programs should be wise to that one by now. The file name
looks like $Sensiblefilename.doc in Explorer and in the attachment
window in your mail program, but is actually called
$Sensiblefilename.doc.exe.
[...]

Which is why you should set Windows to show extensions. Which should be
the default. I really can't see any reason not to show the extensions.
MS has a lot to answer for.
That's an easy one. It is because we are too dumb
as users to know what file extensions are and what
they are for, according to MS. What else could it
be? There is no /logical/ reason to do it.
 
Gene E. Bloch

Then there's the old "double extension" trick, although all the
anti-malware programs should be wise to that one by now. The file name
looks like $Sensiblefilename.doc in Explorer and in the attachment
window in your mail program, but is actually called
$Sensiblefilename.doc.exe.
The double extension thing only fools a user that has extensions hidden.
Any program or dll only sees the final extension as the file's actual
extension. Programs search for the dot backwards from the end of the
name...

So anti-malware programs are in no way affected by the trick...
 
Beauregard T. Shagnasty

Gene said:
The double extension thing only fools a user that has extensions hidden.
Don't forget that the usual trick was to use a bunch of spaces.

"grandma.jpg .exe"

Even seasoned individuals could miss that ".exe" away over, and sometimes
past, the visible viewing area.
Any program or dll only sees the final extension as the file's actual
extension. Programs search for the dot backwards from the end of the
name...
Usually, I guess so.
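
Added example, not part of any post in this thread: a check for the two file-name tricks discussed above (a decoy extension in front of the real one, and whitespace padding that pushes the real extension out of view), run over the member names inside a zip archive standing in for a single-file backup. The extension lists, function names and sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Assumed lists (not from the thread): extensions Windows runs directly, and
# document/media extensions typically used as the decoy.
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY = {".doc", ".docx", ".xls", ".pdf", ".jpg", ".jpeg", ".mp3", ".txt"}
PADDING = re.compile(r"\s{3,}")  # run of whitespace hiding the real extension


def check_name(name):
    """Return the reasons a file name looks deceptive (empty list if none)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    stem, _, last = base.rpartition(".")  # real extension: last dot from the end
    if not stem or "." + last.lower() not in EXECUTABLE:
        return []
    reasons = []
    inner = "." + stem.rstrip().rpartition(".")[2].lower()
    if inner in DECOY:
        reasons.append("double extension")
    if PADDING.search(stem):
        reasons.append("whitespace padding")
    return reasons


def scan_zip(data):
    """Check every member name inside a zip-format backup given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        hits = {n: check_name(n) for n in zf.namelist()}
    return {n: r for n, r in hits.items() if r}


def build_sample_backup():
    """Constructed sample: a small zip standing in for a one-file backup."""
    names = ["docs/letter.doc", "docs/report.doc.exe",
             "pics/grandma.jpg" + " " * 30 + ".exe", "tools/setup.exe"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_backup()).items():
        print(repr(name), reasons)
```

The check only looks at names; it does not inspect file contents, so it complements rather than replaces a scanner that can unpack the backup format.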
 
John Williamson

Wildman said:
On 2013-08-03 12:11 PM, John Williamson wrote:
[...]
Then there's the old "double extension" trick, although all the
anti-malware programs should be wise to that one by now. The file name
looks like $Sensiblefilename.doc in Explorer and in the attachment
window in your mail program, but is actually called
$Sensiblefilename.doc.exe.
[...]

Which is why you should set Windows to show extensions. Which should be
the default. I really can't see any reason not to show the extensions.
MS has a lot to answer for.
That's an easy one. It is because we are too dumb
as users to know what file extensions are and what
they are for, according to MS. What else could it
be? There is no /logical/ reason to do it.
Is the right answer.
 
J. P. Gilliver (John)

Wildman said:
On 2013-08-03 12:11 PM, John Williamson wrote:
[...]
Then there's the old "double extension" trick, although all the
anti-malware programs should be wise to that one by now. The file name
looks like $Sensiblefilename.doc in Explorer and in the attachment
window in your mail program, but is actually called
$Sensiblefilename.doc.exe.
[...]

Which is why you should set Windows to show extensions. Which should be
the default. I really can't see any reason not to show the extensions.
MS has a lot to answer for.
That's an easy one. It is because we are too dumb
as users to know what file extensions are and what
they are for, according to MS. What else could it
be? There is no /logical/ reason to do it.
The original reason had some merit for people who are not "into"
computers like we are: the applications took care of what the extension
would be, without it bothering the user. If you created a letter in
Word, you saved it as "letter"; if you later came to re-open it, it
opened in the right application. It even had the right icon in explorer;
no need for confusing extensions, or at least for those to be visible to
the user. (OK, "doc" is reasonably intuitive; "xls" isn't, nor for that
matter are "jpg", "gif", and "bmp".) This was a perfectly /logical/
thought process. Of course, we geeks don't see it like that.

The advent of the double-extension malware exploit (many years ago) was
IMO a reasonable justification for at the very least making the
displaying of extensions the default, from well before Windows 7. But I
think we geeks are often a bit hard on those who prefer that option.

(Having said that, I always turn extension visibility on - not just on
my own machines, but on those of any I'm called on to do anything to for
others.)
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)[email protected]+H+Sh0!:`)DNAf

I'm not a fan of Christmas, although I support the principle of a day of
feasting and presents, but the anxiety starts in October: how many are coming?
Are they bringing grandchildren? How long will they stay? - Raymond Briggs, in
Radio Times Christmas 2012
 
Zaphod Beeblebrox

I love the statement 'many ways', none of which you will tell us.
Off the top of my head JPG, WMV, WMA, MP3 can all be compromised -
certainly, all require the file to be opened by a particular
viewer/player, but since they all targeted the default Windows
viewer/player that isn't too difficult of a barrier.

Here's a particularly fun one (though limited in scope):
http://php.webtutor.pl/en/2011/05/1...s-written-in-php-and-carried-in-a-jpeg-image/

Yes, if you have a word processor file with macros there can be a
problem, same for Excel for which you get adequate warning when you
launch the applicable program.
Well you do today but when macro viruses first appeared on the scene
you didn't get any warning, and those media file infections give no
warnings. But hey, don't believe me, see the other responses in the
thread and do a bit of searching and you'll see.

--
Zaphod

Arthur: All my life I've had this strange feeling that there's
something big and sinister going on in the world.
Slartibartfast: No, that's perfectly normal paranoia. Everyone in the
universe gets that.
 
