Threat Level: green Handler on Duty: Didier Stevens

SANS ISC Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

A .BUP File Is An OLE File

Published: 2015-07-04
Last Updated: 2015-07-04 12:14:08 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Yesterday I mentioned that McAfee quarantine files on Windows (.BUP extension) are actually OLE files.

I'm going to write a couple of diary entries highlighting some file types that are OLE files, and I'm starting with .BUP files.

OLE files can be analyzed with my oledump tool. Here is an example with a .BUP file:

As you can see, this quarantine file contains two steams: Details and File_0. Details is the McAfee anti-virus report, and File_0 is the quarantined file. Remark that quarantine files can contain more than one quarantined file, they will be numbered File_0, File_1, ...

If we look at the Details stream, it doesn't tell us much:

That's because it is XOR encoded. The key is 0x6A (BTW, 0x6A is j and I always wondered if that was a reference to John). We can use an oledump decoder to decode this:

That's readable, so let's dump it:

Generic BackDoor.agb doesn't tell us much, but if we look at the beginning of the quarantined file, it becomes clear:

This is a JPEG file with an eval statement in the EXIF data.


Didier Stevens
Microsoft MVP Consumer Security

Keywords: OLE BUP
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Analyzing Quarantine Files
1 day ago by DidierStevens (6 comments)

Another example of Angler exploit kit pushing CryptoWall 3.0
3 days ago by Brad Duncan (2 comments)

Apple "Patch Tuesday"
3 days ago by Johannes (0 comments)

How Malware Campaigns Employ Google Redirects and Analytics
4 days ago by Lenny (3 comments)

The Powershell Diaries 2 - Software Inventory
5 days ago by Rob VandenBrink (5 comments)

The EICAR Test File
6 days ago by DidierStevens (6 comments)

View All Diaries →

Latest Discussions

Detecting lateral movement by NIDS/IPS (netcat or psexec)
created 4 days ago by DrGreen (1 reply)

Recommend InfoSec Books?
created 1 week ago by Anonymous (1 reply)

Security on Computer Names
created 1 week ago by Anonymous (1 reply)

Download the daily logs?
created 1 week ago by (2 replies)

Wireshark upate - 1.12.6 has been released
created 2 weeks ago by Brad Duncan (0 replies)

View All Forums →

Latest News

View All News →