I wanted to take out a sample from the MCAFEE quarantine folder on a host machine for further examination.But bad for me , I've discovered that that only way to extract the virus is to the original place! After googling a bit I found out that the .bup extension is actually a 7zip archive + xor by 0X6A ! So After I downloaded the 7zip and a simple xor tool ((http://www.softpedia.com/get/Programming/Other-Programming-Files/Xor.shtml)I've got 2 file in every .bup
·xor.exe Details Details.txt 0X6A
> xor.exe File_0 file_0.xor 0X6A>
Rename File_0.xor to Original name found in Details.txt
And the virus is ready for investigation!
