Question: Banload.AYD virused a Hyper-V Virtual Machine

Jun 11, 2022
I have a Hyper-V Host machine with Windows 2019 called "mnhost02".
On this machine I have a Virtual Machine called "eMail", which is also Windows 2019 + Exchange 2019.
The Windows Security Antivirus from Host mnhost02 detected the Trojan Downloader Banload.AYD on VM eMail and was unable to Quarantine or Remove it since VM eMail was running. I stopped it. Then the Win Security Antivirus from Host mnhost02 simply deleted the virtual HDD of the VM eMail machine, creating a BIIIIG problem.
Previously scanning VM eMail from inside with Win Security Antivirus did not show any infection!!!

It seems to be a Boot infection, and Win Security within the infected machine eMail is not seeing it.

Any suggestion how to remove an MBR virus on a Virtual Machine???

Your suggestion will be greatly appreciated.
Jun 11, 2022
I used a Data Deletion Recovery Tool to recover the .vhdx file of the eMail VM machine .. but if I manage to mount it back online .. I will still have the same TrojanDownloader Banload.AYD issue, which installs itself to the MBR.
 
Looking at the description from Microsoft for that malware, it says it installs an executable in "c:\documents and settings\administrator\application data\install_flashplayer13x32_mssa_aaa_aih.exe". I don't know why Windows security picks it up from the Hypervisor and not from the VM (is it the same product?), but I found nothing about this malware to suggest it infects your partition table.

I'd start by looking at that document and searching for that executable in the Hypervisor and in the VM.

You could also look at the logs from Windows security to try and find more info about the malware detection event.
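The two checks suggested above (read the Windows Security detection events, look for the named executable), written out as an added PowerShell example that is not part of the thread. It assumes Microsoft Defender (what "Windows Security" fronts) on both the host and the guest, the host name mnhost02 and the file name from Microsoft's write-up quoted above; the legacy "Documents and Settings\...\Application Data" path in that write-up corresponds to C:\Users\<name>\AppData\Roaming on Windows Server 2019, so the search uses the modern layout.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell.
# Steps 1, 2 and 4 are meant for the host (mnhost02); step 3 for both host and guest.

# 1. Defender's own detection history: threat name, the resource it flagged
#    (for a detection on a VM disk this is the .vhdx path), and whether the
#    remediation action succeeded.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, ActionSuccess, Resources |
    Format-List

# 2. The same information from the Defender operational event log.
#    1116 = malware detected, 1117 = action taken,
#    1118 = action failed, 1119 = action critically failed.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117, 1118, 1119
} |
    Where-Object { $_.Message -match 'Banload' } |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 3. Look for the executable named in Microsoft's description, under every
#    user profile (the legacy path in the write-up maps to AppData\Roaming).
$name = 'install_flashplayer13x32_mssa_aaa_aih.exe'
Get-ChildItem -Path 'C:\Users' -Recurse -Force -Filter $name -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTime, LastWriteTime

# 4. On the host, list the virtual disks Hyper-V knows about, so a .vhdx path
#    reported in step 1 or 2 can be matched to the VM it belongs to.
Get-VM | Get-VMHardDiskDrive | Select-Object VMName, Path
```

If the Resources field in step 1 names the eMail VM's .vhdx rather than a file inside the guest, the host scanner was reading the guest's disk image as a single file, which is consistent with the guest's own scan coming back clean and with the whole disk being removed when the host acted on it.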