QExtract can be found on the Symantec AntiVirus Corporate Edition 8.0 or 8.1 CD 1 of 2 in \TOOLS\NOSUPRT\QEXTRACT. You will find QEXTRACT.EXE and QEXTRACT.PDF there.
Usage Information
G:\>qextract
Usage: QExtract /vbn: /file:
- eg. 33850000.VBN
- the fullpath of target file (include filename).
/? for this help
Unfortunately, you cannot specify the path for the VBN file, only the filename. The utility always expects to find the file in Symantec AntiVirus' default location, which is C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine. This is the default directory even if you are using version 8.0 or 8.1, i.e. the directory path contains 7.5 even with later versions of the software. You will have that path even on a system where you never had version 7.5 of Symantec AntiVirus Corporate Edition installed, but only later versions.
So if you want to use qextract.exe on a system where you don't have the Symantec AntiVirus software installed, you will need to create that path and place the VBN files there in order for QExtract to work. Otherwise you will get a message similar to the one below:
qextract /vbn:12840000.VBN /file:c:\DWH3A75.TMP /file:us_girls.zip
Extraction failed: target file may already exist.
The "target file may already exist" message is misleading; the problem is that the VBN file doesn't exist in the directory where QExtract is expecting it. It won't help to specify the directory where you've placed the VBN file; QExtract expects the file to be in the default location.
If it finds the specified VBN file in the default location, you will see a message such as the one shown below:
C:\>qextract /vbn:04040000.VBN /file:.\JBCPM31B.dll
Extraction successful.
If you want to know what the original file name is for the file encapsulated in the VBN file, you can open the VBN file with any editor, such as Notepad. You will see something like the following near the top of the file (note: the first line of the file is not the line containing the original location and file name for the encapsulated file):
260204092E20,5,1,2,CRYSTAL,SYSTEM,W32.Stration@mm,C:\WINDOWS\TEMP\DWH3A75.TMP,5,1,1,256,20548,"",0,,0,,310640640,53398,0,1,0,0,0,0,,0,2,4,0,,{31CA7CFF-C7E2-418A-B725-F1713FD852FC},,,,,,
In the above example, "Crystal" is the name of the system on which the virus was quarantined. Symantec AntiVirus identified the virus as "Stration@mm" and the original file that was quarantined was C:\WINDOWS\TEMP\DWH3A75.TMP.
You can place the VBN file in the quarantine directory, if it isn't already there. Note: If you can't locate the C:\Documents and Settings\All Users\Application Data directory, make sure you have turned on the display of hidden files and folders in the Windows Explorer (see View Hidden and System Files). Once you have the VBN file in the appropriate directory, you can use the following command to extract the file from the VBN file into the current directory:
C:\Temp>qextract /vbn:12840000.VBN /file:.\DWH3A75.TMP
Extraction successful.
Note: you have to specify the full directory path to be used for the extraction. You can specify that the current working directory be used with .\. If you just enter the filename after /file:, you will get an error message indicating the file already exists, though it does not exist.
C:\temp>qextract /vbn:12840000.VBN /file:DWH3A75.TMP
Extraction failed: target file may already exist.
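The record line and the .\ target rule described above can be combined in a small triage script. This is an added example, not part of the original article or of Symantec's tooling; the field positions are read off the single sample record shown earlier and are an assumption for other VBN files, and all function names are hypothetical.

```python
import csv
import ntpath
import re

# Field positions read off the sample record above (assumption: other
# VBN files use the same layout).
HOST, THREAT, PATH = 4, 6, 7
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_record(line):
    """Return host, threat and original path from a record line, else None."""
    try:
        fields = next(csv.reader([line]), [])
    except csv.Error:
        return None
    if len(fields) <= PATH or not DRIVE_PATH.match(fields[PATH]):
        return None
    return {"host": fields[HOST], "threat": fields[THREAT],
            "original_path": fields[PATH]}


def find_record(data, scan_limit=8192):
    """Scan the start of a VBN file's bytes for the first line that parses."""
    text = data[:scan_limit].decode("latin-1")
    for line in re.split(r"[\r\n\x00]+", text):
        record = parse_record(line.strip())
        if record:
            return record
    return None


def qextract_command(vbn_name, record):
    """Build the command line; /vbn: takes a bare name, /file: needs a path."""
    if ntpath.basename(vbn_name) != vbn_name:
        raise ValueError("QExtract accepts only the VBN file name, not a path")
    # Use only the base name so the record cannot steer the output location.
    target = ntpath.basename(record["original_path"])
    return "qextract /vbn:%s /file:.\\%s" % (vbn_name, target)


# Constructed sample: a dummy first line, then the record shown above (shortened).
SAMPLE = (b"\x00\x01constructed-first-line\r\n"
          rb"260204092E20,5,1,2,CRYSTAL,SYSTEM,W32.Stration@mm,"
          rb"C:\WINDOWS\TEMP\DWH3A75.TMP,5,1,1,256,20548" + b"\r\n")

if __name__ == "__main__":
    rec = find_record(SAMPLE)
    print(rec)
    print(qextract_command("12840000.VBN", rec))
```

An original path that itself contains a comma would shift the fields, so check the parsed path against the raw line before relying on it.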
I sometimes want to move an infected file to another system for further analysis. I may not want to restore the file on the system on which it was quarantined, because I don't want to risk reinfecting that system or don't want Symantec AntiVirus to immediately quarantine it again, if I try to move it to a USB thumb drive to transfer the file to another system. I can transfer the VBN file and then use the qextract.exe utility on another system, which doesn't have Symantec AntiVirus, to extract the contents of the VBN file for further analysis.