cisagov / ESXiArgs-Recover

A tool to recover from ESXiArgs ransomware
Creative Commons Zero v1.0 Universal

extension .iFire #12

Open lzahradil opened 1 year ago

lzahradil commented 1 year ago

drwxr-xr-x 1 root root        77824 Feb 12 09:59 .
drwxr-xr-t 1 root root        77824 Feb 17 14:16 ..
-rw-r--r-- 1 root root         1323 Feb 12 05:08 iFire-readme.txt
-rw------- 1 root root 480101007360 Feb 12 09:18 ntb-mpw-flat.vmdk
-rw------- 1 root root         9204 Feb 12 05:08 ntb-mpw.nvram.iFire
-rw------- 1 root root         1123 Feb 12 05:08 ntb-mpw.vmdk.iFire
-rw-r--r-- 1 root root            0 Feb 10 21:14 ntb-mpw.vmsd
-rwxr-xr-x 1 root root         2179 Feb 11 23:33 ntb-mpw.vmx
-rw-r--r-- 1 root root       218628 Feb 11 09:21 vmware-1.log
-rw-r--r-- 1 root root       272360 Feb 11 11:36 vmware-2.log
-rw-r--r-- 1 root root       208212 Feb 11 23:32 vmware-3.log
-rw-r--r-- 1 root root       188082 Feb 11 23:49 vmware-4.log
-rw-r--r-- 1 root root        57766 Feb 12 09:59 vmware.log

lzahradil commented 1 year ago

I found out that some malicious code is inserted in the flat.vmdk file at the beginning and at the end. The file as such is not encrypted. If I know what to look for, I can find text data using cat and grep. Unfortunately, I do not know how to remove this code in a large file so that the vmdk file can be repaired.