utmapp / UTM

Virtual machines for iOS and macOS
https://getutm.app
Apache License 2.0
26.42k stars 1.32k forks

Has the WinXP ISO recommendation been vetted and validated? #6695

Open ITmaze opened 1 day ago

ITmaze commented 1 day ago

The WinXP UTM gallery at https://mac.getutm.app/gallery/windows-xp provides a reference and SHA for a Windows XP installation ISO. When I used this ISO (archive.org with matching SHA) I observed unusual behaviour.

To my knowledge WinXP does not support the 7-zip format out of the box, nor have I ever seen such a message and I've installed WinXP from ISO dozens of times over the years on all manner of different hardware.

Has this ISO actually been vetted and validated as being without any injected malware?

LukeHandle commented 12 hours ago

Viewing the ISO contents via archive.org, I see a few mentions of 7z:

Not a super reliable measure, but DPM1209.7z does have some hits suggesting it might contain a trojan, e.g. https://www.bleepingcomputer.com/forums/t/517344/dirty-encrypt-virus-strikes-again/

E:\media\Microsoft.Windows.XP.Professional.SP3.x86.Integrated.December.2012-Maherz\OEM\DPM1209.7z Win32/Filecoder.BH.Gen trojan deleted - quarantined

And, uploading to VT: https://www.virustotal.com/gui/file/eff876c4e01a88af8b0e58c142bea76ff40e38faa075e1b7189a7c169c3f4083

Some of the included executables in DPsFnshr.7z also flag:

BUT, the presence of these files is partly explained by the "_Incl_SATA_Drivers" - these aren't in organic XP ISOs. I don't think it's conclusive that these are malicious though - the VT results only show concern from a subset of engines.

REM Written by Jeff Herre AKA OverFlow rev08.12.1
REM A Script to use MicroSofts DPInst.exe with the DriverPacks.
REM Help and Support available at http://forum.DriverPacks.net
TITLE DriverPacks.net Stand Alone Driver Updater & Color 9f
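The thread turns on a point worth making concrete: a digest that matches the gallery only proves you downloaded the same file the gallery pointed at, not that the file is clean, and the real check is to inventory what is inside the image and look up the individual files. The script below is an added example written for this page; it is not code from UTM, the gallery, or either commenter. It assumes the ISO has already been extracted to a directory (for instance with `7z x image.iso -oextracted`), that the gallery's published digest is SHA-256 (the digest function is a parameter, so a SHA-1 listing can be checked the same way), and it uses a heuristic of my own choosing: flag code-bearing files (archives, executables, drivers, scripts) that sit under vendor-added top-level directories such as OEM or $OEM$, which vanilla Microsoft media does not have. The sample directory tree it runs against is constructed in the script and is not real XP media.

```python
"""Verify an installation image's digest, then inventory its extracted contents.

Added example, not from the UTM project or this issue. Assumes the ISO has
already been extracted to a directory (e.g. `7z x image.iso -oextracted`) and
that the gallery's published digest is SHA-256 (pass hashlib.sha1 if the page
lists a SHA-1). The OEM/$OEM$ heuristic is an assumption made for this example.
"""
import hashlib
import tempfile
from pathlib import Path

# File types that can carry code. Vanilla XP media has many of these under
# I386/, so the heuristic only flags them in integrator-added directories.
CODE_BEARING = {".7z", ".zip", ".rar", ".cab", ".exe", ".dll", ".sys",
                ".cmd", ".bat", ".msi"}
# Top-level directories an integrator (not Microsoft) typically adds.
VENDOR_DIRS = {"OEM", "$OEM$"}


def file_digest(path, algo=hashlib.sha256, chunk_size=1 << 20):
    """Stream a file through the digest and return lowercase hex."""
    h = algo()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def image_matches(path, expected_hex, algo=hashlib.sha256):
    """True if the image digest equals the published one. A match only shows
    you have the same bytes the gallery referenced, not that they are benign."""
    return file_digest(path, algo) == expected_hex.strip().lower()


def inventory(root):
    """Walk an extracted image tree. One record per file with its SHA-256
    (the value to look up or submit to VirusTotal) and a flag for
    code-bearing files under vendor-added directories."""
    root = Path(root)
    records = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        top = rel.split("/", 1)[0]
        flagged = top.upper() in VENDOR_DIRS and p.suffix.lower() in CODE_BEARING
        records.append({"path": rel, "size": p.stat().st_size,
                        "sha256": file_digest(p), "flagged": flagged})
    return records


def flagged_paths(root):
    """Just the paths a reviewer should open or submit first."""
    return [r["path"] for r in inventory(root) if r["flagged"]]


def build_sample_tree(base):
    """Constructed stand-in for an extracted ISO; the contents are not real
    Windows files, only placeholders with the same layout as in the thread."""
    base = Path(base)
    files = {
        "I386/NTLDR": b"boot loader stand-in",
        "I386/SETUP.EXE": b"MZ setup stand-in",
        "OEM/DPM1209.7z": b"7z\xbc\xaf\x27\x1c archive stand-in",
        "OEM/README.TXT": b"text only",
    }
    for rel, data in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return base


def demo():
    """Run both checks against constructed data and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = build_sample_tree(Path(tmp) / "extracted")
        image = Path(tmp) / "image.bin"  # stand-in for the ISO itself
        payload = b"not a real iso " * 1000
        image.write_bytes(payload)
        published = hashlib.sha256(payload).hexdigest()  # what a gallery would list
        return {
            "match": image_matches(image, published),
            "tampered": image_matches(image, "00" * 32),
            "flagged": flagged_paths(tree),
            "count": len(inventory(tree)),
        }


if __name__ == "__main__":
    result = demo()
    print("digest matches published value:", result["match"])
    print("files to review first:", result["flagged"])
```

Against a real extracted image, pass the ISO path and the gallery's digest to `image_matches`, then feed the `sha256` values from `inventory` to VirusTotal or another scanner; the `flagged` subset is simply where to start, and a file that is not flagged is not thereby cleared.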