Hi,
My PC has two internal hard drives, an SSD and an HDD (and an external SSD). If I got malware inside of my computer, will it affect both drives? I know I can clean the SSD where my OS and apps are by performing a reinstallation of Windows 10. But my data drive, will it be infected as well? How can you clean that drive of malware? If I back up data to another drive, wouldn't I be backing up the malware with it?
Hi,
The short answer is:
Yes it can happen, but it depends on the type of malware.
The long answer:
The majority of infections reside on the drive the operating system is on. Malware very commonly uses the registry to autorun and will put its file copies on the system drive to persist. For those kinds of malware it is enough to only reinstall the OS. Even if it is a ransomware infection, it will in most cases "just" encrypt files on all the attached drives, but not create any infectious files there. Meaning: those files are encrypted files or ransom notes, but in most cases completely harmless.
There are two types of malware that spread to other drives: viruses (in the sense of "file infectors") and worms.
Viruses attach themselves to other files, turning them into malicious files which are also infectious. Those files would be backed up if you copy them to another drive. Worms that spread via drives will often place themselves alongside the legit files on the disk and trick the user into executing them.
Viruses are usually not something your system gets infected with if you have an AV and follow common security practices because they are often old and well-detected by AV software.
Drive worms are more common and may also infect systems with an up-to-date AV.
Last but not least: you may also have a trojan and not recognize it as such, and make the mistake of backing it up to the drive. That's a program that seems legitimate but has malware attached to it. It doesn't necessarily infect other files or the drives, but every time you run the supposedly legit program it will infect the OS again. This happens commonly with beloved adware installers and cracks, where the users of those programs refuse to acknowledge the AV detections as legit and may put them into the allowlist for the AV.
You should suspect that the infection is a worm or virus if one of the following is true:
- the detection name contains "worm" or "virus"
- the detected files are located on USB flash drives, external drives, or the drive that is not your OS drive
- the detected files are high in number (hundreds or more) and are files that are usually legit, e.g., files that belong to the operating system
Removing an infection:
For most malware it is enough to reinstall the OS.
If you know or suspect that your system was infected by a drive worm or virus (file infector), you will have to be very cautious and clean/wipe all attached drives as well as any USB flash drives or external drives that were plugged in at the time of or after the infection. Worm infections can be cleaned by having an AV delete all worm-related files.
After a virus (file infector) infection it is recommended not to attempt to repair or fix infected files but to wipe everything. Files with an attached virus cannot be turned back to the way they were. Some information in them gets destroyed. Tools that repair those files often leave in some traces of the virus and cause AV software to still detect those files as malicious.
Mitigation:
Use an external drive for making backups that is not plugged in all the time. This will prevent the spread of an infection to the drive. It also helps in case of a ransomware infection, because the ransomware cannot access the backup drive at the time of encryption.
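A triage script for the data drive, as an added example that is not part of the original question or answer: it walks a drive and lists the kinds of files a drive worm typically leaves next to legitimate data (an autorun.inf in the root, executables on a drive that should hold only documents and media, double extensions like holiday.jpg.exe, and a .lnk shortcut shadowing a same-named folder). The file-type lists, the heuristics, and the sample tree it builds in a temp directory are all assumptions for illustration, not rules from the answer above; a hit means the drive deserves a full AV scan before anything is copied off it, not that malware was found.

```python
"""Triage a data drive for worm-style artifacts before backing it up.

Added example for the thread above; not code from the original poster or
answerer. It does not find or remove malware. It lists the kinds of files a
drive worm commonly drops next to legitimate data, so the result tells you
whether the drive needs a full AV scan or a wipe before anything is copied
off it. All heuristics are assumptions about typical worm behaviour.
"""
import os
import stat
import tempfile
from pathlib import Path

# Assumption: the drive holds documents and media only, so executables and
# script files are unexpected there and every hit is worth a look.
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                 ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
# Suffixes a worm likes to hide behind in a double extension (photo.jpg.exe).
DATA_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
                 ".xls", ".xlsx", ".txt", ".mp3", ".mp4", ".zip"}


def is_hidden(path: Path) -> bool:
    """Windows hidden attribute; always False on other platforms."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan_drive(root) -> dict[str, list[str]]:
    """Walk the drive and bucket suspicious paths (relative to root) by heuristic."""
    root = Path(root)
    findings: dict[str, list[str]] = {
        "autorun_inf": [],         # autorun.inf in the drive root
        "executables": [],         # any executable/script on a data-only drive
        "hidden_executables": [],  # executable carrying the hidden attribute
        "double_extension": [],    # report.pdf.exe, holiday.jpg.scr, ...
        "folder_shadow_lnk": [],   # Documents.lnk sitting next to a Documents folder
    }
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        sibling_dirs = {d.lower() for d in dirnames}
        for name in filenames:
            p = here / name
            rel = p.relative_to(root).as_posix()
            suffix = p.suffix.lower()
            if here == root and name.lower() == "autorun.inf":
                findings["autorun_inf"].append(rel)
            if suffix in EXEC_SUFFIXES:
                findings["executables"].append(rel)
                if is_hidden(p):
                    findings["hidden_executables"].append(rel)
                suffixes = [s.lower() for s in p.suffixes]
                if len(suffixes) >= 2 and suffixes[-2] in DATA_SUFFIXES:
                    findings["double_extension"].append(rel)
            # Classic USB-worm trick: hide the real folder, drop a same-named
            # shortcut that launches the worm and then opens the folder.
            if suffix == ".lnk" and p.stem.lower() in sibling_dirs:
                findings["folder_shadow_lnk"].append(rel)
    for bucket in findings.values():
        bucket.sort()
    return findings


def looks_infected(findings: dict[str, list[str]]) -> bool:
    """True if any heuristic fired; treat the drive as suspect, not as clean."""
    return any(findings.values())


def build_sample_drive() -> Path:
    """Constructed sample tree standing in for a data drive (placeholders, not real malware)."""
    root = Path(tempfile.mkdtemp(prefix="datadrive_"))
    (root / "Documents").mkdir()
    (root / "Photos").mkdir()
    (root / "Documents" / "report.docx").write_bytes(b"PK\x03\x04")
    (root / "Photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    # Worm-style artifacts, built as harmless stubs for the demo:
    (root / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
    (root / "setup.exe").write_bytes(b"MZ")
    (root / "Photos" / "holiday.jpg.exe").write_bytes(b"MZ")
    (root / "Documents.lnk").write_bytes(b"L\x00\x00\x00")
    return root


def triage_sample() -> dict[str, list[str]]:
    """Scan the constructed tree; the return value is what a real run would print."""
    return scan_drive(build_sample_drive())


if __name__ == "__main__":
    result = triage_sample()
    for bucket, paths in result.items():
        print(f"{bucket:20s} {paths}")
    print("drive looks suspect" if looks_infected(result) else "no worm-style artifacts found")
```

On a real drive, replace `build_sample_drive()` with `scan_drive("D:\\")` (or the mount point of the external SSD). The hidden-attribute check only works on Windows; on other systems that bucket stays empty and the remaining heuristics still apply.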