Has the WinXP ISO recommendation been vetted and validated?

[ITmaze]

The WinXP UTM gallery at https://mac.getutm.app/gallery/windows-xp provides a reference and SHA for a Windows XP installation ISO. When I used this ISO (archive.org with matching SHA) I observed unusual behaviour.

• Create the VM as per the instructions
• Start the installer
• Wait for the first reboot
• After the WinXP boot screen first appears before the graphical installer starts, a progress dialog box appears
• It shows something like "uncompressing 7z"
• Then the installer starts as usual

To my knowledge WinXP does not support the 7-zip format out of the box, nor have I ever seen such a message and I've installed WinXP from ISO dozens of times over the years on all manner of different hardware.

Has this ISO actually been vetted and validated as being without any injected malware?

[LukeHandle]

Viewing the ISO contents via archive.org and I see a few mentions of 7z:

• OEM/bin/un7zip.exe
• OEM/bin/DPsFnshr.7z
• OEM/DPM1209.7z

Not a super reliable measure, but DPM1209.7z does have some hits that it might contain a trojan, eg. https://www.bleepingcomputer.com/forums/t/517344/dirty-encrypt-virus-strikes-again/

E:\media\Microsoft.Windows.XP.Professional.SP3.x86.Integrated.December.2012-Maherz\OEM\DPM1209.7z Win32/Filecoder.BH.Gen trojan deleted - quarantined

And, uploading to VT:
https://www.virustotal.com/gui/file/eff876c4e01a88af8b0e58c142bea76ff40e38faa075e1b7189a7c169c3f4083

Some of the included executables in DPsFnshr.7z also flag:

• https://www.virustotal.com/gui/file/9eaed2695ad551993acf29468359cef3fa1e772dbbe86cef30865cebf80eb0cc/summary
• https://www.virustotal.com/gui/file/ed8d47909aa16dea063b175af046eac3fd589012a7ea94ed5de62430e485df2e/summary
• https://www.virustotal.com/gui/file/4b453c1ba35625ab44bc7f7196e6331e883866d42562dfe0c0bec1aa37149792/summary

BUT, the presence of these files is partly explained by the "_Incl_SATA_Drivers" - these aren't in organic XP ISOs. I don't think it's conclusive that these are malicious though - the VT results only show concern from a subset of engines

REM Written by Jeff Herre AKA OverFlow rev08.12.1
REM A Script to use MicroSofts DPInst.exe with the DriverPacks.
REM Help and Support available at http://forum.DriverPacks.net
TITLE DriverPacks.net Stand Alone Driver Updater & Color 9f

[ErikTheAweful]

OverFlow here,

that image has had DriverPacks added (SlipStreamed) into the windows installation package. Out of the box windows has a very limited set of supported drivers for hardware. the driverpacks adds hundreds or even thousands of drivers to the base install so that most all hardware available at that time would be natively supported by the installation... it was necessary to compress the drivers to make them fit on a CD and eventually a DVD for installation. 7zip was the best method to achieve maximum compression so they would fit. At the DPS website i believe you can still get the hash for the driverpacks files to verify they are original and unmodified. At the time of release these files got millions of downloads a day... the original files are safe

Yes the MD5 Checksums are still listed http://driverpacks.net/driverpacks