
Why does disinfecting PlugX from a drive risk deleting legitimate data stored on it?

Çağlar Arlı


Ars Technica's April 24, 2024 article "Millions of IPs remain infected by USB worm years after its creators left it for dead" begins with:

Ability of PlugX worm to live on presents a vexing dilemma: Delete it or leave it be.

and says later:

The researchers noted that the zombie worm has remained susceptible to takeover by any threat actor who gains control of the IP address or manages to insert itself into the pathway between the server at that address and an infected device. That threat poses interesting dilemmas for the governments of affected countries. They could choose to preserve the status quo by taking no action, or they could activate a self-delete command built into the worm that would disinfect infected machines. Additionally, if they choose the latter option, they could elect to disinfect only the infected machine or add new functionality to disinfect any infected USB drives that happen to be connected.

Because of how the worm infects drives, disinfecting them risks deleting the legitimate data stored on them. On the other hand, allowing drives to remain infected makes it possible for the worm to start its proliferation all over again. Further complicating the decision-making process, the researchers noted that even if someone issues commands that disinfect any infected drives that happen to be plugged in, it’s inevitable that the worm will live on in drives that aren’t connected when a remote disinfect command is issued.

What is the cause of this risk to legitimate data? Is it only the self-deletion method for disinfection that carries the risk of data deletion on the infected drive, or is this risk present for all forms of disinfection?


Potentially related: PlugX is mentioned in this answer to "What does 'verified file' in Windows mean? And does it guarantee related files?"