We don't have confirmation yet that a normal McAfee scan, or even the Stinger tool, will take care of this. It does seem to be infecting quite a few systems - I've been checking on the other PC Help forums and they're all trying to deal with it too.
One thing to note is that this infection apparently disables many antivirus and antimalware programs, including the ones which are most usually recommended as trusty standbys. It even seems to stop GMER from running.
As far as I can see Open Cloud Security puts files in some user directories, including temp directories, which might be removable using simple disk-cleaning programs like CCleaner. This wouldn't remove the infection, but might disable it to some extent. I'll investigate.
In the meantime if anyone with this thing would care to try running HijackThis, the output might be useful as a rough guide to what files are being created by OCS. This looks like one of those pieces of malware that keeps changing its output file names to make it harder to find them. Someone said it's a polymorphic infection, and they're a pain because the code keeps changing - again, making them harder to detect.
The original list of created files was compiled a month ago, and may be different now (see the details HERE but be warned that some people are saying that the fix suggested there doesn't work now).
But look out for (and delete, if you feel like it) the following files:

%AppData%\OpenCloud Security\
%AppData%\OpenCloud Security\OpenCloud Security.exe
%AppData%\OpenCloud Security\OpenCloud Security.ico
%StartMenu%\Programs\OpenCloud Security\OpenCloud Security.lnk

File Location Notes:
%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> for Windows 2000/XP, C:\Users\<Current User> for Windows Vista/7, and c:\winnt\profiles\<Current User> for Windows NT.
%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Roaming.
%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\<Current User>\Start Menu\, and for Windows Vista/7 it is C:\Users\<Current User>\AppData\Roaming\Microsoft\Windows\Start Menu.

Message was edited by: Hayton on 04/10/11 03:56:13 IST
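The following PowerShell script is an added example and is not part of the thread or of any McAfee tool. It resolves the %AppData% and %StartMenu% placeholders from the File Location Notes above for every local user profile (both the 2000/XP and the Vista/7 layouts), reports which of the listed OpenCloud Security artifacts are present, also catches renamed "OpenCloud*" folders since the post says the names change, and prints a SHA-256 for each file so the sample can be zipped and submitted. It assumes administrative rights and that it is run from a clean context (a disk mounted on another machine, or a boot environment), because later posts report the infection terminating every .exe/.bat/.com within seconds; the SystemDrive parameter is an assumption for that offline case. Finding and deleting these files does not by itself clean the infection.

```powershell
# Added example (not from the McAfee thread): sweep every local user profile for the
# OpenCloud Security artifacts listed in the post and report what is present, with hashes.
# Assumptions: admin rights; run from a clean context (offline-mounted disk or boot CD),
# since the malware is reported to kill scanners as they start. PowerShell 2.0 compatible
# (no Get-FileHash, no -Directory switch), so it also works on a Windows 7 default install.

param(
    # Root of the volume to examine. Mount an infected disk on a clean PC and pass e.g. 'E:\'.
    [string]$SystemDrive = (Join-Path $env:SystemDrive '\')
)

function Get-ProfileRoots([string]$Drive) {
    # Vista/7 and 2000/XP keep user profiles under different parents; collect whichever exist.
    $roots = @()
    foreach ($parent in @('Users', 'Documents and Settings')) {
        $p = Join-Path $Drive $parent
        if (Test-Path -LiteralPath $p) {
            $roots += Get-ChildItem -LiteralPath $p |
                      Where-Object { $_.PSIsContainer } |
                      ForEach-Object { $_.FullName }
        }
    }
    return $roots
}

function Get-OpenCloudIndicators([string]$ProfileDir) {
    # Resolve the post's %AppData% and %StartMenu% placeholders for this profile,
    # trying both layouts described in the File Location Notes.
    $appDataCandidates = @(
        (Join-Path $ProfileDir 'AppData\Roaming'),    # Vista/7
        (Join-Path $ProfileDir 'Application Data')    # 2000/XP
    )
    $startMenuCandidates = @(
        (Join-Path $ProfileDir 'AppData\Roaming\Microsoft\Windows\Start Menu'),  # Vista/7
        (Join-Path $ProfileDir 'Start Menu')                                      # 2000/XP
    )
    $paths = @()
    foreach ($ad in $appDataCandidates) {
        # The fixed names from the post.
        $paths += Join-Path $ad 'OpenCloud Security'
        $paths += Join-Path $ad 'OpenCloud Security\OpenCloud Security.exe'
        $paths += Join-Path $ad 'OpenCloud Security\OpenCloud Security.ico'
        # The post warns the names change, so also catch any 'OpenCloud*' folder or file here.
        if (Test-Path -LiteralPath $ad) {
            Get-ChildItem -LiteralPath $ad -Filter 'OpenCloud*' |
                ForEach-Object { $paths += $_.FullName }
        }
    }
    foreach ($sm in $startMenuCandidates) {
        $paths += Join-Path $sm 'Programs\OpenCloud Security\OpenCloud Security.lnk'
    }
    return $paths | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -Unique
}

function Get-Sha256Hex([string]$Path) {
    # Hash the file so the sample can be identified in the submission / Analysis ID.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

foreach ($profileDir in Get-ProfileRoots $SystemDrive) {
    foreach ($hit in Get-OpenCloudIndicators $profileDir) {
        $item = Get-Item -LiteralPath $hit
        if ($item.PSIsContainer) {
            Write-Output ("DIR   {0}" -f $hit)
        } else {
            Write-Output ("FILE  {0}  sha256={1}  mtime={2:u}" -f $hit, (Get-Sha256Hex $hit), $item.LastWriteTime)
        }
    }
}
```

Run it as `.\Find-OpenCloud.ps1 -SystemDrive 'E:\'` against a mounted infected disk. Copy any reported .exe into a password-protected zip before deleting it, so the researchers asked for samples further down the thread have something to work with; the hash and modification time give you something to quote when the file is submitted.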
A document started re this issue here
Our organization has also seen this trojan. It is nasty. Turns off McAfee. Can't run any programs. SYSTEM RESTORE doesn't work. The typical "bleeping computer" SAFE MODE w/NETWORKING removal posts etc. don't work against this thing. RKILL doesn't work. Stinger did not work.
We salvaged user data and then re-imaged the computer to a fresh copy of the OS. That is the only recourse to fix this infection that we have found that works at this time.
If McAfee could step up and provide:
a. detection - so the threat does not get through and
b. cleaning - some way of cleaning this attack so a re-image is not needed - that would be great.
McAfee is vulnerable at 8.0, 8.5, and 8.7.
One user claims getting the infection off of <sites removed - Sam> - so beware of those sites - they may be infected.

Message was edited by: SamSwift - I've removed the site names in case people try to access them. Have also submitted them to our web reputation folks for review on 04/10/11 16:18:41 IST
We're investigating this now - there are some new detections going into tomorrow's FakeAlert Stinger for this threat. Additionally there are a bunch of researchers looking at some new submissions. If you are able to send us samples, please follow this document and let us know the ID numbers.
Are you able to run Stinger if it's renamed to stinger.com?
Thanks for the reply.
Unfortunately we are a business and cannot afford to keep the user out of the water, so to speak. So after four hours of unsuccessful attempts at cleaning Open Cloud, we had to bite the bullet and reimage the computer. I no longer have the infected system as a specimen.
Like Spybot, MBAM, Stinger, and others... .exe, .bat, .com all ran for about two seconds and then were terminated. If it hits us again, I will have your document in hand and will provide you with all of the information you ask for.
The sites were posted as a warning that this is where our users are alleged to have picked up this infection. It is just as well that the names were removed, as it was purely anecdotal and unsubstantiated.
We will update enterprise-wide to DAT Version 6489 when it is released.
I think I found the file you want. I zipped it and password protected it as requested.
Analysis ID: 6746748
The email says I should update my DAT and engine files and rescan my computer. How am I supposed to do that when Open Cloud prevents me from opening and running anything? Can I access a WIFI connection in Safe Mode?
McAfee has detection on this file in Beta DAT as FakeAlert-GA.gen.e. FakeAlert Stinger will also detect and delete this file.
Could you please try to boot into Safe Mode and run the FakeAlert Stinger?
Is there a new Stinger? I tried this yesterday and it didn't work. I am a complete newb at this. Also, what do I do with the .dat file I received after submitting the virus sample?

Message was edited by: moxiesue on 10/4/11 11:42:53 AM CDT
Sorry missed your 2nd question.
Is it an extra.dat?