Reliable Contributor Hayton
Reliable Contributor
Message 11 of 52

Re: Open Cloud Security malware has hijacked network computer

We don't have confirmation yet that a normal McAfee scan, or even the Stinger tool, will take care of this. It does seem to be infecting quite a few systems - I've been checking on the other PC Help forums and they're all trying to deal with it too.

One thing to note is that this infection apparently disables many antivirus and antimalware programs, including the ones which are most usually recommended as trusty standbys. It even seems to stop GMER from running.

As far as I can see Open Cloud Security puts files in some user directories, including temp directories, which might be removable using simple disk-cleaning programs like CCleaner. This wouldn't remove the infection, but might disable it to some extent. I'll investigate.

In the meantime if anyone with this thing would care to try running HijackThis, the output might be useful as a rough guide to what files are being created by OCS. This looks like one of those pieces of malware that keeps changing its output file names to make it harder to find them. Someone said it's a polymorphic infection, and they're a pain because the code keeps changing - again, making them harder to detect.

The original list of created files was compiled a month ago, and may be different now (see the details HERE but be warned that some people are saying that the fix suggested there doesn't work now).

But look out for (and delete, if you feel like it) the following files :

%AppData%\OpenCloud Security\
%AppData%\OpenCloud Security\OpenCloud Security.exe
%AppData%\OpenCloud Security\OpenCloud Security.ico
%AppData%\OpenCloud Security\wf.conf
%StartMenu%\Programs\OpenCloud Security\
%StartMenu%\Programs\OpenCloud Security\OpenCloud Security.lnk
%UserProfile%\Desktop\OpenCloud Security.lnk

File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> for Windows 2000/XP, C:\Users\<Current User> for Windows Vista/7, and c:\winnt\profiles\<Current User> for Windows NT.


%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Roaming.


%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\<Current User>\Start Menu\, and for Windows Vista/7 it is C:\Users\<Current User>\AppData\Roaming\Microsoft\Windows\Start Menu.

Message was edited by: Hayton on 04/10/11 03:56:13 IST
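The indicator list and location notes above, turned into a report-only sweep of every local user profile. This is an added PowerShell example written for this page, not code from the forum post or from McAfee: it maps %AppData% and %StartMenu% to the per-OS folders the notes give (Vista/7 layout under C:\Users, 2000/XP layout under C:\Documents and Settings), tests for each listed path, and records size, timestamp and SHA-256 so a hit can be referenced when submitting a sample. Nothing is deleted. It assumes it is run as an administrator from a clean environment (an offline recovery boot or Safe Mode), since the post notes the infection terminates tools on a live system, and Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example (not from the forum post): sweep local user profiles for the
# OpenCloud Security indicator paths listed above. Report-only; nothing is deleted.
# Assumptions: run elevated from a clean boot; PowerShell 4+ for Get-FileHash.

# Relative paths from the post, grouped by the profile folder they hang off.
$AppDataIndicators = @(
    'OpenCloud Security',
    'OpenCloud Security\OpenCloud Security.exe',
    'OpenCloud Security\OpenCloud Security.ico',
    'OpenCloud Security\wf.conf'
)
$StartMenuIndicators = @(
    'Programs\OpenCloud Security',
    'Programs\OpenCloud Security\OpenCloud Security.lnk'
)
$ProfileIndicators = @('Desktop\OpenCloud Security.lnk')

# Profile roots for both layouts named in the location notes.
$ProfileRoots = @('C:\Users', 'C:\Documents and Settings') | Where-Object { Test-Path $_ }

function Get-OpenCloudIndicators {
    param([string[]]$Roots = $ProfileRoots)

    foreach ($root in $Roots) {
        foreach ($userDir in Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue) {
            # Resolve %AppData% and %StartMenu% for this profile per the notes above.
            if ($root -like 'C:\Users*') {
                $appData   = Join-Path $userDir.FullName 'AppData\Roaming'
                $startMenu = Join-Path $appData 'Microsoft\Windows\Start Menu'
            } else {
                $appData   = Join-Path $userDir.FullName 'Application Data'
                $startMenu = Join-Path $userDir.FullName 'Start Menu'
            }

            $candidates  = @()
            $candidates += $AppDataIndicators   | ForEach-Object { Join-Path $appData $_ }
            $candidates += $StartMenuIndicators | ForEach-Object { Join-Path $startMenu $_ }
            $candidates += $ProfileIndicators   | ForEach-Object { Join-Path $userDir.FullName $_ }

            foreach ($path in $candidates) {
                if (-not (Test-Path -LiteralPath $path)) { continue }
                $item = Get-Item -LiteralPath $path -Force
                # Hash files only; the SHA-256 identifies the sample when it is submitted.
                $hash = if ($item.PSIsContainer) { $null } else {
                    (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                }
                [PSCustomObject]@{
                    Profile   = $userDir.Name
                    Path      = $path
                    IsFolder  = $item.PSIsContainer
                    SizeBytes = $item.Length
                    LastWrite = $item.LastWriteTime
                    SHA256    = $hash
                }
            }
        }
    }
}

# Usage: list every hit across all profiles.
Get-OpenCloudIndicators | Format-Table -AutoSize
```

Because the post says the file names change between variants, an empty result does not prove a machine is clean; it only confirms the names known a month earlier are absent. Adding the hashes of any hits to the sample submission gives the researchers something stable to match against.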
Reliable Contributor Peacekeeper
Reliable Contributor
Message 12 of 52

Re: Open Cloud Security malware has hijacked network computer

Our organization has also seen this trojan. It is nasty. Turns off McAfee. Can't run any programs. SYSTEM RESTORE doesn't work. The typical "bleeping computer" SAFE MODE w/NETWORKING removal posts etc. don't work against this thing. RKILL doesn't work. Stinger did not work.

We salvaged user data and then re-imaged the computer to a fresh copy of the OS. That is the only recourse to fix this infection that we have found that works at this time.

If McAfee could step up and provide:

a. detection - so the threat does not get through and

b. cleaning - some way of cleaning this attack so a re-image is not needed - that would be great.

McAfee is vulnerable at 8.0, 8.5, and 8.7.

One user claims getting the infection off of <sites removed - Sam> - so beware of those sites - they may be infected.

Message was edited by: SamSwift - I've removed the site names in case people try to access them. Have also submitted them to our web reputation folks for review on 04/10/11 16:18:41 IST
SamSwift
Level 12
Message 14 of 52

Re: Open Cloud Security malware has hijacked network computer

Hi,

We're investigating this now - there are some new detections going into tomorrow's fakealert stinger for this threat. Additionally there are a bunch of researchers looking at some new submissions. If you are able to send us samples please follow this document and let us know the ID numbers.

Are you able to run Stinger if it's renamed to stinger.com?

Sam

Re: Open Cloud Security malware has hijacked network computer

Thanks for the reply.

Unfortunately we are a business and can not afford to keep the user out of the water, so to speak. So after four hours of unsuccessful attempts at cleaning Open Cloud - we had to bite the bullet and reimage the computer. I no longer have the infected system as a specimen.

Like Spybot, MBAM, Stinger, and others....exe, .bat, .com all ran for about two seconds and then were terminated. If it hits us again-I will have your document in hand and will provide you with all of the information you ask for.

The sites were posted as a warning that this is where our users alleged to have picked up this infection-it is just as well that the names were removed-as it was purely anecdotal and unsubstantiated.

We will update enterprise-wide to DAT Version 6489 when it is released.

Re: Open Cloud Security malware has hijacked network computer

I think I found the file you want.  I zipped it and password protected it as requested.

Analysis ID: 6746748

The email says I should update my DAT and engine files and rescan my computer.  How am I supposed to do that when Open Cloud prevents me from opening and running anything?  Can I access a WIFI connection in Safe Mode? 

nownitin
Level 12
Message 17 of 52

Re: Open Cloud Security malware has hijacked network computer

McAfee has detection on this file in Beta DAT as FakeAlert-GA.gen.e. FakeAlert Stinger will also detect and delete this file.

Could you please try to run in Safe Mode and run the FakeAlert Stinger.

Regards,

Nitin

Re: Open Cloud Security malware has hijacked network computer

Is there a new stinger?  I tried this yesterday and it didn't work.  I am a complete newb at this.  Also, what do I do with the .dat file I received after submitting the virus sample?

Message was edited by: moxiesue on 10/4/11 11:42:53 AM CDT
Reliable Contributor exbrit
Reliable Contributor
Message 19 of 52

Re: Open Cloud Security malware has hijacked network computer

Reliable Contributor exbrit
Reliable Contributor
Message 20 of 52

Re: Open Cloud Security malware has hijacked network computer
