14 Replies. Latest reply on May 23, 2011 7:52 AM by exbrit

    Downloader-BCS Trojan

      After carrying out a full scan the Downloader-BCS trojan was reported and quarantined.

       

      This was shown in the quarantine tab, but on rechecking before posting this I see that the entry has disappeared.

      Why did it disappear?  I had just run a Quick Scan which found nothing; did this clear the quarantine file?

       

       

      Can I assume that it has really been detected and removed?

       

      Would it have been safe to leave this in quarantine?

       

      If not how could I have removed it?

       

       

      More to the point, however, as I have Real-Time Scanning turned on, why didn't this spot the trojan in the first place?   Why was it only spotted after a full scan?

       

      Finally, was it perhaps some form of false positive?

        • 1. Re: Downloader-BCS Trojan
          exbrit

          Strange that it would disappear from the Quarantine folder without you actually deleting it from there.  Once a file is quarantined it is no longer harmful so there is no need to worry.

           

          Just to double check make sure we are talking the same Quarantine folder.

           

          Double-click the taskbar icon to open SecurityCenter

          Click Navigation (top right)

          Click Quarantined and Trusted Items lower down that list below

          Click any of the 3 'drawers' to expand

          It should show there until you either delete, restore or report it to McAfee for further checking.  (That latter action doesn't always work, depending on who is your ISP).

           

          A full scan checks everything, everywhere, while the real-time scanner only looks for active files.

           

          It's described here: http://vil.nai.com/vil/content/v_142494.htm

           

          There is also the off-chance that it was a false alarm.

           


           

          Message was edited by: Ex_Brit on 21/05/11 12:38:08 EDT PM
          • 2. Re: Downloader-BCS Trojan

            Yes, exactly the same folder.   The entry was there, in the top drawer, in fact.  I checked it and also checked the 'Remove' information tab.

             

            I later carried out a Quick scan and after that the folder was empty.  I can understand why the quick scan may not see everything, obviously, but I cannot understand why that would have any effect on the contents of a quarantine folder.

             

            I'll carry out another full scan and check if anything is found.   Incidentally there was some information somewhere that I found that seemed to imply that the latest DAT files and engine can automatically clear this trojan.

            • 3. Re: Downloader-BCS Trojan

              Just completed a Full scan which comes back clean.

               

              All Quarantine drawers are empty now.  It looks likely that this was a false positive after all.

               

              Message was edited by: alanrf on 22/05/11 12:03:03 GMT
              • 4. Re: Downloader-BCS Trojan
                exbrit

                Ah well I guess you can relax for a while then, all the best.  ;-)

                 

                That is puzzling though seeing an item in Quarantine that erases itself.    Maybe VirusScan changed its mind?

                 

                If that is possible.   I'm beginning to think anything is possible lately.

                 


                 

                Message was edited by: Ex_Brit on 22/05/11 8:11:50 EDT AM
                • 5. Re: Downloader-BCS Trojan

                  Thanks for your responses.

                   

                   

                  Best wishes

                  • 6. Re: Downloader-BCS Trojan
                    exbrit

                    You're welcome.

                    • 7. Re: Downloader-BCS Trojan
                      Hayton

                      Downloader.BCS has been around for years but is still going. McAfee has had a detection for it since 2007 - see http://vil.nai.com/vil/content/v_142494.htm

                       

                      Someone reported a McAfee detection of this recently at techsupportforum.com but does not say if it disappeared from quarantine :

                      Well for the first time in SUCH a long time, McAfee picked up a virus/Trojan. The Trojan was "downloader-bcs". And when McAfee picked it up, it was quarantined immediately (well I hope it was immediately LOL).

                       

                      Rather alarmingly, there was a recent post in these forums (which went unanswered, unfortunately) also reporting that this Trojan was somehow missed by McAfee real-time scanning; so there is an infection method which is allowing the malware to be installed. The poster reports other malware picked up by a Full Scan :

                      I am running Windows 7 Home Premium 64-bit version with Internet Explorer 8 and automatic updates and user access control enabled. On 4/22, a manual full scan by McAfee Security Center found Downloader-BCS in:

                      C:\Users\Root\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\4020c329-42881d45

                       

                      Subsequently, a manual full scan by Microsoft Safety Scanner also found TrojanDownloader:Java/OpenConnection.HH in

                      C:\Users\Christian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\101ce06f-29fa12b7->cpak/Crimepack.class

                       

                      as well as Exploit:Java/CVE-2010-0840.AJ in

                      C:\Users\Christian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\2c8be69b-49027819->am/hodar.class.

                       

                      Edit : I should have read the original post more closely. It says the Downloader was found after a Full Scan but does not mention any other malware. So another Full Scan (as originally advised) may not be necessary.

                       

                      Message was edited by: Hayton on 22/05/11 15:58:51 IST
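
The findings quoted in the post above all sit in the per-user Java deployment cache, some with a `->member` suffix naming a class inside the cached archive. As an added example (not part of the thread and not McAfee or Microsoft code), this Python helper splits such scan-report lines into profile, cache entry and archive member so hits can be grouped per cached download; the function names, sample paths and the `Example-Detection` entry are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout seen in the quoted reports:
#   C:\Users\<profile>\AppData\LocalLow\Sun\Java\Deployment\cache\<ver>\<bucket>\<entry>
CACHE_RE = re.compile(
    r"^[A-Za-z]:\\Users\\(?P<profile>[^\\]+)\\AppData\\LocalLow\\Sun\\Java"
    r"\\Deployment\\cache\\(?P<version>[^\\]+)\\(?P<bucket>\d+)"
    r"\\(?P<entry>[0-9a-f]+-[0-9a-f]+)$",
    re.IGNORECASE,
)

def parse_detection(detection, location):
    """Split one finding into cache entry and archive member.

    Scanners write 'container->member' when the hit is inside an archive.
    Returns None when the location is outside the Java deployment cache.
    """
    # Drop a sentence-ending period that may trail a pasted path.
    container, _, member = location.strip().rstrip(".").partition("->")
    container = container.strip()
    match = CACHE_RE.match(container)
    if match is None:
        return None
    return {**match.groupdict(), "detection": detection,
            "container": container, "member": member or None}

def group_by_entry(findings):
    """Group cache hits by (profile, cached file) so each download is listed once."""
    grouped = defaultdict(list)
    for detection, location in findings:
        hit = parse_detection(detection, location)
        if hit is not None:
            grouped[(hit["profile"], hit["container"])].append(hit)
    return dict(grouped)

# Constructed sample findings (not taken from any real scan).
SAMPLE = [
    ("Downloader-BCS",
     r"C:\Users\alice\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\0a1b2c3d-4e5f6a7b"),
    ("Exploit:Java/CVE-2010-0840.AJ",
     r"C:\Users\alice\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\1a2b3c4d-5e6f7a8b->am/example.class."),
    ("Example-Detection", r"C:\Program Files\Example\app.exe"),
]

if __name__ == "__main__":
    for (profile, container), hits in group_by_entry(SAMPLE).items():
        names = ", ".join(h["detection"] for h in hits)
        print(f"{profile}: {container} -> {names}")
```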
                      • 8. Re: Downloader-BCS Trojan

                        Yes, a second full scan came back clean, but the original  report also referred to the C:\Users\[username]\AppData\LocalLow\Sun\Java\Deployment\cache location.

                         

                         

                        I still wonder if it was some form of false positive.  I recall coming across something similar some years ago with some Epson software, which was reported as a virus.  I checked this out and reran the scan, (not McAfee), a few days later and it had 'disappeared'.

                         

                        One would hope that McAfee is capable of dealing with an old established piece of malware, but you do occasionally see rather disparaging comments in the computer press about McAfee capabilities. 

                         

                        There again, I suppose no product is perfect; certainly with a competitor product I experienced all  sorts of odd issues, not least, and the final straw for me, was the disabling of all internet connection on one computer.  Instant solution was to dump it and use a different product.

                        • 9. Re: Downloader-BCS Trojan
                          Hayton

                          It may not be a false positive. The Java Exploit the other poster referred to can occur if the latest Java updates haven't been installed - see this Microsoft Malware Protection Center page for details. It gets installed because of a known (and patched) Java vulnerability, CVE-2010-0840.

                          When a user visits a website that contains the class using a computer that has a vulnerable version of Sun Java, security checks may be bypassed, allowing arbitrary code to be executed.

                          Symptoms

                          Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptoms.