MAC.OSX.Trojan.FakeAlert.M what sort of threat?

Discussion in 'iMac' started by Tim in Scottsdale, Aug 4, 2016.

  1. Tim in Scottsdale macrumors member

    Joined:
    Mar 13, 2016
    Location:
    Scottsdale Arizona
    #1
    Guys

    This crept into my Time Machine external backup drive, a WD 500 gig Passport device, and an erase of that drive failed to delete it.

    How can I get rid of this thing?

    Bitdefender is telling me "unable to quarantine"

    I just bought the external drive a week ago.

    iMac 21.5
     
  2. cynics macrumors G4

    Joined:
    Jan 8, 2012
    #2
    You erased your Passport and it's still there?

    Have you tried running Malwarebytes on your system?
     
  3. Tim in Scottsdale thread starter macrumors member

    Joined:
    Mar 13, 2016
    Location:
    Scottsdale Arizona
    #3
    Yes and yes.

    Malwarebytes doesn't address the external drive.
     
  4. maflynn Moderator

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #4
    I'd say your system is infected by it, so until you remove it from your system drive, you'll not be able to clean it up from the external drive.

    Have you tried using Malwarebytes on your system (with the external drive disconnected), making sure it's clean, then reconnecting the external drive and reformatting?

    So in your OP, you mentioned it's still on the external drive after a reformat - Just out of curiosity, where does it exist, in the root?
     
  5. Tim in Scottsdale thread starter macrumors member

    Joined:
    Mar 13, 2016
    Location:
    Scottsdale Arizona
    #5
    Hello


    I have installed Bitdefender, Malwarebytes, Sophos and Easyfind.

    I am scanning the iMac hard drive right now with Sophos, and it is taking all night!

    I am not experienced enough to look into the external drive to determine where the bug is hiding; I'll have to get back to you on that.
     
  6. thomasareed macrumors member

    Joined:
    Aug 24, 2015
    #6
    Tim,

    MAC.OSX.Trojan.FakeAlert is one name that some security companies use to refer to MacDefender, which is very old malware that has long been extinct. See the following examples on VirusTotal, which some vendors call MAC.OSX.Trojan.FakeAlert, but others call MacDefender.

    https://www.virustotal.com/en/file/...666ef2dcb337ce9fa6cd653c6d2903cef25/analysis/
    https://www.virustotal.com/en/file/...d82cf88733dc4f397c955b1ec8d5f40cde9/analysis/

    For some additional information about MacDefender, see:

    http://www.thesafemac.com/?s=macdefender

    Now, it seems rather unlikely that your backup drive could have a copy of MacDefender in it, unless it's got data in it that is several years old and you once had a copy of MacDefender on your hard drive. Further, it's utterly impossible for any threat to remain on a hard drive after it has been erased (assuming that you erased it using Disk Utility). So, as I see it, there are two possibilities.

    First, it could be a false positive that's triggering on something specific about the Time Machine backup. That would explain why Bitdefender is only finding it on the backup, and why it came back after erasing the drive.

    Second, it could be that Bitdefender is using that name to refer to something that is not MacDefender. (Why they would do such a thing, I don't know... but naming conventions of malware are quite inconsistent.) That could explain how it got back into the backup again. However, I can't say why it would be finding it only in the backup and not on the main hard drive; that doesn't make much sense. For that reason, my money's on the first explanation.
     
  7. Tim in Scottsdale thread starter macrumors member

    Joined:
    Mar 13, 2016
    Location:
    Scottsdale Arizona
    #7
    Guys

    Not a huge threat to me, this is a phishing 'redirector' to bogus websites looking for credit card info. I have no credit cards!
     
  8. thomasareed macrumors member

    Joined:
    Aug 24, 2015
    #8
    Tim,

    Not sure what you're referring to... If you're talking about MacDefender, I wouldn't really classify it as phishing, but yes, essentially the scam was to get you to pay for fake anti-virus software to remove a fake virus from your computer. However, as I said, it's exceedingly unlikely that that is what this actually is.
     
  9. Tim in Scottsdale thread starter macrumors member

    Joined:
    Mar 13, 2016
    Location:
    Scottsdale Arizona
  10. thomasareed macrumors member

    Joined:
    Aug 24, 2015
    #10
    Tim,

    ...

    Not sure how that's related. You CANNOT pick up a MacDefender infection at this point, even from a porn site. It's been extinct for a while now.
     
  11. Tim in Scottsdale thread starter macrumors member

    Joined:
    Mar 13, 2016
    Location:
    Scottsdale Arizona
    #11
    Hello

    I get a lot of "your computer is infected" popups, all of them during porn site visits.
     
  12. thomasareed macrumors member

    Joined:
    Aug 24, 2015
    #12
    Tim,

    Pop-ups from Bitdefender, or from the site itself? I'm guessing the latter, since if it was Bitdefender, it wouldn't just be triggering on your Time Machine backups in such situations. If you're getting pop-ups from a website telling you that you're infected, they're scams. Ignore them, and avoid the site that you were on when they appeared.
     
  13. cynics macrumors G4

    Joined:
    Jan 8, 2012
  14. thomasareed macrumors member

    Joined:
    Aug 24, 2015
    #14
    There is no such malware.
     
  15. Tim in Scottsdale thread starter macrumors member

    Joined:
    Mar 13, 2016
    Location:
    Scottsdale Arizona
    #15
    Guys

    I started the Sophos scan last night, and plugged in the external Time Machine drive this morning. The scan took 23! hours, and found 1 threat, but Sophos did not report what threat or what drive it was on, or how Sophos dealt with it, pretty vague. I have to get with those guys and find out how to interpret the scan.
     
  16. Tim in Scottsdale, Aug 6, 2016
    Last edited: Aug 6, 2016

    Tim in Scottsdale thread starter macrumors member

    Joined:
    Mar 13, 2016
    Location:
    Scottsdale Arizona
    #16
    Guys

    I think I found the files for this virus in a folder called "Resources". The biggest item in there is called "mcshdr.pax.gz" and nothing I tried will delete it. Any ideas for deleting this menace?

     
  17. thomasareed macrumors member

    Joined:
    Aug 24, 2015
    #17
    Knowing nothing more about that file than the name, it's impossible to say whether it's legit or not. Where is this file, and for what reason have you decided that it's a "virus?"
     
  18. Tim in Scottsdale thread starter macrumors member

    Joined:
    Mar 13, 2016
    Location:
    Scottsdale Arizona
    #18
    Hello

    Bitdefender has labelled it as a threat, and it is proving difficult to erase. It is on my iMac hard drive and on my WD outboard Time Machine backup drive.
     
  19. thomasareed macrumors member

    Joined:
    Aug 24, 2015
    #19
    Where specifically on the hard drive is it? I would need to have something like a full path to the file in order to have context.

    Try uploading that file to VirusTotal (www.virustotal.com). What does that say about it?
     
