alanrf
Contributor III
Message 1 of 15

Downloader-BCS Trojan

After carrying out a full scan the Downloader-BCS trojan was reported and quarantined.

This was shown in the quarantine tab, but on rechecking before posting this I see that the entry has disappeared.

Why did it disappear?  I had just run a Quick Scan which found nothing; did this clear the quarantine file?

Can I assume that it has really been detected and removed?

Would it have been safe to leave this in quarantine?

If not how could I have removed it?

More to the point, however, as I have Real-Time Scanning turned on, why didn't this spot the trojan in the first place?   Why was it only spotted after a full scan?

Finally, was it perhaps some form of false positive?

14 Replies
exbrit
MVP
Message 2 of 15

Re: Downloader-BCS Trojan

Strange that it would disappear from the Quarantine folder without you actually deleting it from there.  Once a file is quarantined it is no longer harmful so there is no need to worry.

Just to double check make sure we are talking the same Quarantine folder.

Double-click the taskbar icon to open SecurityCenter

Click Navigation (top right)

Click Quarantined and Trusted Items lower down that list below

Click any of the 3 'drawers' to expand

It should show there until you either delete, restore or report it to McAfee for further checking.  (That latter action doesn't always work, depending on who is your ISP).

A full scan checks everything, everywhere, while the real-time scanner only looks for active files.

It's described here: http://vil.nai.com/vil/content/v_142494.htm

There is also the off-chance that it was a false alarm.


Message was edited by: Ex_Brit on 21/05/11 12:38:08 EDT PM
alanrf
Contributor III
Message 3 of 15

Re: Downloader-BCS Trojan

Yes, exactly the same folder.   The entry was there, in the top drawer, in fact.  I checked it and also checked the 'Remove' information tab.

I later carried out a Quick scan and after that the folder was empty.  I can understand why the quick scan may not see everything, obviously, but I cannot understand why that would have any effect on the contents of a quarantine folder.

I'll carry out another full scan and check if anything is found.   Incidentally there was some information somewhere that I found that seemed to imply that the latest DAT files and engine can automatically clear this trojan.

alanrf
Contributor III
Message 4 of 15 (Accepted Solution)

Re: Downloader-BCS Trojan

Just completed a Full scan which comes back clean.

All Quarantine drawers are empty now.  It looks likely that this was a false positive after all.

Message was edited by: alanrf on 22/05/11 12:03:03 GMT
exbrit
MVP
Message 5 of 15

Re: Downloader-BCS Trojan

Ah well I guess you can relax for a while then, all the best.  😉

That is puzzling though seeing an item in Quarantine that erases itself.    Maybe VirusScan changed its mind?

If that is possible.   I'm beginning to think anything is possible lately.


Message was edited by: Ex_Brit on 22/05/11 8:11:50 EDT AM
alanrf
Contributor III
Message 6 of 15

Re: Downloader-BCS Trojan

Thanks for your responses.

Best wishes

exbrit
MVP
Message 7 of 15

Re: Downloader-BCS Trojan

You're welcome.

Hayton
Reliable Contributor
Message 8 of 15

Re: Downloader-BCS Trojan

Downloader.BCS has been around for years but is still going. McAfee has had a detection for it since 2007 - see http://vil.nai.com/vil/content/v_142494.htm

Someone reported a McAfee detection of this recently at techsupportforum.com but does not say if it disappeared from quarantine :

Well for the first time in SUCH a long time, McAfee picked up a virus/Trojan. The Trojan was "downloader-bcs". And when McAfee picked it up, it was quarantined immediately (well I hope it was immediately LOL).

Rather alarmingly, there was a recent post in these forums (which went unanswered, unfortunately) also reporting that this Trojan was somehow missed by McAfee real-time scanning; so there is an infection method which is allowing the malware to be installed. The poster reports other malware picked up by a Full Scan :

I am running Windows 7 Home Premium 64-bit version with Internet Explorer 8 and automatic updates and user access control enabled. On 4/22, a manual full scan by McAfee Security Center found Downloader-BCS in:

C:\Users\Root\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\4020c329-42881d45

Subsequently, a manual full scan by Microsoft Safety Scanner also found TrojanDownloader:Java/OpenConnection.HH in

C:\Users\Christian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\101ce06f-29fa12b7->cpak/Crimepack.class

as well as Exploit:Java/CVE-2010-0840.AJ in

C:\Users\Christian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\2c8be69b-49027819->am/hodar.class.

Edit : I should have read the original post more closely. It says the Downloader was found after a Full Scan but does not mention any other malware. So another Full Scan (as originally advised) may not be necessary.

Message was edited by: Hayton on 22/05/11 15:58:51 IST
alanrf
Contributor III
Message 9 of 15

Re: Downloader-BCS Trojan

Yes, a second full scan came back clean, but the original  report also referred to the C:\Users\[username]\AppData\LocalLow\Sun\Java\Deployment\cache location.

I still wonder if it was some form of false positive.  I recall coming across something similar some years ago with some Epson software, which was reported as a virus.  I checked this out and reran the scan, (not McAfee), a few days later and it had 'disappeared'.

One would hope that McAfee is capable of dealing with an old established piece of malware, but you do occasionally see rather disparaging comments in the computer press about McAfee capabilities.

There again, I suppose no product is perfect; certainly with a competitor product I experienced all  sorts of odd issues, not least, and the final straw for me, was the disabling of all internet connection on one computer.  Instant solution was to dump it and use a different product.

Hayton
Reliable Contributor
Message 10 of 15

Re: Downloader-BCS Trojan

It may not be a false positive. The Java Exploit the other poster referred to can occur if the latest Java updates haven't been installed - see this Microsoft Malware Protection Center page for details. It gets installed because of a known (and patched) Java vulnerability, CVE-2010-0840.

When a user visits a website that contains the class using a computer that has a vulnerable version of Sun Java, security checks may be bypassed, allowing arbitrary code to be executed.

Symptoms

Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptoms.