Trojan:Win32/Occamy.AA


  1. Posts : 151
    Windows 10 Home, 64-Bit
       #1

    Trojan:Win32/Occamy.AA


    Windows Defender found "Trojan:Win32/Occamy.AA" on my computer.

    It shows
    Alert level: Severe
    Status: Failed

    It was actually found on a virtually mounted .iso file, on the E: drive.

    1. What does Status: Failed mean?
    2. Has it been removed from my machine? I did install the software that the .iso file had, but I uninstalled it afterward with Revo Uninstaller...
    Last edited by Sweetsweetcorn; 26 Jun 2020 at 12:43.
      My Computer


  2. Posts : 161
    Windows 10
       #2

    To be brutally honest with you the message you received means the malware has potentially compromised your system and Windows Security failed to remove it. This happens very often if and when a system is compromised with malware that can successfully evade detection and/or removal. Antivirus evasion is old news these days and it's a feature built into most malware that has been crafted with the intention of doing something well. For malware to do whatever it is doing well it has to first be extremely impervious to interference in any way from security software. I've made quite a few posts talking about this very point and it's unfortunate to see what I said be reinforced by the reality when it happens.

    I'm guessing that the .iso file you mounted could perhaps have been pirated software? It's very rare you'll find genuine and official software coming laden with malware unless there has been a supply chain attack where an attacker basically attacks the very means of getting software out to the masses so to eradicate any risk of having to build trust through techniques like social engineering. Why go to loads of effort trying to fool someone into putting malware on a computer when you can attack the source and guarantee a very high degree of trust from the start? If it is pirated software, and you don't need to comment as to whether it is, ensure that you're doing everything in your power to reduce the risks. Pirated software has always come with risks, the biggest among them the fact that there is very little 'insurance' when you choose to go the black market route.

    Can you upload the .iso to VirusTotal? You'll get a far more comprehensive assessment of what the malware is on there. Individual security software tends to slightly differentiate their names for these things, but after the scan you'll be able to see what every known scanner calls this particular threat once it is found. When it has finished uploading, if you can upload the screenshot here that will help in determining what to do next. It also helps you determine whether it is a false positive or whether it could potentially be a real threat and your computer may have been compromised.
      My Computer


  3. Posts : 1,604
    Win 10 home 20H2 19042.1110
       #3
      My Computers


  4. Posts : 161
    Windows 10
       #4

    I would recommend downloading Autoruns by Sysinternals and then booting into 'Safe Mode with Networking'. Then run Autoruns from the folder you extracted it from and start checking what is scheduled to start when Windows starts and/or at login. Malware aims for persistence after it has compromised the host computer. It does this by creating registry entries, services and pretty much anything else that can and will run and maintain persistence. Persistence is a term to describe the action malware takes when it wants to hang around for the long haul. Registry entries are very common, as are services. You can usually easily spot them and also you'll find they are not verified/signed. Make sure you check for each user, particularly system users like NT AUTHORITY\SYSTEM etc., as these are system users which malware aims to gain access to in order to have complete control over the system. They do this by stealing authentication tokens for that particular user (using fancy tools like Mimikatz) in order to escalate privileges and then expand access across the system. Lots of what happens on a Windows computer happens way above users like your own, especially those which require extensive privileges across the entire system and potentially elsewhere such as is the case with domains.

    Alternatively if you could screenshot the results it might be possible to highlight some potentially suspicious files.

    As stated above by Jaycee, a virus scan could suffice. But you're gambling on it being able to first detect it and secondly remove it. It's probably best to know right now, though, that different AV scanners may have different results. Some malware (especially new variants) is designed to evade particular brands. Over time, though, with information sharing across the security community, all antivirus companies get in the know and update their software. I'm guessing that if Windows Security detected this threat it's been known for quite some time, potentially months or even years. Fortunately this makes it easier to remove as there has been substantial research into dissecting how it works and, most importantly, what can be done to remove it.

    If you're stuck at any point just reply and I'll try and help out as best I can. I will tell you now that virus scanning and protection is not the best way to go about removing malware. It's clear that already antivirus has failed. This is usually the case when a reasonably solid variant of malware reaches a host computer. I'm hoping a virus scan is sufficient but if not you may have to resort to more drastic methods.
      My Computer


  5. Posts : 151
    Windows 10 Home, 64-Bit
    Thread Starter
       #5

    supermammalego said:
    Can you upload the .iso to VirusTotal? You'll get a far more comprehensive assessment of what the malware is on there. Individual security software tends to slightly differentiate their names for these things, but after the scan you'll be able to see what every known scanner calls this particular threat once it is found. When it has finished uploading, if you can upload the screenshot here that will help in determining what to do next. It also helps you determine whether it is a false positive or whether it could potentially be a real threat and your computer may have been compromised.
    Okay, I will try this. Thank you a lot for your detail and care.

    - - - Updated - - -

    [Attached screenshot of the VirusTotal results: Trojan:Win32/Occamy.AA-vt.png]
      My Computer


  6. Posts : 161
    Windows 10
       #6

    There really isn't any need in hiding any text on these pages. In fact, by hiding the URL you are preventing other people from being able to access the scan results in real time, which is actually what VirusTotal is there for - so you can visit the scan results, and so the community can share information. VT, or VirusTotal, is probably the most used online virus scanner on the internet and much of the information gathered from it goes to antivirus companies, researchers and experts in the field who then try and make these security products better. And so you have nothing to worry about in sharing this screenshot. It's an open community where everyone shares their scan results all the time.

    Can you share the link of the scan?

    As for the results, I don't think at this point you have much to worry about. 4 detections either means the malware is very new and therefore potentially very threatening, or it's a false positive and the behaviour is being picked up as malicious. A lot of actions can be considered malicious. Copying documents from one folder to another could be considered malicious if your antivirus believes the intentions behind the copying are to encrypt and hold your files to ransom. Certain files can be considered malicious, especially files which are often used in pirating software such as cracks, keygens etc. From the scan it seems like the malicious flag is being triggered by heuristic scanning, which works a little differently to old-fashioned signature-based detection in that it attempts to model behaviour and then determine whether it might be malicious. Lots of malware uses typical patterns of behaviour, and when antivirus picks this up it often can say with a high degree of confidence that it is malware. That being said, this is an image file and malware is often found in all sorts of image files, especially .bin files. Antivirus often struggles to detect malware in image files in comparison to executables.

    If you want to be safe you could rollback to prior to downloading and running whatever it is you ran. You could also see for yourself whether the trojan has gained persistence by running Autoruns by Sysinternals, preferably in Safe Mode with Networking. You can download it here: https://docs.microsoft.com/en-us/sys...loads/autoruns

    If you're unsure what you're looking at, if you could screenshot the program once it has populated all fields, it might be possible to highlight particular files which could potentially be malicious.
      My Computer
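Posts #4 and #6 both recommend walking the autostart locations with Autoruns and looking for entries that are unsigned or point at unexpected files. The following PowerShell script is an added example (it is not from this thread, not part of Autoruns, and not a replacement for it): it reads only a small subset of what Autoruns covers (the Run/RunOnce keys for the machine and the current user, installed services, and scheduled tasks), resolves each entry to its executable, checks whether that file exists and carries a valid Authenticode signature, and lists only the rows worth a second look. The list of registry keys and the flagging rule (missing binary or anything not reported as `Valid`) are assumptions for this example. It makes no changes to the system; run it from an elevated PowerShell prompt, preferably in Safe Mode with Networking as the thread suggests.

```powershell
# Added example, not code from the thread: read-only enumeration of common
# Windows autostart locations, flagging entries whose binary is missing or
# is not validly Authenticode-signed. Covers far less than Autoruns does.

# Assumed list of autostart keys to inspect (a subset of what Autoruns reads).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable out of a command line such as
#   "C:\Program Files\Foo\foo.exe" /background   or   C:\foo\bar.exe -x
function Get-ExecutablePath {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $null
    }
    # Unquoted: take everything up to the first ".exe" (paths may contain spaces)
    $m = [regex]::Match($cmd, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

# Build one report row: does the binary exist, and who signed it?
function Test-Entry {
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $exe = Get-ExecutablePath $CommandLine
    # Bare names like "cmd.exe" are resolved through PATH, as the loader would
    if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
        $resolved = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
                    Select-Object -First 1
        if ($resolved) { $exe = $resolved.Source }
    }
    $row = [pscustomobject]@{
        Source = $Source; Name = $Name; Path = $exe
        Exists = $false;  Signed = 'Unknown'; Signer = ''
    }
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $row.Exists = $true
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        $row.Signed = $sig.Status.ToString()      # Valid, NotSigned, HashMismatch, ...
        if ($sig.SignerCertificate) { $row.Signer = $sig.SignerCertificate.Subject }
    }
    return $row
}

$findings = @()

# 1. Run / RunOnce registry values
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $findings += Test-Entry -Source $key -Name $p.Name -CommandLine ([string]$p.Value)
    }
}

# 2. Services (PathName is the service's ImagePath command line)
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $findings += Test-Entry -Source 'Service' -Name $svc.Name -CommandLine $svc.PathName
}

# 3. Scheduled tasks that execute a program
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            $findings += Test-Entry -Source "Task $($task.TaskPath)" -Name $task.TaskName `
                                    -CommandLine $action.Execute
        }
    }
}

# Report only what deserves attention: a missing binary (a stale or deliberately
# hidden entry) or anything whose signature is not Valid. Most legitimate rows are
# signed by Microsoft or the vendor; an unsigned binary under a user profile or a
# Temp folder is the kind of row the thread suggests looking at first.
$suspicious = $findings | Where-Object { -not $_.Exists -or $_.Signed -ne 'Valid' }
$suspicious | Sort-Object Source, Name | Format-Table -AutoSize Source, Name, Signed, Signer, Path
```

Being unsigned is a reason to look closer, not proof of anything: plenty of legitimate utilities ship unsigned, and a signed binary can still be launched with malicious arguments, which is why the script prints the full path rather than a verdict. Autoruns additionally covers Winlogon, drivers, shell extensions, WMI subscriptions and many other locations, so treat this as a quick first pass and the Autoruns view as the fuller picture.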


  7. Posts : 151
    Windows 10 Home, 64-Bit
    Thread Starter
       #7

    What did the Status: Failed literally mean? Does it mean that the malware failed to work, or that Windows Defender failed to deal with it?

    I did a full drive scan with Malwarebytes and there was no relevant malware found.

    - - - Updated - - -

    If I do a system restore to a point before I installed what was on that .iso, it will likely remove any virus that came from that .iso?

    And doing a system restore will not delete any of my files that I have made/modified since that restore point.. right? Only new programs that I installed or uninstalled?

    - - - Updated - - -

    So I did a system restore. That is not supposed to affect files, however some files that I had deleted before have resurfaced.

    And some folders have sort of resurfaced partially... difficult to explain.

    Is this possibly the working of a virus?
      My Computer


  8. KCR
    Posts : 346
    Windows 10 Home, 64-bit, Version 21H2 (OS Build 19044.1706)
       #8

    Sweetsweetcorn... have you ever tried this scan?


    [Attached screenshot: Trojan:Win32/Occamy.AA-image.png]
      My Computers


  9. Posts : 151
    Windows 10 Home, 64-Bit
    Thread Starter
       #9

    KCR said:
    Sweetsweetcorn... have you ever tried this scan?


    [Attached screenshot: Trojan:Win32/Occamy.AA-image.png]
    Not sure, but I have been meaning to many times.

    I will do one today. Thanks
      My Computer


  10. Posts : 1,244
    Windows 10 Pro x64 21H2 (Build: 19044.1415)
       #10

    If the system has been compromised, the only way to return trust is to reformat the hard drive and do a clean reload of the operating system.

    The only way to absolutely, positively clean a machine from a virus is to completely reformat the machine and reinstall the operating system, updates, applications and data from scratch.
    My computer's infected with a virus, how do I clean it up?
      My Computer


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
Windows 10 Forums