Windows Trojan in Time Machine Backup

TheTimp
16th July 2013, 02:54 PM
Hi,

One of my Windows boxes ran a scan of the NAS drive that Time Machine uses to back up my MacBook.

It found two Windows Trojans:

Wimad.CE in ...sparsebundle\bands\3e77
and
Winfixer in ...sparsebundle\bands\3fe2

I am pretty sure these are false positives, but as Cult of Mac was running a special for Intego VirusBarrier etc., I grabbed a copy and scanned the Mac. Of course the scan didn't find anything... but I would still like to examine the actual files that Microsoft thinks are viruses.

Any ideas on how to work out what 3e77 and 3fe2 actually are, or the folder they are located in?

regards
Timp

bennyling
16th July 2013, 05:53 PM
You'd have better luck examining the files via the machine that performed the scan. Interesting that Windows software can look in sparsebundles, though.

TheTimp
18th July 2013, 04:31 PM
Hi,

I can only see the 3e77 from the Windows box - as per screenshot here:

https://www.dropbox.com/s/fcs38dckhsxtdvd/MsSecurityEssentialsScanResult.JPG

glacierdave
18th July 2013, 06:08 PM
There's not really enough information here to know what's really going on.

* What devices can write data to your NAS?

If the list includes Windows computers, and those Windows computers are infected, then they may be attempting to infect files on your NAS in order to spread.

Potentially, any file you attempt to open on an infected computer can itself become infected depending on the virus.

* What do you back up on your Mac?

You might have downloaded a virus infected file on your Mac and that file has been included in your backup. It might not be active, just a potential threat awaiting the chance to live and spread.

* What else do you do on the NAS?

If you're using your NAS to download stuff, and it picks up an infection that can operate within the OS environment of the NAS then it might have nothing to do with any other device accessing your NAS, albeit an infection nonetheless.

Personally, if nothing else accesses your Mac backups (which is already proven not to be the case) I'd be thinking that, at worst, it's just some virus infected file that you downloaded from somewhere but isn't capable of doing any damage until you run it on a Windows computer.

David

TheTimp
19th July 2013, 03:29 PM
Hi David,

I appreciate your reply. I am hoping it's a false positive on behalf of the Windows (7) box.

* What devices can write data to your NAS?
Several Windows Desktops, Laptops, a Windows Server and the Macbook

* What do you back up on your Mac?
Hmm - Time Machine, I assumed, backed up everything..

* What else do you do on the NAS?
Nothing, it is simply an extra backup of files, copied to the NAS periodically. Really important stuff goes to the file server for backups, then those backups are repeated again on the NAS; less important stuff goes direct to the NAS.

All files apart from the Time Machine files are simply copied with FastCopy, TeraCopy or SyncToy.

I did a search on the Mac for the file extension .wma and came up empty; the letters "wma" exist in a few files, like in the X11 directory..

It's just a pity I can't pinpoint the file(s) that MS is detecting as Trojans so I could inspect them closer..

Regards
Timp
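The two posts above ask how to work out what band 3e77 actually holds. A sparsebundle is a disk image cut into fixed-size chunks: the bundle's Info.plist carries a `band-size` value (bytes per band), and each file under `bands/` is named with the hexadecimal index of the chunk it stores, so band N covers image offsets N*band-size to (N+1)*band-size. The script below is an added example, not code from this thread; it reads the real band size from Info.plist, computes the offset range of a named band, and scans that band for a few file signatures (the ASF/WMA header GUID, since Wimad detections target WMA files, plus ZIP and PE markers). The signature table and the `make_sample_bundle` fixture are constructed for the example; mapping the offsets back to an HFS+ file name still needs the image mounted.

```python
"""Locate a sparsebundle band in the backing disk image and look for file signatures in it.

Assumptions (added example): Info.plist has the standard 'band-size' key and
band files are named by hexadecimal band index, as Time Machine bundles are."""
import os
import plistlib
import re
import tempfile

# Constructed signature table: ASF/WMA header GUID, ZIP local file header, PE header marker.
SIGNATURES = {
    "ASF/WMA header": bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C"),
    "ZIP local header": b"PK\x03\x04",
    "PE header marker": b"PE\x00\x00",
}

def band_size(bundle_path):
    """Read the per-band size (bytes) from the bundle's Info.plist."""
    with open(os.path.join(bundle_path, "Info.plist"), "rb") as f:
        return int(plistlib.load(f)["band-size"])

def band_range(bundle_path, band_name):
    """Return (start, end) byte offsets that this band occupies in the disk image."""
    size = band_size(bundle_path)
    index = int(band_name, 16)          # band file names are hex indexes, e.g. '3e77'
    return index * size, (index + 1) * size

def scan_band(bundle_path, band_name):
    """Return sorted (offset_in_image, signature_name) hits found inside the band."""
    start, _ = band_range(bundle_path, band_name)
    with open(os.path.join(bundle_path, "bands", band_name), "rb") as f:
        data = f.read()
    hits = []
    for name, magic in SIGNATURES.items():
        for m in re.finditer(re.escape(magic), data):
            hits.append((start + m.start(), name))
    return sorted(hits)

def make_sample_bundle(root=None, band_name="3e77", size=8 * 1024 * 1024):
    """Constructed fixture: a minimal bundle whose one band holds an ASF header at offset 100."""
    root = root or os.path.join(tempfile.mkdtemp(), "sample.sparsebundle")
    os.makedirs(os.path.join(root, "bands"))
    with open(os.path.join(root, "Info.plist"), "wb") as f:
        plistlib.dump({"band-size": size, "bundle-backingstore-version": 1}, f)
    payload = bytearray(4096)
    payload[100:116] = SIGNATURES["ASF/WMA header"]
    with open(os.path.join(root, "bands", band_name), "wb") as f:
        f.write(payload)
    return root

if __name__ == "__main__":
    bundle = make_sample_bundle()
    print(band_range(bundle, "3e77"), scan_band(bundle, "3e77"))
```

Point it at the real bundle (`scan_band("/Volumes/NAS/MacBook.sparsebundle", "3e77")`) to see which signatures, if any, sit in the flagged band; a hit on the ASF GUID would be consistent with a WMA file that the Windows scanner flagged as Wimad.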