File in root photo.scr

Hi all,

I hope to get some answers from some WD MyCloud users for the following issue I am having on my MyCloud EX2 Ultra.

In the root there is a file named photo.scr. When I scan it with Avast it seems to be a virus. When I delete it, it keeps coming back. I don’t trust it.

I already have installed Anti-Virus Essentails on my NAS but this Antivirus programm doesn’t detect it as a virus.

Would appreciate the help!

Hi Nick,

I also have the same issue as you photo.scr virus Trojan found on mycloud… keeps on coming back everytime i scan it and delete. If you have a solution already please share.

My only solution I can think of is reformat the entire MyCloud and start fresh but i doubt it will stop that trojan from coming back.

THanks
ADam

Hi Adam,

I am sorry, but I don’t have a solution for this problem. Strange that you also have the same issue I’m having. Have you already contacted WD about this? I’ve read that the support of WD is terrible.

Find it also odd that there is almost nothing to find about this.

When you say root, what exactly do you mean? As in… the root of the entire system in SSH, or just the visible root of your hard drives or folders? Was it found in the Public folder, for example?

This was in the news some few months ago, and you are correct: it could be malware. You could do a search in Google for the PCWorld article, on cryptomining malware in Seagate NAS. Your EX2 should not be having the same problems but, and I’m speculating here, it is possible your ftp or other online accounts may have been compromised because of weak passwords. What does Avast identify the file as? You could probably check with Avast for help too. PS: the Antivirus Essentials app has never been helpful, it just hangs on my NAS, lol.

Removal might be possible if the infection is found on the hard drives themselves. The infected file would probably be hidden somewhere in the Nas_Progs folder and executed on every reboot with a startup script, I think. You could try removing all third party apps and their folders first, to minimize the areas where the malware could hide, or only as a last resort, you could do a full format of the drives + a fresh firmware update, just to be safe. However, if the attacker has your SSH login, then the malware could be hidden elsewhere.

It is also possible that your own computer might be infected, and it could be uploading the file automatically to your NAS each time you connect to it, so please do a check on your system too. Check the timestamp to see when the file was created, modified, etc… which would give you clues as to when it gets replaced on your hard drive, perhaps after a reboot etc. Meanwhile, try to delete the file and lock down all external internet access for the time being… no SSH, no FTP, no MyCloud… change your passwords, adjust the port forwarding settings on your router, and see if the problem still occurs. If all else fails, try contacting support again or get a knowledgeable friend to help.

I the visible root of the hard drives.

I have disabled ftp on my NAS and the file photo.scr did not appear anymore. Changed all the passwords for all users to be sure.

If my NAS is so vulnerable through a ftp connection, does it mean that I could better disable ftp?