File in root photo.scr

Nick_66 · February 10, 2017, 4:16pm

Hi all,

I hope to get some answers from some WD MyCloud users for the following issue I am having on my MyCloud EX2 Ultra.

In the root there is a file named photo.scr. When I scan it with Avast it seems to be a virus. When I delete it, it keeps coming back. I don’t trust it.

I already have installed Anti-Virus Essentails on my NAS but this Antivirus programm doesn’t detect it as a virus.

Would appreciate the help!

ADAM_81 · February 10, 2017, 10:50pm

Hi Nick,

I also have the same issue as you photo.scr virus Trojan found on mycloud… keeps on coming back everytime i scan it and delete. If you have a solution already please share.

My only solution I can think of is reformat the entire MyCloud and start fresh but i doubt it will stop that trojan from coming back.

THanks
ADam

Nick_66 · February 11, 2017, 12:56pm

Hi Adam,

I am sorry, but I don’t have a solution for this problem. Strange that you also have the same issue I’m having. Have you already contacted WD about this? I’ve read that the support of WD is terrible.

Find it also odd that there is almost nothing to find about this.

thexchange · February 12, 2017, 3:34am

When you say root, what exactly do you mean? As in… the root of the entire system in SSH, or just the visible root of your hard drives or folders? Was it found in the Public folder, for example?

This was in the news some few months ago, and you are correct: it could be malware. You could do a search in Google for the PCWorld article, on cryptomining malware in Seagate NAS. Your EX2 should not be having the same problems but, and I’m speculating here, it is possible your ftp or other online accounts may have been compromised because of weak passwords. What does Avast identify the file as? You could probably check with Avast for help too. PS: the Antivirus Essentials app has never been helpful, it just hangs on my NAS, lol.

Removal might be possible if the infection is found on the hard drives themselves. The infected file would probably be hidden somewhere in the Nas_Progs folder and executed on every reboot with a startup script, I think. You could try removing all third party apps and their folders first, to minimize the areas where the malware could hide, or only as a last resort, you could do a full format of the drives + a fresh firmware update, just to be safe. However, if the attacker has your SSH login, then the malware could be hidden elsewhere.

It is also possible that your own computer might be infected, and it could be uploading the file automatically to your NAS each time you connect to it, so please do a check on your system too. Check the timestamp to see when the file was created, modified, etc… which would give you clues as to when it gets replaced on your hard drive, perhaps after a reboot etc. Meanwhile, try to delete the file and lock down all external internet access for the time being… no SSH, no FTP, no MyCloud… change your passwords, adjust the port forwarding settings on your router, and see if the problem still occurs. If all else fails, try contacting support again or get a knowledgeable friend to help.

Nick_66 · February 17, 2017, 8:59pm

I the visible root of the hard drives.

I have disabled ftp on my NAS and the file photo.scr did not appear anymore. Changed all the passwords for all users to be sure.

If my NAS is so vulnerable through a ftp connection, does it mean that I could better disable ftp?

KVH · June 13, 2021, 10:58am

Hi, this is the only (old) tread I can find on this subject. I still have this issue with my EX2ultra (OS5) nowadays.
The files do not seem to hurt me and only appearing on my ‘public’ folder but I cannot find a solution to prevent this and the files keep coming back. I need FTP / port forwarding activated on my NAS.
Anyone a solution or tip on this?

Joerg70 · October 29, 2022, 4:37am

Hi @KVH ,
I have the same issue.
Did you find a solution how to identify from which process the files are placed on the hard drive?

Regards,
Joerg

KVH · October 29, 2022, 10:05am

Hi Joerg, nowadays I get the file ‘info.zip’ in my public folders. no idea where they come from but I remove them manually or by a virus scanner. It is very annoying and no real solution is available yet. It does seem a security issue that should be handled by WD

KVH · October 29, 2022, 11:08am

well, yes they come from the FTP side, but I need FTP to upload files.
the thing is that they only appear in the ‘public’ folder. Obviously FTP is not safe enough in general or on the WD device.