What precautions to take after a trojan Win32/Occamy.C infection

First of all I applaud this:

I nuked the Windows installation by formatting the disks.

Most people will try to wiggle their way out of it. And of course even this method isn't 100% secure, given bootkits and UEFI-based malware. But it's the best thing you can do. Although it's even better to have a recent backup handy from before you knew the machine was compromised 😉.

Next would be a question back at you: did you start the program elevated? The possible attack surface is much more limited if you didn't, as long as we ignore the possibility of vulnerable software on your system which might have allowed for privilege escalation.

If you did not run it elevated, there is a good chance that for some of the items below the risk is vastly lower than I assumed (because: assume the worst).

Right now what I would like to know is to what extent I should be concerned about my passwords being leaked, because I don't know if these are stored safely on the computer when the computer is compromised.

Unless you or someone you trust goes the extra mile of performing a comprehensive (not necessarily exhaustive) manual analysis on the sample in question, assume the worst.

The Windows account password

There are potentially ways of getting to the hash of it. But it would be a rather involved attack. Still: change it.

  • Various game store passwords (e.g. Steam, Origin, Uplay, Epic Games, GOG)
  • Some (unimportant) passwords stored inside Chrome Wallet
  • The Chrome/Google password

I am not sure for all of them, but most of those seem to use the Windows credential manager (never heard of Chrome Wallet, but I avoid the Chrome browser). Last time I checked, Chrome used the Windows credential manager on Windows. So yes, they could potentially be extracted as long as you are logged on as yourself and the malware gets to run as your user. Under the hood it uses the DPAPI or its newer cousin DPAPI-NG.

Again: assume the worst, change them.

Notice that I didn't type any password between the moment I got infected and the moment I turned off the PC.

Typing the password would only make a difference if there was some sort of key logger (or clipboard sniffer, if we take the clipboard also into account).

(Also, I have double-step verification enabled whenever it is supported.)

But - and that's a very crucial point - have you also used different credentials for different services? Because it won't help you to have MFA on one service, if you reused the password on another service which doesn't even offer MFA.

However, some of these apps remember the account and automatically authenticate at login.

Commonly it would be done through the DPAPI/DPAPI-NG, unless the application implements its own scheme.
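To make the point above concrete (stored credentials reachable by anything running as your user, and apps that auto-authenticate at login relying on the same mechanism), here is an added PowerShell example that is not part of the answer above. It round-trips a constructed, clearly fake token through DPAPI using the .NET ProtectedData class on Windows (Windows PowerShell 5.1 or PowerShell 7 on Windows assumed). The function names and sample strings are mine. It shows that a CurrentUser-scope blob decrypts for any code in that user's session without ever needing the password, and that application-supplied entropy only helps when the app does not store the entropy next to the blob.

```powershell
# Added example (not from the answer above). Assumes Windows with .NET DPAPI.
# Windows PowerShell 5.1 needs the assembly loaded; PowerShell 7 on Windows
# already has the type, so a failure here is ignored.
try { Add-Type -AssemblyName System.Security -ErrorAction Stop } catch { }

function Protect-WithDpapi {
    param(
        [Parameter(Mandatory)][string]$PlainText,
        [byte[]]$Entropy = $null,   # optional app-specific secret (hypothetical helper parameter)
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $Entropy, $Scope)
    return [Convert]::ToBase64String($blob)
}

function Unprotect-WithDpapi {
    param(
        [Parameter(Mandatory)][string]$Base64Blob,
        [byte[]]$Entropy = $null,
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    try {
        $blob  = [Convert]::FromBase64String($Base64Blob)
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $Scope)
        return [System.Text.Encoding]::UTF8.GetString($bytes)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Wrong user (CurrentUser scope), wrong machine, or wrong entropy all end up here.
        return $null
    }
}

# Constructed sample standing in for a session token an app might persist on disk.
$token = 'session-token-EXAMPLE-not-real'

# 1. No extra entropy: the common case. The blob is opaque on disk, yet anything
#    running in the same user session recovers it without a password prompt.
$blobPlain = Protect-WithDpapi -PlainText $token
"Blob (opaque, bound to this user): $blobPlain"
"Recovered in the same user context: $(Unprotect-WithDpapi -Base64Blob $blobPlain)"

# 2. With application-supplied entropy: recovery additionally needs that value.
#    This raises the bar only if the entropy is not stored right beside the blob.
$entropy     = [System.Text.Encoding]::UTF8.GetBytes('app-specific-entropy-EXAMPLE')
$blobEntropy = Protect-WithDpapi -PlainText $token -Entropy $entropy
$withoutEntropy = Unprotect-WithDpapi -Base64Blob $blobEntropy
"Recovered without entropy: $(if ($null -eq $withoutEntropy) { 'failed, as expected' } else { 'unexpected' })"
"Recovered with entropy:    $(Unprotect-WithDpapi -Base64Blob $blobEntropy -Entropy $entropy)"
```

Run it as the logged-on user; the first recovery succeeds because DPAPI keys off the user's logon credential, not the calling program. That is exactly why "change them" is the right answer once untrusted code has run under your account: DPAPI protects data at rest against other users and offline disk access, not against your own session.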

Q: Should I change all the passwords?

Just like you nuked your disks, you know the answer to this one already. Yes.

Q: To what extent should I be concerned about Chrome history being leaked?

Realistically I don't think it was. But yet again: assume the worst.


There was a comment on your question:

I wouldn't take my word for it, but if it's some dodgy crack for a game, the fact that half the results show different 'positives' & the other half show it as clean makes it something in the code that shares similarities with known viruses, but probably isn't one. Lots of cracks show up like that. Though, as I said, it's not absolute proof either way.

This is a fair point. But given you are even worried about your Chrome history, I'd say this is a chance you don't want to take here.

And one other point that should not be forgotten is that there are tons of cracks out there that contain more than you bargained for when you downloaded them. That is: some will contain actual malware in addition to the purported crack (if you're lucky). A classic example of where the trojan horse classification originates.


Generally "infection" and "virus" are the wrong terminology in conjunction with a trojan horse type malware. I know oftentimes laypeople will conflate all malware types as "virus", probably owing to the fact that AV (antivirus) products mostly call themselves that and rarely anti-malware.

It should also be added that despite several initiatives the anti-malware industry has not managed to come up with a unified naming scheme. Even the malware categorization isn't unified (virus, worm, trojan horse - often shortened to "trojan" - or PUA etc.). The only thing detection names generally are useful for these days is to see which AV engine runs under the hood of a product, if you're lucky.

However, there does not appear to be a consensus on how this trojan operates.

Having worked in the industry for ~15 years, I would never even trust the categorization as trojan horse in the first place. For malware there's no "hope for the best, but prepare for the worst". For malware the motto is always: "assume the worst, until proven otherwise".

The sheer amount of malware influx these days makes it nigh impossible to analyze all but a fraction of them closely. And "more closely" probably doesn't even mean manual analysis, but just some more advanced tooling than the "cheap stuff".

Oftentimes the industry uses sandboxed environments for some automated or semi-automated initial analysis. The initial assessment by the sandbox will generally provide some value which will be used as weighted input for the overall assessment. And then there will probably be some scanning with other vendors' scanners (yes, there is an exchange of tools and samples among some) either directly on-prem or by turning to the paid services of VirusTotal (who will also share samples across the industry). Out of that we will again get a value which may be weighted by AV vendor, for example. There will potentially be more steps, even including manual inspection of the sample. However, only really interesting samples will receive an extensive manual analysis, because it's a tedious and time-consuming process.

Different vendors will probably perform these steps in some given order which may diverge from the one I gave above. At any one step the threshold to call something potentially unwanted (PUA, hacktool ...) or outright malicious may be reached and the sample will be taken into detection. Often it will then be attempted to cluster it with known samples, based on the statically (i.e. without running it) observable traits and those traits observed during the sandbox run.

Few samples receive full manual analysis. Most of the time this will be done for samples that use interesting/new techniques or were received from high profile cases (e.g. journalist or government machine got infected). And even this sort of analysis will often not be comprehensive but focus on the obviously interesting parts.

This should also explain why - when looking the names up - you usually get a generic description with generic advice at best. All the "cool" analyzed malware will already have been featured on some blog post by the time 😉. And the fact that laypeople surmise that a given example exhibits one or the other behavior should definitely be taken into account by any cautious malware researcher, but it can't be trusted.

Even worse, you state the malware is Win32/Occamy.C while Defender (currently!) reports it as Trojan:Win32/Occamy.CB6. This conflates it with other (possibly unrelated) samples like Trojan:Win32/Occamy.C82. I am looking at the latter and had a superficial look at your sample. Yes, it has some network functionality, but for a cheat program this may even have to do with the target game. But your sample really seems to have nothing to do with mine. For starters, yours carries all indicators of using Simplified Chinese throughout, whereas mine uses English (US) throughout. But mine doubles as a command line program and Windows service used to inject DLLs into other programs with the help of a commercial kernel mode driver, whereas yours is a GUI program. Your sample is more than four times the size of mine. Specifically it seems to be a statically linked MFC program, which even embeds libpng (which implies zlib). So this explains part of the bloat of your sample. No idea how they fit into the same "Occamy" family.

Author by Lara Froner

Updated on September 18, 2022

Comments

  • Lara Froner
    Lara Froner almost 2 years

    Platform Details: Windows 10, 64 bit.

    Infection History. I downloaded this cheat tool for a game. After that, I performed the following sequence of actions:

    • I extracted the software from the package with 7zip and ran the executable once. The UI was not displaying Chinese characters correctly, so I closed the software.
    • I opened Windows 10 settings, added Chinese to the supported languages. Downloaded roughly 100MB of language data, logged out of my account and logged in using the Windows PIN to authenticate.
    • This time around, I used the default Windows 10 package extractor to unzip the software. Using Windows zip triggered Windows Defender to check the extracted files. Windows Defender found that the software contained a trojan called Win32/Occamy.C.
    • Since I had already executed the software at least once, I assumed that I was already infected and that some system files had been compromised. Thus, I immediately disconnected from the internet, and ran a complete check of the file system with Windows Defender. Windows Defender did not find anything else.
    • I turned off the computer, mounted the file system with Linux, copied a couple of files I may need from the Windows installation.
    • I nuked the Windows installation by formatting the disks.

    The Virus. Various online sources claim that the Win32/Occamy.C trojan can do the following things:

    • Notify attacker of the new infection
    • Collect information about computer (usernames, passwords, browser history, etc.) and send it remotely
    • Download and install other malware (e.g. ransomware)
    • Record mouse activity and keystrokes
    • Give remote access to the PC

    However, there does not appear to be a consensus on how this trojan operates.

    I double-checked the downloaded software with VirusTotal, and this is the result.

    Question(s). Right now what I would like to know is to what extent I should be concerned about my passwords being leaked, because I don't know if these are stored safely on the computer when the computer is compromised. In particular:

    • The Windows account password
    • Various game store passwords (e.g. Steam, Origin, Uplay, Epic Games, GOG)
    • Some (unimportant) passwords stored inside Chrome Wallet
    • The Chrome/Google password

    Notice that I didn't type any password between the moment I got infected and the moment I turned off the PC. (Also, I have double-step verification enabled whenever it is supported.) However, some of these apps remember the account and automatically authenticate at login.

    Q: Should I change all the passwords?

    Q: To what extent should I be concerned about Chrome history being leaked?

    • Tetsujin
      Tetsujin about 4 years
      Double-check the file itself on Virustotal. It claims the page itself is clean, but as I can't read any of it, I've no clue what you'd have to click to activate anything - virustotal.com/gui/url/…
    • Lara Froner
      Lara Froner about 4 years
      @Tetsujin Interestingly enough, Chrome on Linux doesn't let me download the software from the website because it detects the malware. It didn't stop it on Windows.
    • Lara Froner
      Lara Froner about 4 years
      @Tetsujin Downloaded with Firefox, it gives this result: virustotal.com/gui/file/…
    • Tetsujin
      Tetsujin about 4 years
      I wouldn't take my word for it, but if it's some dodgy crack for a game, the fact that half the results show different 'positives' & the other half show it as clean makes it something in the code that shares similarities with known viruses, but probably isn't one. Lots of cracks show up like that. Though, as I said, it's not absolute proof either way.
    • Tetsujin
      Tetsujin about 4 years
      If you are in possession of an outbound application-based firewall [idk too much about Windows firewalls], just prevent it from 'phoning home'.
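The last comment suggests an outbound, per-application firewall rule. As an added example that is not part of the thread, here is how that is done with the built-in Windows Defender Firewall from an elevated PowerShell session, with a verification step so you are not trusting that the rule was created as intended. The function name and the program path are mine; the path is a placeholder for the untrusted binary. Note that Windows Defender Firewall allows outbound traffic by default, so an explicit Block rule is needed, and Block takes precedence over Allow rules for the same program.

```powershell
# Added example (not from the thread). Requires an elevated session and the
# NetSecurity module that ships with Windows 8/Server 2012 and later.
function Block-ProgramOutbound {
    param(
        [Parameter(Mandatory)][string]$ProgramPath,
        [string]$RuleName = "Block outbound: $(Split-Path $ProgramPath -Leaf)"
    )
    # Idempotent: do not stack duplicate rules if the function is run twice.
    $existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound `
            -Program $ProgramPath -Action Block -Profile Any -Enabled True | Out-Null
    }
    # Read the rule back, including its application filter, to confirm the
    # direction, action and program path actually match what was requested.
    $rule = Get-NetFirewallRule -DisplayName $RuleName
    $app  = $rule | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Rule      = $rule.DisplayName
        Direction = $rule.Direction   # expect Outbound
        Action    = $rule.Action      # expect Block
        Enabled   = $rule.Enabled     # expect True
        Program   = $app.Program      # expect the path passed in
    }
}

# PLACEHOLDER path: replace with the actual untrusted executable.
Block-ProgramOutbound -ProgramPath 'C:\PLACEHOLDER\untrusted-tool.exe'
```

Two caveats that follow from the answer's "assume the worst" stance: the rule only constrains code that does not already have the rights to remove it (an elevated process can delete firewall rules), and it does nothing about a second-stage payload the tool may already have dropped under another path. It is a containment measure for a file you have not yet run, not a substitute for the rebuild the question author already did.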