OpenOffice's evil twin
November 24, 2011 3:41 PM

What the heck is, and did this download damage my friend's computer?

My friend just decided to switch to OpenOffice on his Windows 7 laptop. He searched for OpenOffice, and found the website, which I won't link to, but if you go there, it appears to be the home of the OpenOffice project. He downloaded the program, and installed it. It asked him to install various odd things along the way, like the Bing toolbar, and something like "jackpot rewards", but he declined to install those extra things - it did claim to be installing OpenOffice, though.

When it finished, and OpenOffice didn't appear to be in fact installed on his computer, he asked me for help, at which point I informed him that the home of the actual OpenOffice project was, not The website appears to be an elaborate deception, designed convincingly to imitate the project. There is no record of anything installed today in the "Programs" part of the Control Panel, and nothing appears to be different about his computer.

Question Part 1: What the heck did my friend put on his computer? Was it some kind of malware? What kind? Is there any way to tell what was installed, remove it, or limit the damage?

Question Part 2: Assuming it is malware, is there some way to get that website taken down? The whole website seems so brazenly fraudulent, it seems like someone should be able to do something about it. Who? How?

posted by Salvor Hardin to Computers & Internet (9 answers total) 2 users marked this as a favorite

(from here at least) appears to have download links that go to

(That's the download link for the Windows installer from

So unless there's something I'm missing, it appears to be legit from here.
posted by jferg at 4:10 PM on November 24, 2011

Doing a quick google gave me this which shows people having the same issue (installing Bing toolbar etc), and also after installation not being able to connect to internet (but Linux LiveCD working fine) and other issues.

I would recommend at least a full malware/virus scan with a Linux LiveCD/USB, and pending any issues a rebuild.
posted by Admira at 4:43 PM on November 24, 2011

A Google search for open office fm gives me as a result. The download link on that page is not an official link. If that's where he clicked through to, that's what he got.
posted by WasabiFlux at 4:56 PM on November 24, 2011

It's time to assume that the machine is totally compromised. Go here and follow the instructions.
posted by Chocolate Pickle at 6:13 PM on November 24, 2011

Response by poster: Ok - thanks for the advice. It's painful to go through the trouble of wiping (or trying to disinfect) the computer when it appears fully functional, but I guess it could be gathering and sending personal data to persons unknown, right?
posted by Salvor Hardin at 6:20 PM on November 24, 2011

A lot of malware exists for purposes of hijacking your computer for nefarious purposes, and hides itself and doesn't do anything to cause problems for the owner. In other words, it's there so someone else can use your computer, not so they can fuck you over or spy on you.

For instance, your friend's computer may now be part of a botnet, and could in future be used for spamming or as part of a DDOS.

It could be that the computer isn't compromised. But the way to find that out is by running AntiMalware, and Microsoft Security Essentials, and so on, as described on Deezil's web page. And the computer should be treated as untrustworthy until then.
posted by Chocolate Pickle at 6:53 PM on November 24, 2011

Do you have the original install file still? Does its checksum match that listed at this page: ?
posted by pharm at 2:29 AM on November 25, 2011

Having clicked on the download link & looked at the actual URL being downloaded, it does appear to be from an official openoffice mirror site and the md5sums match. A badware site might only serve a trojan horse file to some visitors of course.

Perhaps it's someone's web design demo?
posted by pharm at 2:34 AM on November 25, 2011

The quickest thing would probably be to run an md5 against whatever the person downloaded, if it's still around.
posted by rhizome at 12:47 PM on November 25, 2011
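
The checksum comparison suggested in the answers above, as an added example that is not part of the original thread: it hashes the installer file that was actually run (not a fresh download, since a site may serve different files to different visitors) and looks it up in an md5sum-style list taken from the official project site. The file name, the list format and the sample data are assumptions made for illustration; pass `algo="sha256"` where the project publishes that instead.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algo="md5", chunk_size=1 << 20):
    """Hash the file in chunks so a large installer is never fully loaded into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_list(text):
    """Parse md5sum-style lines ('<hex>  name' or '<hex> *name') into {name: hex}."""
    published = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line
        digest, name = parts
        published[os.path.basename(name.lstrip("*"))] = digest.lower()
    return published


def verify_download(path, checksum_text, algo="md5"):
    """Return 'match', 'mismatch', or 'not-listed' for the file at path."""
    expected = parse_checksum_list(checksum_text).get(os.path.basename(path))
    if expected is None:
        return "not-listed"  # file name unknown to the official list: itself suspicious
    actual = file_digest(path, algo)
    return "match" if hmac.compare_digest(actual, expected) else "mismatch"


def demo():
    """Constructed sample: a stand-in 'installer' and a checksum list built from it."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "installer_sample.exe")  # hypothetical file name
    with open(path, "wb") as f:
        f.write(b"constructed stand-in for the genuine installer")
    listing = f"{file_digest(path)} *installer_sample.exe\n"
    genuine = verify_download(path, listing)
    with open(path, "ab") as f:
        f.write(b"appended bytes, as a repackaged bundle would have")
    return genuine, verify_download(path, listing)


if __name__ == "__main__":
    print(demo())  # ('match', 'mismatch')
```

A "not-listed" result means the official list has no entry under that file name, which is what a repackaged bundle with its own name would produce.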
