Rechercher dans l’assistance

Évitez les escroqueries à l’assistance. Nous ne vous demanderons jamais d’appeler ou d’envoyer un SMS à un numéro de téléphone ou de partager des informations personnelles. Veuillez signaler toute activité suspecte en utilisant l’option « Signaler un abus ».

En savoir plus

TrojanDownloader nemucod.YW infected INBOX and reoccurs at reboot

  • 5 réponses
  • 3 ont ce problème
  • 3 vues
  • Dernière réponse par Matt

more options

For about a week I have been getting reports from eSet smart security that one of my Thunderbird accounts INBOX is infected with JS/TrojanDownloader.nemucod.yw.trojan plus 8 other "multiple threats". eSet shows these have been quarantined, but they recur with evey reboot. Several other scanner tools (Kaspersky, Malwarebytes, Sophos) show no infection. Is there a method to really find an infection in INBOX and remove it?

For about a week I have been getting reports from eSet smart security that one of my Thunderbird accounts INBOX is infected with JS/TrojanDownloader.nemucod.yw.trojan plus 8 other "multiple threats". eSet shows these have been quarantined, but they recur with evey reboot. Several other scanner tools (Kaspersky, Malwarebytes, Sophos) show no infection. Is there a method to really find an infection in INBOX and remove it?

Toutes les réponses (5)

more options

Is there any real need is perhaps a more pertinent question. Regardless of the potential threat, those Trojans etc and totally inert.

Right click the inbox, select compact and see if that ends the issue.

more options

(1) Compacting did not help. (2) Trojans are not all inert, many make and maintain connections that actively download other malware. (3) recent nemucod variants carry disk encrypting ransonware, and this variant is known to do that. We have not been hit with that but as long as it resides inside a Thunderbird INBOX the potential is there.

more options

<insert all of mhgoodrich's comments>

1) Also look to see if any particular sender(s) is/are sending these messages carrying the trojan(s).

2) if #1 provides such info as sender or a particular mail service is seen to be trending, Consider not only letting tbird /eset teams and other virus detection teams know this info so them may possibly update their lists of bad actors.

more options

We have an open support case with eSet also.

The report from the antivirus only identifies that the Thunderbird INBOX is infected, not granular to a specific email or sender.

more options

mhgoodrich said

(2) Trojans are not all inert, many make and maintain connections that actively download other malware.

Utter rubbish. It is this sort of fear mongering that the anti virus community is guilty of. You can not have an active Trojan or any other executable program in a Thunderbird inbox. It is a text fie that contains text. Open it in notepad and have a look if you doubt me.

What you can have are mime encoded text version of the executable code that can be decoded by Thunderbird into a binary object and will appear in the display of the mail as an attachment. Still totally inert. and the actual decoding into a binary object occurs when you choose to open the attachment.

The attachment can be opened, but first it is written to the temp folder. If EsET is as good as they claim (which I doubt following some recent public tests) then their real time protection will prevent the launch of the program.

As Thunderbird does not allow scripting in it's emails, there is no vector to execute the trojan from a remote location upon opening the mail. The only risk is in remote images and that is remote and turned OFF by default in Thunderbird for that reason.

(3) recent nemucod variants carry disk encrypting ransonware, and this variant is known to do that. We have not been hit with that but as long as it resides inside a Thunderbird INBOX the potential is there.

What concerns we is that the mail with the infected attachment was not deleted by the recipient upon receipt. Why would you keep an email that has an unidentified attachment. The answer of course is you think it is something valuable to you I suppose.

I think the support ticket you need to take away is the need to kee a clean inbox. If you only had 3 emails, working out which was a problem would be simply. See http://kb.mozillazine.org/Keep_it_working_(Thunderbird)