I have a new Windows 11 computer and I have been using Thunderbird on previous computers for more years than I care to admit, pretty much since its inception.
Yesterday I received an expected email with several PDF files attached. One by one I opened them and printed the files, then at a certain point I had Windows Defender pop up a warning for a Trojan "Wacatac". In quick succession after that it popped up more warnings for "Wacatac" and "Oneeva".
I immediately closed Thunderbird and ran Defender to remove the threats, which it seemed to do and then gave a clear scan.
Following this I opened Thunderbird again and if I tried to open nearly any attachment the system started working very hard and Thunderbird gave a "Not responding" message. Also at one point I noted that Thunderbird reported that it was downloading messages even though there were no new messages.
At this time I started to get a huge number of warning messages with more malware than I bothered to record, but I noticed a downloader and various advertising or redirection malware.
I then detached all of the PDF files in the suspect email and scanned them separately - they did not result in any infection. I then deleted the email in question. My assumption was that the files themselves were downloaded directly from the server and that perhaps the infected file was somehow concealed.
I noted that all of the infected files reported by Defender were in a profile inbox folder for my IMAP server. This is normally a hidden folder so I had to turn on viewing of hidden files and folders in Windows Explorer. I reasoned that since I was using IMAP and hoped that the files on my email server were not infected (except the mail that I had deleted) I could safely delete the entire inbox folder and let Thunderbird re-build it the next time I used it.
For precaution I also downloaded and installed the latest version of Thunderbird over my existing installation.
All this was a bit intuitive as I had no idea how or if it would work.
I am pleased to say that the combination of deleting the suspected infected mail, deleting the IMAP inbox folder, and reinstalling TB over the existing installation seems to have resolved the problem. When I restarted Thunderbird it re-created the profile folder that I had deleted and I was able to open various attachments without encountering the problem. Logically it seems that I may have been correct that the Trojan was hidden amongst the attachments in the suspect email and I have reported it to the sender.
I will now have to be very careful of any signs that I may have had theft of passwords. Fortunately most important sites use 2 step security. I really don't want to have to find and change all my passwords :(
Any comments would be gratefully accepted, though I do seem to have resolved the problem myself.
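
An added example, not part of the original post: by default Thunderbird caches each IMAP folder as one mbox-format file in the profile, so a single flagged attachment produces detections on the whole folder file. The sketch below lists every attachment in a copy of such a file with its SHA-256 and flags files named `.pdf` whose content does not start with the PDF signature; the function names and the sample messages are constructed for illustration.

```python
import hashlib
import mailbox
from email.message import EmailMessage

def inventory_attachments(mbox_path):
    """Return one record per attachment in the mbox file at mbox_path."""
    records = []
    box = mailbox.mbox(mbox_path, create=False)
    try:
        for _key, msg in box.iteritems():
            for part in msg.walk():
                name = part.get_filename()
                if not name:
                    continue  # body text or multipart container, not an attachment
                data = part.get_payload(decode=True) or b""
                records.append({
                    "subject": str(msg.get("Subject", "")),
                    "sender": str(msg.get("From", "")),
                    "filename": name,
                    "declared_type": part.get_content_type(),
                    "sha256": hashlib.sha256(data).hexdigest(),
                    # A genuine PDF begins with the bytes "%PDF-".
                    "pdf_name_mismatch": name.lower().endswith(".pdf")
                    and not data.startswith(b"%PDF-"),
                })
    finally:
        box.close()
    return records

def build_sample_mbox(path):
    """Write a constructed two-message mbox file for demonstration."""
    samples = [("invoice.pdf", b"%PDF-1.4\n% constructed sample\n"),
               ("statement.pdf", b"constructed bytes that are not a PDF")]
    box = mailbox.mbox(path)
    for filename, data in samples:
        msg = EmailMessage()
        msg["From"] = "sender@example.com"
        msg["Subject"] = "Documents: " + filename
        msg.set_content("See attached.")
        msg.add_attachment(data, maintype="application", subtype="pdf",
                           filename=filename)
        box.add(msg)
    box.flush()
    box.close()

if __name__ == "__main__":
    import os, tempfile
    sample = os.path.join(tempfile.mkdtemp(), "INBOX")
    build_sample_mbox(sample)
    for rec in inventory_attachments(sample):
        print(rec["filename"], rec["sha256"][:16], rec["pdf_name_mismatch"])
```

Run it with Thunderbird closed and against a copy of the folder file; the hashes identify which message carries a flagged attachment without opening any of them.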