Is Thunderbird downloading trojans to \AppData\Local\Temp\nsmail.tmp?

I'm running Thunderbird on Win 8.1, 64 bit, with Windows Defender and EMET. When I get malicious-looking emails (some with attachments) I don't open them, but forward them to us-cert.gov and UCE.GOV reporting email addresses. I am viewing emails in text only mode. I run a virus scan afterwards and a detection has been coming up for trojans in container file C:\Users\<user name>\AppData\Local\Temp\nsmail.tmp, usually with a file extension .scr (as stated in Defender info output). Is an infected file being downloaded to my computer for Thunderbird operations? Is this file benign until opened? I was under the impression that it just forwarded the file from the server. Can anyone advise/explain on this matter? Thank you in advance!

All Replies (4)

more options

I'd expect Thunderbird needs a file on local disk in order to be able to send it as an attachment.

If you want to just forward the file from the server, use webmail.

I doubt *forwarding* any spam or malicious message will do any good. If at all, you should preserve the original headers, i.e. send the original message as an attachment.

more options

Thank you christ1. My idea behind the forward was to give authorities a sampling of the malware they could use for investigation... and also to scrub my email addresses out of the header. I'm wondering if there is any harm in this file location Thunderbird uses... downloading a malicious file like it does without activating it? Do you know? Also, Defender says it is a .scr file... is this a file format that is used by Thunderbird? In the settings I have a check mark next to allowing anti-virus to quarantine incoming messages "before they are stored locally"; I'm wondering why this isn't being caught as it happens, instead of me having to scan the AppData\Local\Temp directory? Sorry about the question bombardment but one last one... Is there a setting I could adjust to prevent the local download of forward attachments unless I okay it? Any input is appreciated - thanks.

more options

Chosen Solution

SCR files are Windows screen savers. They are executable files and run and are treated by Windows exactly the same as a .EXE file.

The only risk they represent to you is if you actually run the attachment (Thunderbird can not do it alone).

The file location is where emails are assembled into an email to be sent. The same location and file name is used for every mail.

There is no point sending this stuff to the US government or anyone else, unless they specifically ask for it. I am sure you have heard of the massive data capture the NSA are doing. They probably already have your email, but more to the point, government and cyber security firms like Symantec, Kaspersky Labs, ESET and the more black hat folk are all skimming the data traveling around the internet. That is how they appear to be able to issue a virus definition before you get a sample.
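To see why a scanner reports nsmail.tmp as a "container file" with a .scr inside, the following added example (not part of the original answer) parses an assembled outgoing message and lists which attachments Windows would treat as programs. It assumes nsmail.tmp is a standard MIME message; the function names and the sample message are constructed for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows launches as programs; .scr is handled like .exe.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def build_sample_container() -> bytes:
    """Constructed stand-in for nsmail.tmp: an outgoing forward with two attachments."""
    msg = EmailMessage()
    msg["From"] = "user@example.com"
    msg["To"] = "reports@example.org"
    msg["Subject"] = "Fwd: invoice"
    msg.set_content("Forwarding a suspicious message.")
    # Only the two-byte "MZ" magic plus padding: inert bytes, not a program.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="invoice.scr")
    msg.add_attachment("plain notes\n", filename="notes.txt")
    return msg.as_bytes()


def scan_container(raw: bytes) -> list:
    """List attachments inside a MIME container and flag Windows executables."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # message body or multipart wrapper, not an attachment
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        findings.append({
            "filename": name,
            "executable_ext": ext in EXECUTABLE_EXTS,
            "mz_header": payload[:2] == b"MZ",  # DOS/PE executable magic
            "size": len(payload),
        })
    return findings


if __name__ == "__main__":
    for f in scan_container(build_sample_container()):
        print(f)
```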

more options

Thanks Matt;

What I was wondering was if the file needed to be activated to be damaging. I'll still scan this directory, although I don't know why my virus scanner isn't picking it up when Thunderbird downloads to this directory.

Hey, remember the days ('90s) when the Internet was a nice benign place to be? Nowadays the Internet is looking like a dark back alley somewhere, or something out of a horrific science fiction movie. Always have to be vigilant.

Thanks! Have a good weekend!