
Is there a way to identify Email infected with Trojan Dropper
Kaspersky found an infection with a Trojan virus. It cleaned it. Multiple "Full Scans" afterwards didn't show any infection. Yet my computer kept sending email - I realized it when I got bounced mail (invalid email addresses) for messages that I never sent. After that I specifically scanned my email folders. Kaspersky found a Trojan Dropper. I deleted that email folder, hoping it might solve the problem. But consecutive scans show there is still some type of infection going on, even though it is not further specified. I'm at a loss what to do. Since I can't get specific information about which email is infected, I probably keep downloading it from my ISP.
Is there any way to narrow down which email it actually is that is infected, so that I don't keep downloading it? I usually leave my email on the ISP's servers so that I can log in from multiple locations and have everything available, which makes it so very difficult to narrow down which email is causing the problem.
All Replies (5)
I would challenge your assumption that your computer is sending the mail that is subsequently bounced.
Take a look at the source of a bounced message. There will be a list of servers in its header, showing how it was handed from one server to another. These headers are added in reverse order, so the last one listed will tell you something about the origin of the message. It is almost always associated with an IP address or domain that has no connection whatsoever with any service that you use.
Folders in Thunderbird are stored as files in your file system. Can Kaspersky not tell you which file it suspects?
AV scanners can produce false positives. I'd submit a suspect file to Virus Total or similar and seek a second opinion.
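To make the header walk described in this reply concrete, here is an added Python example (not part of the original post) that parses the Received headers of a bounce and lists the hops origin first. The sample message is constructed from the bounce headers quoted later in the thread, with their folded continuation lines restored.

```python
import re
from email import message_from_string, policy

# Constructed sample: top of the bounce headers quoted in this thread, folding restored.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from dnvrco-cmimta15 ([107.14.174.244])
\tby cdptpa-fep15.email.rr.com (InterMail vM.8.04.03.24 201-2389-100-172-20151028)
\twith ESMTP id <20180324175521.NYUM15247.cdptpa-fep15.email.rr.com@dnvrco-cmimta15>
\tfor <xxx@roadrunner.com>; Sat, 24 Mar 2018 17:55:21 +0000
Received: from dnvrco-cmomta01.email.rr.com ([107.14.73.225])
\tby esmtp with ESMTP id zgCieP2xBeGTRznL2egDYK; Sat, 24 Mar 2018 17:52:20 +0000
X-TWC-Reporter: 1972e5fcae4922226388e208c894b558
Date: Sat, 24 Mar 2018 17:52:20 +0000

(bounce body omitted)
"""

HOP_RE = re.compile(
    r"from\s+(?P<host>\S+)"                                  # name the sender announced
    r"(?:\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\))?"     # address the receiver saw
    r".*?\bby\s+(?P<by>\S+)",                                # server that wrote the header
    re.DOTALL,
)

def received_hops(raw_message):
    """Return the Received hops in delivery order (origin first, final recipient last)."""
    msg = message_from_string(raw_message, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(str(value).split())        # undo header folding / stray whitespace
        m = HOP_RE.search(value)
        if not m:
            continue                                 # unusual layout: skip rather than guess
        stamp = value.rsplit(";", 1)[1].strip() if ";" in value else ""
        hops.append({"from": m["host"], "ip": m["ip"], "by": m["by"], "date": stamp})
    # Each relay prepends its own header, so the one listed last was written first:
    # reverse to read the route from the originating side forward.
    hops.reverse()
    return hops

def origin(hops):
    """Earliest hop; its 'from'/'ip' is the best clue to where the mail entered the mail system."""
    return hops[0] if hops else None

if __name__ == "__main__":
    for n, hop in enumerate(received_hops(SAMPLE_BOUNCE), 1):
        print(f"{n}. {hop['from']} [{hop['ip']}] -> {hop['by']}  ({hop['date']})")
```

Only the IP in parentheses is recorded by the receiving server; the name after "from" is whatever the sending side announced, so compare the two when judging the origin.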
Top of dirty headers of bounce message:
Return-Path: <>
Received: from dnvrco-cmimta15 ([107.14.174.244]) by cdptpa-fep15.email.rr.com (InterMail vM.8.04.03.24 201-2389-100-172-20151028) with ESMTP id <20180324175521.NYUM15247.cdptpa-fep15.email.rr.com@dnvrco-cmimta15> for <xxx@roadrunner.com>; Sat, 24 Mar 2018 17:55:21 +0000
Received: from dnvrco-cmomta01.email.rr.com ([107.14.73.225]) by esmtp with ESMTP id zgCieP2xBeGTRznL2egDYK; Sat, 24 Mar 2018 17:52:20 +0000
X-TWC-Reporter: 1972e5fcae4922226388e208c894b558
Date: Sat, 24 Mar 2018 17:52:20 +0000
It is my ISP (TWC IP address 107.14.174.244) that identified the message as bouncing. Not much gained there. Also, all servers identified have "rr" in them, which usually is Roadrunner - I have a Roadrunner email address. I edited my own email address to read xxx@roadrunner.com in the copy/paste above. I did already open a ticket with Kaspersky and sent them copies of the scan reports. The folder it identified as containing the problem was the inbox folder, which I deleted 2x already, but it comes back telling me that there is a non-disinfected 'object file'. I'm having a hard time thinking that this could be a false positive after the problems I had and after receiving those bounce messages for 3 days. Before the first deletion it told me exactly the name, Trojan-Dropper.MSWord.Agent.oy; ever since, it only calls it 'object file'.
This is the information it gave me upon originally detecting the Trojan:
24.03.2018 14.15.35 Detected object (file) deleted
C:\Users\xxx\AppData\Roaming\Thunderbird\Profiles\doky5bdl.default\ImapMail\mail.twc.com\INBOX//[From <postmaster@usps.gov>][Date 3 Nov 2016 09:36:07][Subj Undeliverable: sundowner.com pay fax]/message/[From xxx <xxx@roadrunner.com>][Date 3 Nov 2016 14:32:17][Subj sundowner.com pay fax]/billing_fax_144060.doc//form.o.murrion
File: C:\Users\xxx\AppData\Roaming\Thunderbird\Profiles\doky5bdl.default\ImapMail\mail.twc.com\INBOX//[From <postmaster@usps.gov>][Date 3 Nov 2016 09:36:07][Subj Undeliverable: sundowner.com pay fax]/message/[From xxx <xxx@roadrunner.com>][Date 3 Nov 2016 14:32:17][Subj sundowner.com pay fax]/billing_fax_144060.doc//form.o.murrion
Object name: Trojan-Dropper.MSWord.Agent.oy
Object type: Trojan program
Time: 3/24/2018 2:15 PM
I again replaced my name with 'xxx' in the above copy/paste from the Kaspersky report. I'm having difficulties understanding it. I never sent any faxes through this computer. Also look at the date, 2016? I would understand this as a response from the local postmaster to an attempt by me to send a fax from this computer, which I've never done. Also, it would indicate that the postmaster sent the virus to me? Unless I'm completely misreading this. When I looked at www.sundowner.com, it's the website for a motel in Silicon Valley where I've never been.
Thanks for your help.
Pia
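The object path in the Kaspersky report above encodes where the flagged file sits: the mail store file for INBOX, then one [From][Date][Subj] group per message level (a second group means a message attached inside the first), then the attachment and the object found inside it. The following added Python example (not from the original thread or from Kaspersky) parses that path and builds an IMAP SEARCH criterion for the outermost message, which is the one that actually exists on the ISP's server; the path value is taken from the report as quoted, and the date-format handling is an assumption about how this report presents dates.

```python
import re
from datetime import datetime

# Constructed from the Kaspersky report quoted above (user name already masked as xxx by the poster).
REPORT_PATH = (
    r"C:\Users\xxx\AppData\Roaming\Thunderbird\Profiles\doky5bdl.default\ImapMail"
    r"\mail.twc.com\INBOX//[From <postmaster@usps.gov>][Date 3 Nov 2016 09:36:07]"
    r"[Subj Undeliverable: sundowner.com pay fax]/message/[From xxx <xxx@roadrunner.com>]"
    r"[Date 3 Nov 2016 14:32:17][Subj sundowner.com pay fax]/billing_fax_144060.doc//form.o.murrion"
)

# One "[From ...][Date ...][Subj ...]" group per message level; a later group is an attached message.
MSG_RE = re.compile(r"\[From (?P<from>[^\]]*)\]\[Date (?P<date>[^\]]*)\]\[Subj (?P<subj>[^\]]*)\]")

def parse_report_path(path):
    """Split a Kaspersky object path into mail folder, message chain, attachment and inner object."""
    folder_file, _, chain = path.partition("//")            # mail store file, then path inside it
    matches = list(MSG_RE.finditer(chain))
    tail = chain[matches[-1].end():] if matches else chain   # "/attachment.doc//object"
    parts = [p for p in tail.split("/") if p]
    return {
        "folder": folder_file.rsplit("\\", 1)[-1],           # e.g. INBOX
        "messages": [m.groupdict() for m in matches],        # outermost message first
        "attachment": parts[0] if parts else None,
        "embedded": parts[1:],                               # objects found inside the attachment
    }

def _quoted(s):
    # IMAP quoted string: escape backslash and double quote (RFC 3501).
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def imap_search_criteria(message):
    """Build an IMAP SEARCH criterion that locates the given message on the server."""
    # Assumption: the report's Date is the message's Date header in "d Mon yyyy HH:MM:SS" form.
    # IMAP ON compares against INTERNALDATE, which can differ by a day; widen with
    # SINCE/BEFORE if ON returns nothing.
    when = datetime.strptime(message["date"], "%d %b %Y %H:%M:%S")
    day = when.strftime("%d-%b-%Y").lstrip("0")              # RFC 3501 date: 3-Nov-2016
    addr = re.search(r"<([^>]+)>", message["from"])
    sender = addr.group(1) if addr else message["from"]
    return f"FROM {_quoted(sender)} ON {day} SUBJECT {_quoted(message['subj'])}"

if __name__ == "__main__":
    info = parse_report_path(REPORT_PATH)
    for depth, m in enumerate(info["messages"]):
        print("  " * depth + f"message from {m['from']}, {m['date']}: {m['subj']}")
    print("attachment:", info["attachment"], "-> flagged object:", info["embedded"])
    print("search", info["folder"], "with:", imap_search_criteria(info["messages"][0]))
```

After `select('INBOX')` on an imaplib IMAP4_SSL connection, pass the returned string to `search(None, criteria)` to get the message numbers, or use the same From, date and Subject to find and delete it through the ISP's webmail.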
Has it occurred to you that if a mail contains malware it is not important!
That it does not execute is important, but its presence is not. Thunderbird stores messages as text. Text is not executable. Thunderbird allows no scripting in email messages, so any embedded scripts do not run. The primary vector for infection is attachments. Unless you open them they do not exist; they are also just a text stream. So this malware can only get into your system if you open an infected attachment, and then only if your anti virus allows the file to be saved to the tmp folder and opened. If it does allow that, you need a new anti virus product.
It is for this reason we discourage any email scanning of the Thunderbird mail store. The mail is fine and safe where it is. I cannot say that for sure after your anti virus product has somehow excised a single email from a large store (a single file per folder is used) without updating the index of mail in the folder. At the very least, right click your account in the folder pane, select Properties and then Repair to ensure the lists displayed in Thunderbird reflect the mail that is actually on your hard disk.
I'm not sure you understand the nature of my problem. It appears that I get repeatedly re-infected. I've got everything updated that I can update, I've got everything set to as tight a security as I possibly can. I'm talking to the Kaspersky Customer Support to figure out what is going on. One thing that is a possibility is that email comes in and re-infects me. Since I'm watching the 'new' messages that are coming in like a hawk, the 'other' line of inquiry is the potential that emails that are on the server of my ISP and will get re-downloaded contain the infection. If I can figure out which email it is that causes such infection, I will delete it on my ISP's server (through the webmail) before it re-hits my computer. Hence the question: Is there a way to identify the email that might contain the infection, resp. the email to which Kaspersky gave me the 'detect' message upon scanning the IMAP folder.
I'm fully aware that a virus will only be installed if an executable gets executed (and only then).
Sidiana said
I'm not sure you understand the nature of my problem. It appears that I get repeatedly re-infected.
Define infected. Just because your anti virus whistles and the bells ring does not mean infection.
I would suggest you enable the "allow anti virus programs to scan incoming mail" setting in Options and let Kaspersky do whatever it is it wants to do before the mail gets to Thunderbird. Then you will not have to find the mail. Be aware Thunderbird will complain about missing files if your anti virus deleted the mail using that option.