
Trojan infection on IMAP

  • 2 replies
  • 2 have this problem
  • 9 views
  • Last reply by Gambalunga


I have a new Windows 11 computer and I have been using Thunderbird on previous computers for more years than I care to admit, pretty much since its inception.

Yesterday I received an expected email with several PDF files attached. One by one I opened them and printed the files, then at a certain point I had Windows Defender pop up a warning for a Trojan "Wacatac". In quick succession after that it popped up more warnings for "Wacatac" and "Oneeva".

I immediately closed Thunderbird and ran Defender to remove the threats, which it seemed to do and then gave a clear scan.

Following this I opened Thunderbird again and if I tried to open nearly any attachment the system started working very hard and Thunderbird gave a "Not responding" message. Also at one point I noted that Thunderbird reported that it was downloading messages even though there were no new messages.

At this time I started to get a huge number of warning messages with more malware than I bothered to record, but I noticed a downloader and various advertising or redirection malware.

I then detached all of the PDF files in the suspect email and scanned them separately - they did not result in any infection. I then deleted the email in question. My assumption was that the files themselves were downloaded directly from the server and that perhaps the infected file was somehow concealed.

I noted that all of the infected files reported by Defender were in a profile inbox folder for my IMAP server. This is normally a hidden folder so I had to turn on viewing of hidden files and folders in Windows Explorer. I reasoned that since I was using IMAP and hoped that the files on my email server were not infected (except the mail that I had deleted) I could safely delete the entire inbox folder and let Thunderbird re-build it the next time I used it.

For precaution I also downloaded and installed the latest version of Thunderbird over my existing installation.

All this was a bit intuitive as I had no idea how or if it would work.

I am pleased to say that the combination of deleting the suspected infected mail, deleting the IMAP inbox folder, and reinstalling TB over the existing installation seems to have resolved the problem. When I restarted Thunderbird it re-created the profile folder that I had deleted and I was able to open various attachments without encountering the problem. Logically it seems that I may have been correct that the Trojan was hidden amongst the attachments in the suspect email and I have reported it to the sender.

I will now have to be very careful of any signs that I may have had theft of passwords. Fortunately most important sites use 2 step security. I really don't want to have to find and change all my passwords :(

Any comments would be gratefully accepted, though I do seem to have resolved the problem myself.


Modified by Gambalunga

All Replies (2)


Thunderbird does not actually do anything with scripts in email bodies or garbage in attachments. They are stored as plain text in a MIME encoded form until they are opened or saved. The result of this is having a virus or Trojan identified is generally alarming, but entirely harmless. Most antivirus programs do more harm trying to dig the problem out than ever would be caused by the problem.

For an IMAP account, simply deleting the mail (hold shift to bypass the deleted/trash folder) and exiting Thunderbird (the default to expunge the server on exit is invoked unless you turn it off) and the mail is removed. At the worst you might have to use the compact on the file menu just to ensure any hidden traces are removed.

A bit like having a snake in a glass jar really with the lid screwed on. You are as safe as houses, but it can look somewhat alarming.
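Added example, not part of the original thread or of Thunderbird's code: a read-only triage script that lists every attachment stored in a local mail file, decoding it in memory only, so a message flagged by antivirus can be identified by subject, filename and SHA-256 without opening or saving anything. It assumes the account's local store is an mbox file (the path is whatever your profile uses); `list_attachments`, `build_sample_mbox` and the small `MAGIC` table are hypothetical names, and the sample mailbox is constructed.

```python
import hashlib
import mailbox
import os
import tempfile
from email.message import EmailMessage

# Leading bytes expected for a declared type (small illustrative table).
MAGIC = {"application/pdf": b"%PDF-", "application/zip": b"PK\x03\x04"}

def list_attachments(mbox_path):
    """Decode each attachment in memory only; nothing is written or executed."""
    rows = []
    box = mailbox.mbox(mbox_path, create=False)
    for msg in box:
        for part in msg.walk():
            name = part.get_filename()
            if name is None:          # not an attachment part
                continue
            data = part.get_payload(decode=True) or b""
            magic = MAGIC.get(part.get_content_type())
            rows.append({
                "subject": msg.get("Subject", ""),
                "filename": name,
                "declared": part.get_content_type(),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "mismatch": magic is not None and not data.startswith(magic),
            })
    box.close()
    return rows

def build_sample_mbox(path):
    """Constructed sample: one genuine-looking PDF, one mislabelled attachment."""
    box = mailbox.mbox(path)
    for subject, fname, body in [
        ("Invoice", "invoice.pdf", b"%PDF-1.4 constructed sample"),
        ("Statement", "statement.pdf", b"constructed bytes, not a PDF"),
    ]:
        m = EmailMessage()
        m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
        m.set_content("see attached")
        m.add_attachment(body, maintype="application", subtype="pdf", filename=fname)
        box.add(m)
    box.close()

if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), "INBOX")
    build_sample_mbox(sample)
    for row in list_attachments(sample):
        print(row)
```

Run it against a copy of the mail file with Thunderbird closed. Messages that were deleted but not yet compacted are still in the file and will be listed.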


Thanks for your reply Matt. The problem with this virus/trojan is that it apparently started replacing attachments in other mails in the profile IMAP inbox folder with malware and/or trojans. This meant that many other attachments were then in turn infected. I was lucky that it was mail on an IMAP server and that the infection was only in my computer. By deleting the original mail that was the source of the infection (shift delete) which deleted it on the server too, and then deleting the entire IMAP inbox folder on my local computer I effectively removed all of the infected files. Because it was IMAP Thunderbird recreated the folder and downloaded the mails from the server. Experimental re-opening of attachments showed that the original emails, that were still on the server, (other than the suspect one which had been deleted) were clean. I have had no reports of problems from people on my contact list so I can only assume that this series of Trojans would only be propagated if I forwarded one of the emails or infected attachments to someone.

Peter

Modified by Gambalunga