TrojanDownloader nemucod.YW infected INBOX and reoccurs at reboot
For about a week I have been getting reports from eSet smart security that one of my Thunderbird accounts INBOX is infected with JS/TrojanDownloader.nemucod.yw.trojan plus 8 other "multiple threats". eSet shows these have been quarantined, but they recur with evey reboot. Several other scanner tools (Kaspersky, Malwarebytes, Sophos) show no infection. Is there a method to really find an infection in INBOX and remove it?
Alle antwurden (5)
Is there any real need is perhaps a more pertinent question. Regardless of the potential threat, those Trojans etc and totally inert.
Right click the inbox, select compact and see if that ends the issue.
(1) Compacting did not help. (2) Trojans are not all inert, many make and maintain connections that actively download other malware. (3) recent nemucod variants carry disk encrypting ransonware, and this variant is known to do that. We have not been hit with that but as long as it resides inside a Thunderbird INBOX the potential is there.
<insert all of mhgoodrich's comments>
1) Also look to see if any particular sender(s) is/are sending these messages carrying the trojan(s).
2) if #1 provides such info as sender or a particular mail service is seen to be trending, Consider not only letting tbird /eset teams and other virus detection teams know this info so them may possibly update their lists of bad actors.
We have an open support case with eSet also.
The report from the antivirus only identifies that the Thunderbird INBOX is infected, not granular to a specific email or sender.
mhgoodrich said
(2) Trojans are not all inert, many make and maintain connections that actively download other malware.
Utter rubbish. It is this sort of fear mongering that the anti virus community is guilty of. You can not have an active Trojan or any other executable program in a Thunderbird inbox. It is a text fie that contains text. Open it in notepad and have a look if you doubt me.
What you can have are mime encoded text version of the executable code that can be decoded by Thunderbird into a binary object and will appear in the display of the mail as an attachment. Still totally inert. and the actual decoding into a binary object occurs when you choose to open the attachment.
The attachment can be opened, but first it is written to the temp folder. If EsET is as good as they claim (which I doubt following some recent public tests) then their real time protection will prevent the launch of the program.
As Thunderbird does not allow scripting in it's emails, there is no vector to execute the trojan from a remote location upon opening the mail. The only risk is in remote images and that is remote and turned OFF by default in Thunderbird for that reason.
(3) recent nemucod variants carry disk encrypting ransonware, and this variant is known to do that. We have not been hit with that but as long as it resides inside a Thunderbird INBOX the potential is there.
What concerns we is that the mail with the infected attachment was not deleted by the recipient upon receipt. Why would you keep an email that has an unidentified attachment. The answer of course is you think it is something valuable to you I suppose.
I think the support ticket you need to take away is the need to kee a clean inbox. If you only had 3 emails, working out which was a problem would be simply. See http://kb.mozillazine.org/Keep_it_working_(Thunderbird)