Phantom Thunderbird Trojan E-mail Attachments

After BitDefender v10 OEM scanned my system it detected "Trojan.Kobcka.BS"s, "Trojan.Pandex.AC"s and "Trojan.Dropper.RNY"s in the Inbox and Junk folders of my Thunderbird e-mail profile. I did a scan over 2 weeks ago and BitDefender didn't detect these trojans in any e-mail attachments at that time.

I have now deleted the contents of my Junk folder and emptied my Deleted folder and have done another scan of my Thunderbird e-mail profile. It's detected the exact same 8 trojans in the same 4 e-mails it did before. 2 are supposedly in Inbox and 2 are supposedly in Junk. I can't find any of these supposed e-mails in either my Inbox folder or the now emptied Junk folder. I searched for the subject headers it listed such as "Merry Christmas" and search didn't find anything in Thunderbird.

Here is the "Summary" part of the log:

Summary:

C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Inbox=>(message 1761)=>

[subject: You have card][Date: , 16 Dec 2007 09:07:39 -0600]=>(MIME part)=>card.zip=>card.scr Infected:

Trojan.Kobcka.BS

C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Inbox=>(message 1761)=>

[subject: You have card][Date: , 16 Dec 2007 09:07:39 -0600]=>(MIME part)=>card.zip=>card.scr Disinfection failed

C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Inbox=>(message 2571)=>

[subject: Card from a.dult Friend Finder][Date: Mon, 6 Jan 2008 10:06:23 +0800]=>(MIME part)=>photos.zip=>photos.scr

Infected: Trojan.Dropper.RNY

C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Inbox=>(message 2571)=>

[subject: Card from a.dult Friend Finder][Date: Mon, 6 Jan 2008 10:06:23 +0800]=>(MIME part)=>photos.zip=>photos.scr

Disinfection failed

C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Inbox=>(message 2716)=>

[subject: Merry Christmas][Date: Mon, 13 Jan 2008 09:49:03 +1000]=>(MIME part)=>eCard.zip=>eCard.exe Infected:

Trojan.Pandex.AC

C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Inbox=>(message 2716)=>

[subject: Merry Christmas][Date: Mon, 13 Jan 2008 09:49:03 +1000]=>(MIME part)=>eCard.zip=>eCard.exe Disinfection

failed

C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Inbox=>(message 2953)=>

[subject: Card from a.dult Friend Finder][Date: Tue, 22 Jan 2008 22:07:07 +0100]=>(MIME part)=>eCard.zip=>eCard.scr

Infected: Trojan.Kobcka.CH

C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Inbox=>(message 2953)=>

[subject: Card from a.dult Friend Finder][Date: Tue, 22 Jan 2008 22:07:07 +0100]=>(MIME part)=>eCard.zip=>eCard.scr

Disinfection failed

C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Junk=>(message 887)=>

[subject: You have card][Date: , 16 Dec 2007 09:07:39 -0600]=>(MIME part)=>card.zip=>card.scr Infected:

Trojan.Kobcka.BS

C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Junk=>(message 887)=>

[subject: You have card][Date: , 16 Dec 2007 09:07:39 -0600]=>(MIME part)=>card.zip=>card.scr Disinfection failed

C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Junk=>(message 1444)=>

[subject: Card from a.dult Friend Finder][Date: Mon, 6 Jan 2008 10:06:23 +0800]=>(MIME part)=>photos.zip=>photos.scr

Infected: Trojan.Dropper.RNY

C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Junk=>(message 1444)=>

[subject: Card from a.dult Friend Finder][Date: Mon, 6 Jan 2008 10:06:23 +0800]=>(MIME part)=>photos.zip=>photos.scr

Disinfection failed

C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Junk=>(message 1557)=>

[subject: Merry Christmas][Date: Mon, 13 Jan 2008 09:49:03 +1000]=>(MIME part)=>eCard.zip=>eCard.exe Infected:

Trojan.Pandex.AC

C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Junk=>(message 1557)=>

[subject: Merry Christmas][Date: Mon, 13 Jan 2008 09:49:03 +1000]=>(MIME part)=>eCard.zip=>eCard.exe Disinfection

failed

C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Junk=>(message 1714)=>

[subject: Card from a.dult Friend Finder][Date: Tue, 22 Jan 2008 22:07:07 +0100]=>(MIME part)=>eCard.zip=>eCard.scr

Infected: Trojan.Kobcka.CH

C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Junk=>(message 1714)=>

[subject: Card from a.dult Friend Finder][Date: Tue, 22 Jan 2008 22:07:07 +0100]=>(MIME part)=>eCard.zip=>eCard.scr

Disinfection failed

Why is it detecting this "phantom" e-mails and their non-existent trojan infected attachments?

Find more posts tagged with

Comments

alexcrist

Hello GayusMarius,

BitDefender might detect false positives (legit files, detected as infected), but one thing I can say for sure: it does not "invent" infections. If a file is scanned, then it is present on your HDD.

Just like physical files, e-mails are not completely deleted when you delete them from Thunderbird. They are somehow hidden, and probably that's why BD still detects them.

The e-mails are completely removed when you compact the files. "Compacting" the files actually means "removing all un-necessary data from the database, such as deleted e-mails". In Thunderbird, you should find an option like: Compact folders, Compress folders, etc.... I'm not using Thunderbird, so I cannot say for sure what the function is called and where it is placed, but in Outlook Express it is placed in File -> Folder -> Compact.

Hope this helps.

Cris.

P.S.: When you find this option, disable BD Realtime Protection before compacting the folders, so it won't block access to the infected e-mails, therefore preventing Thunderbird from deleting them.

IllNeverHaveYouAgain

Hello GayusMarius,

BitDefender might detect false positives (legit files, detected as infected), but one thing I can say for sure: it does not "invent" infections. If a file is scanned, then it is present on your HDD.

Just like physical files, e-mails are not completely deleted when you delete them from Thunderbird. They are somehow hidden, and probably that's why BD still detects them.

The e-mails are completely removed when you compact the files. "Compacting" the files actually means "removing all un-necessary data from the database, such as deleted e-mails". In Thunderbird, you should find an option like: Compact folders, Compress folders, etc.... I'm not using Thunderbird, so I cannot say for sure what the function is called and where it is placed, but in Outlook Express it is placed in File -> Folder -> Compact.

Hope this helps.

Cris.

P.S.: When you find this option, disable BD Realtime Protection before compacting the folders, so it won't block access to the infected e-mails, therefore preventing Thunderbird from deleting them.

Thanks so much. I always wondered what "compacting files" meant when Thunderbird was doing it. I turned it off on all my Thunderbird profiles across my PCs so they all have these "phantom" e-mail infections popping up. I'll turn compacting back on. I always thought it was like compression that compressed archives undergo.