Phantom Thunderbird Trojan E-mail Attachments
After BitDefender v10 OEM scanned my system it detected "Trojan.Kobcka.BS"s, "Trojan.Pandex.AC"s and "Trojan.Dropper.RNY"s in the Inbox and Junk folders of my Thunderbird e-mail profile. I did a scan over 2 weeks ago and BitDefender didn't detect these trojans in any e-mail attachments at that time.
I have now deleted the contents of my Junk folder and emptied my Deleted folder and have done another scan of my Thunderbird e-mail profile. It's detected the exact same 8 trojans in the same 4 e-mails it did before. 2 are supposedly in Inbox and 2 are supposedly in Junk. I can't find any of these supposed e-mails in either my Inbox folder or the now emptied Junk folder. I searched for the subject headers it listed such as "Merry Christmas" and search didn't find anything in Thunderbird.
Here is the "Summary" part of the log:
Summary:
C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Inbox=>(message 1761)=>
[subject: You have card][Date: , 16 Dec 2007 09:07:39 -0600]=>(MIME part)=>card.zip=>card.scr Infected:
Trojan.Kobcka.BS
C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Inbox=>(message 1761)=>
[subject: You have card][Date: , 16 Dec 2007 09:07:39 -0600]=>(MIME part)=>card.zip=>card.scr Disinfection failed
C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Inbox=>(message 2571)=>
[subject: Card from a.dult Friend Finder][Date: Mon, 6 Jan 2008 10:06:23 +0800]=>(MIME part)=>photos.zip=>photos.scr
Infected: Trojan.Dropper.RNY
C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Inbox=>(message 2571)=>
[subject: Card from a.dult Friend Finder][Date: Mon, 6 Jan 2008 10:06:23 +0800]=>(MIME part)=>photos.zip=>photos.scr
Disinfection failed
C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Inbox=>(message 2716)=>
[subject: Merry Christmas][Date: Mon, 13 Jan 2008 09:49:03 +1000]=>(MIME part)=>eCard.zip=>eCard.exe Infected:
Trojan.Pandex.AC
C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Inbox=>(message 2716)=>
[subject: Merry Christmas][Date: Mon, 13 Jan 2008 09:49:03 +1000]=>(MIME part)=>eCard.zip=>eCard.exe Disinfection
failed
C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Inbox=>(message 2953)=>
[subject: Card from a.dult Friend Finder][Date: Tue, 22 Jan 2008 22:07:07 +0100]=>(MIME part)=>eCard.zip=>eCard.scr
Infected: Trojan.Kobcka.CH
C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Inbox=>(message 2953)=>
[subject: Card from a.dult Friend Finder][Date: Tue, 22 Jan 2008 22:07:07 +0100]=>(MIME part)=>eCard.zip=>eCard.scr
Disinfection failed
C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Junk=>(message 887)=>
[subject: You have card][Date: , 16 Dec 2007 09:07:39 -0600]=>(MIME part)=>card.zip=>card.scr Infected:
Trojan.Kobcka.BS
C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Junk=>(message 887)=>
[subject: You have card][Date: , 16 Dec 2007 09:07:39 -0600]=>(MIME part)=>card.zip=>card.scr Disinfection failed
C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Junk=>(message 1444)=>
[subject: Card from a.dult Friend Finder][Date: Mon, 6 Jan 2008 10:06:23 +0800]=>(MIME part)=>photos.zip=>photos.scr
Infected: Trojan.Dropper.RNY
C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Junk=>(message 1444)=>
[subject: Card from a.dult Friend Finder][Date: Mon, 6 Jan 2008 10:06:23 +0800]=>(MIME part)=>photos.zip=>photos.scr
Disinfection failed
C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Junk=>(message 1557)=>
[subject: Merry Christmas][Date: Mon, 13 Jan 2008 09:49:03 +1000]=>(MIME part)=>eCard.zip=>eCard.exe Infected:
Trojan.Pandex.AC
C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Junk=>(message 1557)=>
[subject: Merry Christmas][Date: Mon, 13 Jan 2008 09:49:03 +1000]=>(MIME part)=>eCard.zip=>eCard.exe Disinfection
failed
C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Junk=>(message 1714)=>
[subject: Card from a.dult Friend Finder][Date: Tue, 22 Jan 2008 22:07:07 +0100]=>(MIME part)=>eCard.zip=>eCard.scr
Infected: Trojan.Kobcka.CH
C:\Users\Blah\AppData\Roaming\Thunderbird\Profiles\blah.default\Mail\Local Folders\Junk=>(message 1714)=>
[subject: Card from a.dult Friend Finder][Date: Tue, 22 Jan 2008 22:07:07 +0100]=>(MIME part)=>eCard.zip=>eCard.scr
Disinfection failed
Why is it detecting these "phantom" e-mails and their non-existent trojan infected attachments?
Comments
-
Hello GayusMarius,
BitDefender might detect false positives (legit files, detected as infected), but one thing I can say for sure: it does not "invent" infections. If a file is scanned, then it is present on your HDD.
Just like physical files, e-mails are not completely deleted when you delete them from Thunderbird. They are somehow hidden, and probably that's why BD still detects them.
The e-mails are completely removed when you compact the files. "Compacting" the files actually means "removing all unnecessary data from the database, such as deleted e-mails". In Thunderbird, you should find an option like: Compact folders, Compress folders, etc. I'm not using Thunderbird, so I cannot say for sure what the function is called and where it is placed, but in Outlook Express it is placed in File -> Folder -> Compact.
Hope this helps.
Cris.
P.S.: When you find this option, disable BD Realtime Protection before compacting the folders, so it won't block access to the infected e-mails, therefore preventing Thunderbird from deleting them.
-
Thanks so much. I always wondered what "compacting files" meant when Thunderbird was doing it. I turned it off on all my Thunderbird profiles across my PCs so they all have these "phantom" e-mail infections popping up. I'll turn compacting back on. I always thought it was like compression that compressed archives undergo.
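An added example (not part of the thread or of any participant's post) showing why the scanner still finds the deleted messages: it walks the raw bytes of a Thunderbird folder file and lists messages that are flagged deleted but still physically present with their attachments. It assumes the mbox layout and the `X-Mozilla-Status` header with its 0x0008 "expunged" bit, which the thread does not mention; the sample folder content is constructed.

```python
import email
import re
from email import policy

EXPUNGED = 0x0008  # X-Mozilla-Status bit set when a message is deleted
RISKY_EXT = (".zip", ".scr", ".exe")  # extensions seen in the scan log

# Constructed sample mbox: one deleted message with an attachment, one live.
SAMPLE_MBOX = (
    b"From - Sun Dec 16 09:07:39 2007\n"
    b"X-Mozilla-Status: 0009\n"
    b"Subject: You have card\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n'
    b"\n"
    b"--b1\n"
    b"Content-Type: application/zip\n"
    b'Content-Disposition: attachment; filename="card.zip"\n'
    b"Content-Transfer-Encoding: base64\n"
    b"\n"
    b"AAAA\n"  # placeholder bytes, not a real archive
    b"--b1--\n"
    b"\n"
    b"From - Mon Jan 14 10:00:00 2008\n"
    b"X-Mozilla-Status: 0001\n"
    b"Subject: Meeting notes\n"
    b"\n"
    b"Plain message that is still visible in the folder.\n"
)

def split_mbox(raw):
    """Split raw mbox bytes on the 'From ' separator lines."""
    return [p for p in re.split(rb"(?m)^From .*\r?\n", raw) if p.strip()]

def audit(raw):
    """Return (number, subject, deleted, attachment names) per message."""
    report = []
    for n, chunk in enumerate(split_mbox(raw), start=1):
        msg = email.message_from_bytes(chunk, policy=policy.default)
        status = int(str(msg.get("X-Mozilla-Status", "0")).strip() or "0", 16)
        names = [p.get_filename() for p in msg.walk() if p.get_filename()]
        report.append((n, str(msg["Subject"]), bool(status & EXPUNGED), names))
    return report

def phantom_hits(raw):
    """Deleted-but-uncompacted messages that still carry risky attachments."""
    return [r for r in audit(raw)
            if r[2] and any(a.lower().endswith(RISKY_EXT) for a in r[3])]

if __name__ == "__main__":
    for hit in phantom_hits(SAMPLE_MBOX):
        print(hit)
```

Run against a copy of the real folder file (for example the `Inbox` file named in the scan log) by passing its bytes to `phantom_hits`; after compacting, the list should be empty.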