TrojanDownloader nemucod.YW infected INBOX and reoccurs at reboot

  • 5 replies
  • 3 have this problem
  • 3 views
  • Last reply by Matt

For about a week I have been getting reports from eSet smart security that one of my Thunderbird account's INBOX is infected with JS/TrojanDownloader.nemucod.yw.trojan plus 8 other "multiple threats". eSet shows these have been quarantined, but they recur with every reboot. Several other scanner tools (Kaspersky, Malwarebytes, Sophos) show no infection. Is there a method to really find an infection in INBOX and remove it?

All replies (5)

Is there any real need is perhaps a more pertinent question. Regardless of the potential threat, those Trojans etc. are totally inert.

Right click the inbox, select compact and see if that ends the issue.

(1) Compacting did not help. (2) Trojans are not all inert, many make and maintain connections that actively download other malware. (3) Recent nemucod variants carry disk encrypting ransomware, and this variant is known to do that. We have not been hit with that but as long as it resides inside a Thunderbird INBOX the potential is there.

<insert all of mhgoodrich's comments>

1) Also look to see if any particular sender(s) is/are sending these messages carrying the trojan(s).

2) If #1 provides such info as sender or a particular mail service is seen to be trending, consider not only letting tbird/eset teams and other virus detection teams know this info so they may possibly update their lists of bad actors.

We have an open support case with eSet also.

The report from the antivirus only identifies that the Thunderbird INBOX is infected, not granular to a specific email or sender.

mhgoodrich said

(2) Trojans are not all inert, many make and maintain connections that actively download other malware.

Utter rubbish. It is this sort of fear mongering that the anti virus community is guilty of. You can not have an active Trojan or any other executable program in a Thunderbird inbox. It is a text file that contains text. Open it in notepad and have a look if you doubt me.

What you can have are MIME-encoded text versions of the executable code that can be decoded by Thunderbird into a binary object and will appear in the display of the mail as an attachment. Still totally inert, and the actual decoding into a binary object occurs when you choose to open the attachment.

The attachment can be opened, but first it is written to the temp folder. If EsET is as good as they claim (which I doubt following some recent public tests) then their real time protection will prevent the launch of the program.

As Thunderbird does not allow scripting in its emails, there is no vector to execute the trojan from a remote location upon opening the mail. The only risk is in remote images and that is remote and turned OFF by default in Thunderbird for that reason.

(3) Recent nemucod variants carry disk encrypting ransomware, and this variant is known to do that. We have not been hit with that but as long as it resides inside a Thunderbird INBOX the potential is there.

What concerns me is that the mail with the infected attachment was not deleted by the recipient upon receipt. Why would you keep an email that has an unidentified attachment? The answer of course is you think it is something valuable to you I suppose.

I think the support ticket you need to take away is the need to keep a clean inbox. If you only had 3 emails, working out which was a problem would be simple. See http://kb.mozillazine.org/Keep_it_working_(Thunderbird)
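
Added example, not part of the original thread or any poster's reply: since the scanner only names the INBOX file and not a message, this Python sketch walks an mbox-format folder file and lists the sender, subject and filename of each attachment whose extension is on a watch list. It assumes the folder is stored in mbox format; `RISKY_EXT`, `find_risky_attachments`, `demo` and the sample messages are constructed for illustration.

```python
import mailbox
import os
import tempfile

# Assumed list of script/archive/executable extensions worth flagging.
RISKY_EXT = {".js", ".jse", ".wsf", ".vbs", ".hta", ".zip", ".exe", ".scr"}

def find_risky_attachments(mbox_path):
    """Return (index, sender, subject, filename) for each flagged attachment."""
    hits = []
    box = mailbox.mbox(mbox_path, create=False)
    for index, msg in enumerate(box):
        for part in msg.walk():  # visits every MIME part, nested ones too
            name = part.get_filename()
            if name and os.path.splitext(name)[1].lower() in RISKY_EXT:
                hits.append((index, msg.get("From", ""), msg.get("Subject", ""), name))
    box.close()
    return hits

# Constructed two-message mbox; the attachment body is placeholder text.
SAMPLE = b"""From - Mon Jan 01 00:00:00 2024
From: alice@example.com
Subject: Lunch

See you at noon.

From - Mon Jan 01 00:00:01 2024
From: billing@example.net
Subject: Invoice
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Please see attached.
--XX
Content-Type: application/javascript
Content-Disposition: attachment; filename="invoice.js"

placeholder text, not real script content
--XX--
"""

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Inbox")
        with open(path, "wb") as fh:
            fh.write(SAMPLE)
        return find_risky_attachments(path)
```

Run `find_risky_attachments` against a copy of the folder file taken while Thunderbird is closed; the reported index is the message's position in that file.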