#1
Up until last week I have been using CPanel's webmail for my business email. I gave Thunderbird a try because I wanted easier access to my email without having to keep logging in and out of the site. I also downloaded a Thunderbird addon called Enigmail which allows you to sign and encrypt email using OpenPGP.
Today Norton did a full system scan and revealed a virus hidden as hide.dll located in C:\Users\Andrew\AppData\Roaming\Thunderbird\Profiles\7pgbd38j.default\ImapMail\mail.xxxxxxxxxx.co.uk\INBOX.sbd. VirusTotal Result: ~Removed per Policy~ With all the protection I have on my PC I am very surprised this is even here. Clearly this is a common trojan which went undetected by Norton, MSE and PrevX for a long period of time. I am more interested in how this trojan got on my system in the first place. It appears to have come in either Enigmail, OpenPGP, or Thunderbird. All downloaded from the original source. My concern now is seeing words like Sinowal, and Rootkit on the VirusTotal website. Any suggestions what next? I guess I start with changing all my passwords to be on the safe side from a clean PC.
Last edited by ronjor : May 8th, 2010 at 07:55 PM. Reason: Virus Total results removed
#2
Quote:
Sorry to say but it's your security in particular, Norton. I have those encryption programs and Thunderbird and don't have that dll. Norton is the only one that probably scans email coming in and its updating process is horribly slow so detection is often too late.
__________________
Sent From My New "ipod killer" - the Samsung Galaxy Media Player 5.0
#3
One of my websites was recently hacked from Russia so I wonder if there is a connection between the two. I don't trust my computer now, there could be a ton of other malware hiding in the background. I think it's time for a format / re-install.
Bastards aren't they!
#4
Quote:
Well, you just learned the hard way that many here haven't yet and that is the "Antivirus" solution or "re-active" solution cannot be relied upon. The good guys are always behind and playing catchup with the bad guys. Use an AV as an opinion only and concentrate your setup on the "pro-active" approach meaning - virtualization like sandboxie, returnil, virtualbox, etc and "DAILY IMAGES"!
__________________
Sent From My New "ipod killer" - the Samsung Galaxy Media Player 5.0
#5
My problem is I am using Windows 7.64 which slims down my software options. I have a fairly decent setup at the moment so I am shocked this got through undetected. I am just interested where it came from.
#6
Quote:
I'm not shocked in the least because Norton finally "reacted" and detected it when it was able to but not block it in the first place. And that is because of how the AV solution works. If you have images, then it's a quick (10-15 minutes) restore and you're back in business. You only have to decide how far back in time you need to go.
__________________
Sent From My New "ipod killer" - the Samsung Galaxy Media Player 5.0
#7
I'm not using any imaging software at the moment. I have a paid copy of Paragon Disk Backup Pro 10 but had a bad experience with it. Plus now I only have one 1.2TB drive so wouldn't that mean having to put the images onto a portable drive, or splitting my main drive into two?
Last edited by CyberWorm : May 8th, 2010 at 09:27 PM.
#8
Quote:
Yes, external media is the best solution as long as you have the space. If you don't have that, for now at least, use free partition software and create a D partition to store your images on. Visit the new backup section lower in this forum for more info.
__________________
Sent From My New "ipod killer" - the Samsung Galaxy Media Player 5.0
#9
There are not that many backup programs which support Windows 7 x64 with a SATA RAID configuration. Paragon does so I will give it another go.