Has anyone encountered "TR/Dldr.Small.bjd"?

Discussion in 'malware problems & news' started by BananaJones, Feb 3, 2008.

    Feb 3, 2008
    This happened yesterday - I'm using Avira Antivirus, always updated, and yesterday its Guard suddenly informed me that the file C:\WINDOWS\Temp\~DFAA6F.tmp contained a threat identified as TR/Dldr.Small.bjd - I glanced at the file and saw that it was pure binary that looked compressed, without any visible header etc.; I quarantined the file for later analysis. Moments later, Avira informed me that it found the same pest, but this time in... Firefox's backup of its bookmarks! (C:\Documents and Settings\[username]\Application Data\Mozilla\Firefox\Profiles\myprofile\bookmarkbackups\bookmarks-2008-02-02.html)
    I looked at this file and instead of HTML, I once again saw binary contents that looked encrypted. There was another backup of bookmarks, from the same day, in that directory, and I looked at it - this was normal HTML. Firefox's default bookmarks.html and bookmarks.bak were clean-looking HTML, too. I quarantined the binary and scanned the drive. Avira then detected the thing in Firefox's cache, too (Cache\_CACHE_003_) and nowhere else. I also scanned with Kaspersky's online service and rootkit scanners (AVG's, Gmer, Trend Micro's) and with Prevx CSI, Totalscan and Nanoscan.

    Then I made a lousy mistake: while trying to restore the suspect binaries so I could scan them with Virustotal, I deleted them! :( They could not be unerased. Anyway, I rolled back to a system restore point from a few days earlier and did some usual checking, such as scanning the system with everything that I used earlier and checking for rootkits, again (updating it first obviously :)), starting with a bootable CD and examining the drive for any suspicious files... and didn't find anything.

    (By the way, although I am tempted to do so, I didn't use Rootkit Unhooker or Radix Antirootkit because of the suspicious notes I've read about them, here and elsewhere... also because neither seems to have an official site or acknowledgement at the moment; and RU apparently cannot even be downloaded right now from any known and trusted source...?)

    Anyway, I'm still a bit worried, because I deleted those files and so I don't really know what they were, and trying to search for "TR/Dldr.Small.bjd" finds practically no information (although according to one document, it might seem that "bjd" stands for "BlackJumboDog", author of rogue software?). Furthermore, the fact that *something* was in Firefox's bookmark backups makes me worried. As far as Firefox goes, I didn't just roll back; I removed it after booting from CD, then reinstalled it and copied my whole Firefox profile from another computer. But still, I'd like to know more. A virus or trojan seems unlikely, since I checked everything and see no warning signs. But what worries me when nothing bad seems visible is, of course, as always in such cases, a rootkit. So does "TR/Dldr.Small.bjd" sound familiar to anyone? :( (Remember, that's the name under which Avira identified it)

    There was some post about this on Avira's forum and from what I could understand from the German language, someone suggested that it was some remnant of Adobe Reader (?) or just a problem with Firefox's cache... but that's unlikely; why would the browser's cache make a bookmark backup file turn into binary, or what would Adobe Reader be doing there?

    I'm fairly sure that whatever it is, it came to me through some site's tainted JavaScript, even though I use NoScript in Firefox and never allow it to run scripts on sites that don't show up as green in McAfee's SiteAdvisor... :\
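The symptom described in this post (a file with a text extension, such as a bookmarks backup, whose content is an opaque binary blob) can be triaged without an AV verdict: hash every file first, then flag text-typed files whose bytes are not textual or sit near 8 bits per byte of entropy. The script below is an added example and not part of the original post; the directory layout and file names are constructed to mirror the post, the file contents are constructed sample data (a random byte blob standing in for the compressed-looking file, not malware), and the function names, the extension list and the entropy threshold are my own assumptions.

```python
import hashlib
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Extensions that should hold readable text; a binary blob under one of
# these is what the poster saw in bookmarkbackups. (List is an assumption.)
TEXT_EXTENSIONS = {".html", ".htm", ".bak", ".txt", ".json"}
# Compressed/encrypted data sits near 8 bits per byte; HTML is usually 4-5.
ENTROPY_THRESHOLD = 6.5  # assumption; tune for your own data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_textual(data: bytes) -> bool:
    """Cheap plausibility check: no NUL bytes and almost all bytes printable ASCII or whitespace."""
    if not data:
        return True
    if b"\x00" in data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) > 0.95


def triage_file(path: Path) -> dict:
    """Hash first, then judge: the hash is what you submit or look up later,
    so it must be recorded before the file is quarantined or deleted."""
    data = path.read_bytes()
    entropy = shannon_entropy(data)
    textual = looks_textual(data)
    mismatch = path.suffix.lower() in TEXT_EXTENSIONS and (
        not textual or entropy > ENTROPY_THRESHOLD
    )
    return {
        "name": path.name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "entropy": round(entropy, 2),
        "textual": textual,
        "suspicious": mismatch,
    }


def triage_directory(root: Path) -> list:
    """Triage every regular file below root (e.g. a Firefox profile's bookmarkbackups)."""
    return [triage_file(p) for p in sorted(root.rglob("*")) if p.is_file()]


def build_sample_profile(root: Path) -> Path:
    """Constructed sample data mirroring the post: one backup that is real HTML
    and one that is an opaque blob despite its .html name. Not real malware."""
    backups = root / "bookmarkbackups"
    backups.mkdir(parents=True)
    good = ("<!DOCTYPE NETSCAPE-Bookmark-file-1>\n<TITLE>Bookmarks</TITLE>\n<DL><p>\n"
            '    <DT><A HREF="https://example.test/">Example</A>\n</DL><p>\n')
    (backups / "bookmarks-2008-02-02_1.html").write_text(good, encoding="ascii")
    rng = random.Random(2008)  # deterministic stand-in for compressed/encrypted bytes
    blob = bytes(rng.randrange(256) for _ in range(4096))
    (backups / "bookmarks-2008-02-02.html").write_bytes(blob)
    return root


def run_demo() -> dict:
    """Build the sample profile in a temp dir and return triage results keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_profile(Path(tmp))
        return {r["name"]: r for r in triage_directory(root)}


if __name__ == "__main__":
    for name, r in run_demo().items():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {name}  entropy={r['entropy']}  sha256={r['sha256'][:16]}...")
```

Run it against a copy of a real profile by replacing `build_sample_profile` with the profile path passed to `triage_directory`; the SHA-256 recorded for each file is what to keep (and submit to a multi-engine scanner) before any quarantine or delete step, which is exactly the evidence the poster lost.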
