peculiar insertion of trojan in hidden dropbox file

[DJChuck 0]

Hi everyone,

Over the past few days, ESETS has been cleaning a particular threat, "LH/Agent.CH trojan" that is repeatedly inserted in a hidden folder in my Dropbox account:

 

I use a variety of security softwares - Malwarebytes, ESETS, Bitdefender: apart from ESETS, there is no other indication of a problem when I run a scan.

I've no idea what would be able to insert such as file.  Fortunately for me, it's malware for Windows while I use Macs.

Tips, tricks and suggestions?

Many thanks in advance

 

[Marcos 5,070]

Unfortunately you didn't post the logs as text but as images so it's not possible to copy it and search for the text easily. Please provide the log records as text. If possible, submit the detected file(s) to samples[at]eset.com.

[DJChuck 0]

Thanks for this.

I've submitted the file logs - the file itself is always deleted by ESET - to samples[at]eset.com as you suggested: no response yet.

In the meantime, I've discovered that Dropbox is trying to sync with startmeinweb.de.html - as it does so, the effort to install the trojan takes place and then is detected and deleted by ESET.  This appears to be only on one machine - i.e., Dropbox on my other machines doesn't show the same behavior. I've also sent a request for help from Dropbox.

If still relevant, the recent log files are attached.

Again, many thanks!

 

ESETS log files.txt

[Marcos 5,070]

You've received a response. The detection seems to be correct; the url shortcut is detected because the website is set by malware as the default home page, ie. most likely without user's consent or knowledge.

[DJChuck 0]

Great - again, thanks.  Yes, the response reads:

The detection is rather correct. It's an IE shortcut to a blocked website which is detected. The website is set by malware MSIL/StartPage.CD trojan as the default homepage.

Good to know - but what I still don't know: (a) since I'm using a Mac, how did an IE shortcut get inserted into my machine?  And, more practically: how do I remove this trojan as none of my security software is finding it on the machine?

Many thanks in advance for your help!

[Marcos 5,070]

Since it's created by Dropbox, it must have gotten to the cloud from another machine so when files are synced with the cloud, the file is downloaded regardless of what OS you have. Moreover, it's a text file so we'd need logs from a machine where it was created by a different process than Dropbox.

[peteyt 393]

On 5/3/2020 at 8:32 PM, DJChuck said:

Hi everyone,

Over the past few days, ESETS has been cleaning a particular threat, "LH/Agent.CH trojan" that is repeatedly inserted in a hidden folder in my Dropbox account:

 

I use a variety of security softwares - Malwarebytes, ESETS, Bitdefender: apart from ESETS, there is no other indication of a problem when I run a scan.

I've no idea what would be able to insert such as file.  Fortunately for me, it's malware for Windows while I use Macs.

Tips, tricks and suggestions?

Many thanks in advance

 

I'd also avoid using multiple security products as they could actually put you at more risk by causing conflicts especially when more than one are being used as realtime scanners 

[DJChuck 0]

Thanks for the good advice.

In the meantime, I've discovered - thanks to help from Dropbox support - what the problem was.

It turns out that Dropbox was attempting to synchronize a couple of files from a German relative. When doing some updating the relative a couple of years ago, I made back up files from an old PC.  Two of these files, I eventually learned, included "startmeinweb.de.".  This was a start part for Internet Explorer that at that time (2012-2014) was connected with a malware.

The reason this wasn't immediately obvious: when Dropbox syncs files, as you may well know, it does them in chunks, deposited in the .cache folder for subsequent reassembly.  One such (incomplete) chunk showed up during the attempted syncing process with a machine-labelled partial file - enough for ESETs to identify the suspect element as a trojan - but gave me no further information as to the actual element (startmeinweb.de) that was triggering the identification and cleaning, much less the filename / path of where it was found.

Upon the advice of the Dropbox support person, I turned off the real-time file protection and allowed Dropbox to complete its synchronization.  That is, previously it would stall because of the detection of the trojan; after the cleaning process, it would restart syncing, only to get the infected chunk back in the .cache file.

Once the synchronization was complete, I turned the file protection back on: ESETs detected and cleaned two infected files, now fully identified by name and volume / folder.  Now, apparently, everything is back in order.

Many thanks again for all the help.