Jump to content

Trojan Virus Body deleted - it is still detected, do I need to do something else to clean up?


Go to solution Solved by Marcos,

Recommended Posts

-------------------------------------------------------------------

TOO LONG DIDN'T READ

I opened a PDF that was then detected as a Trojan Downloader, I don't know how it works or what is needed to be triggered, I opened with Firefox so this might have disabled macros? It has something about Acrobat so maybe it assumes Acrobat to be triggered... I hope for this.

Here is the Virus Total information: https://www.virustotal.com/gui/file/7eac6a51a7113f614aa37b2bdc4dd71690d35ac3a599a23ddde153fe0ff18cd6?nocache=1

I don't know if I have the virus or if I have to do something with Registry since it seems it modified something...

I'm a rookie and a programmer which makes this even more embarassing, take what I say with a grain of salt and sorry for the mistakes.

-------------------------------------------------------------------

DETAILED STORY

Premiss

Context:

I was contacted for a job offer to my business email, so it seemed legit, searching for the domain unfortunately popped up a result that was in line with my expectations and I went ahead, I know this was bad practice, I will not repeat the same error.

What did I do?

I downloaded and opened an Infected PDF via Firefox, this was from an email and I didn't know PDFs could trigger or be viruses.

The "bigger" virus was a redline stealer, but I didn't open it and deleted it immediately.

 

Once I realized what it was I deleted everything, but ESET complete scan still detected a Trojan Downloader in the Recycle Bin folder that actually was the PDF (I cleaned everything also from there before, not sure why it would still be there).

I guess the hackers target specific people and want backdoor access, to then activate the redline stealer or maybe use the computer in some other way.

 

QUESTION 1: Now in the next section, you will see "Software\Adobe\Acrobat Reader\9.0\AVGeneral\bLastExitNormal" does this mean the virus needs Acrobat to be triggered and so opening it via Firefox was safe or safer?

 

More juice - Thecnical Information

This is what was inside the PDF, via Virus Total:
 

Quote

 

REGISTRY KEYS SET

Software\Adobe\Acrobat Reader\9.0\AVGeneral\bLastExitNormal

Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix

{A4D09103-73E6-4213-99BB-0B3399BCF238}\WpadDecisionReason

{A4D09103-73E6-4213-99BB-0B3399BCF238}\WpadDecisionTime

{A4D09103-73E6-4213-99BB-0B3399BCF238}\WpadDecision

{A4D09103-73E6-4213-99BB-0B3399BCF238}\WpadNetworkName

52-54-00-b2-3b-fe\WpadDetectedUrl

CALLS HIGHLIGHTED

GetTickCount

IsDebuggerPresent

SetWindowsHookExW

SleepGet

AdaptersAddresses

 

We can see something strange, but this part is far above my knowledge.

What now?

I run a full scan and ESET still sees the PDF in the recycle bin, now it says it deleted it.

QUESTION 2: What do I do now?

QUESTION 3: Do I need to worry for those Registry changes or are they just meaningless if there is no virus going around?

 

I would like to apologize for my poor knowledge, I learned this in these days of virus rabbit hole around internet, thanks for the help!

 

Link to comment
Share on other sites

  • Administrators

Even if you opened the pdf file before the detection was added yesterday, the payload downloaded (a 750 MB file Explanation of our pricing policy(mt).scr) had been detected for several days already. Plus you would have to enter the password from the pdf document to extract it.

Link to comment
Share on other sites

Yes, I actually did all that, I had the PDF file and the (fake 750MB) big file on my desktop, I realized it WAY too late, but I didn't open the .scr file once I saw I did dumb stuff.

I'm left with verifying if the PDF ALONE was dangerous or not. The details in the post are about the PDF alone and the Trojan itself would (?) be in that PDF.

It says something about Acrobat, I don't know how PDF viruses work, in any way I opened it only on Firefox and not in other PDF readers (in case this is useful).

This happened before the PDF was detected, I then thought everything else was safe (again, it was DUMB to assume).

 

Is the PDF alone dangerous?

8 minutes ago, Marcos said:

Even if you opened the pdf file before the detection was added yesterday, the payload downloaded (a 750 MB file Explanation of our pricing policy(mt).scr) had been detected for several days already. Plus you would have to enter the password from the pdf document to extract it.

 

Link to comment
Share on other sites

4 hours ago, Marcos said:

The pdf contained just a download link with a password. It doesn't do anything.

Then I'm sorry to disturb you but why does ESET flag it as A Trojan if it doesn't do anything? Does it mean it is 100% harmless and it is just flagged as suspicious because it can lead to a malware?

Thanks for the replies!

Link to comment
Share on other sites

  • Administrators
  • Solution

The pdf contains a link to malware, there are no innocent intentions behind it.

image.png

Link to comment
Share on other sites

2 hours ago, Marcos said:

The pdf contains a link to malware, there are no innocent intentions behind it.

image.png

Yes again, it has malicious intent, the FILE ITSELF is NOT malicious.

If by definition a Trojan can be anything that has malicious intent, then I think a lot of files can be misinterpreted as harmful even if they are not BY THEMSELVES but only as a vehicle to the virus.

This can lead to a lot of time lost in researching the file by non expert users like me who might think they actually got something. Wouldn't it be better to mark is as not-a-virus warning and/or quarantine them? I'm not expert enough, I just think that if the definition is applied correctly it is misleading by nature for less knowledgeable people like me.

Thanks again, I will mark this as solved.

Link to comment
Share on other sites

  • Most Valued Members
On 2/10/2022 at 10:05 PM, obsence said:

Yes again, it has malicious intent, the FILE ITSELF is NOT malicious.

If by definition a Trojan can be anything that has malicious intent, then I think a lot of files can be misinterpreted as harmful even if they are not BY THEMSELVES but only as a vehicle to the virus.

This can lead to a lot of time lost in researching the file by non expert users like me who might think they actually got something. Wouldn't it be better to mark is as not-a-virus warning and/or quarantine them? I'm not expert enough, I just think that if the definition is applied correctly it is misleading by nature for less knowledgeable people like me.

Thanks again, I will mark this as solved.

It is a trojan horse , it is disguised as a normal PDF and contains a link to the malware/threat.

image.png.ffcfeb5ddacc0f5e13b7148e61922dd0.png

https://www.eset.com/int/trojan-horse/

Anyway , A malicious PDF naming or a Trojan Horse , all roads lead to Rome , ESET has protected you from that threat.

Edited by Nightowl
Link to comment
Share on other sites

  • Most Valued Members
2 hours ago, Nightowl said:

It is a trojan horse , it is disguised as a normal PDF and contains a link to the malware/threat.

image.png.ffcfeb5ddacc0f5e13b7148e61922dd0.png

https://www.eset.com/int/trojan-horse/

Anyway , A malicious PDF naming or a Trojan Horse , all roads lead to Rome , ESET has protected you from that threat.

Yeah this. By saying as you say, not a virus, it would probably cause more confusion I.e. is it a virus, what is it etc.

Basically it was a file that only had malicious purposes. You said rightly anything can be abused and used maliciously but this file had no other purpose and so it makes sense to flag it as malware.

Most users will also not research. If they see something is a virus they will make sure its gone and leave it at that 

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...