BlackBerry Forums Support Community               

08-09-2010, 04:06 PM  #1  New Member

Trojan file detected

Newbie question: We got our new BES server up and running about 8 weeks ago and everything has been going along fine. However, I just got an alert from our AV software indicating that a Trojan was found in the AppData\Local\Temp\1F242612\ folder of the besadmin user.

Newbie part: How can something get there, as we don't surf from the machine at all, ever?

As this is the BES admin account, is this somehow related to some file a user is sending or receiving? If so, is there a log file somewhere that would tell me what user this was associated with?

Any help for the unknowing would be much appreciated.

Thanks
08-09-2010, 06:59 PM  #2  Dubdub (Appleinator)

Moved to a more appropriate section.
08-10-2010, 05:28 AM  #3  BlackBerry Extraordinaire

Quote:
As this is the BES admin account, is this somehow related to some file a user is sending or receiving?
No, file attachments are not saved in besadmin's temp folder. But if you install software on the BES server whilst logged in as besadmin, things can be saved in the Temp folder.

What is the file name of the dangerous file?
08-10-2010, 08:27 AM  #4  New Member

The file was:
\AppData\Local\Temp\1F24261\tax_statement.exe

Actual threat name: PWS-Zbot.gen.ab

How can this file have gotten on this machine when no surfing could have been done? Being an AppData folder, wouldn't a locally installed program have had to put it there?

Thanks for your help!
08-10-2010, 09:27 AM  #5  BlackBerry Extraordinaire

Do you have a mail client installed on that server? Normally, if you open an attachment in a mail, it gets saved to the temp folder.

Also, have a look at the besadmin mailbox to see if there are any mails with attachments in there.

In your e-mail environment, do you exclude some file extensions, like .exe? You should consider that.
08-10-2010, 09:32 AM  #6  New Member

Hello, no, there is no e-mail client installed, nor do we surf from this machine at all. And yes, .exe files get blocked at the firewall level and in Outlook in general. No one could e-mail any form of executable into our building.

I'm at a loss for how an executable got into the AppData folder!

Thanks
08-10-2010, 09:45 AM  #7  BlackBerry Extraordinaire

It is not your "AppData" folder. It is the Temp folder that happens to be a sub-folder of AppData. Any temporary files for that user go in there. If you open a cmd box and type

set

You will see something like

TEMP=C:\Users\username\AppData\Local\Temp

So the besadmin user must have loaded something from maybe a USB stick or internal network folder or CD that has put that file there.

I would definitely do an AV scan of the whole machine just to be sure nothing else is there. I would also do an anti-malware scan of the files and the registry.
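A defender-side triage script, added here and not posted by anyone in the thread, that does what post #7 suggests more systematically: it walks every profile's AppData\Local\Temp (the folder the TEMP variable points at) for executables and reports timestamps, NTFS owner, SHA-256 and the Zone.Identifier mark-of-the-web, which records whether a file was saved from the Internet or intranet zone or has no download marking at all. It assumes PowerShell 4.0 or later and administrator rights to read other users' profiles.

```powershell
# Added triage helper (not from the thread). For every profile under C:\Users,
# list executables in AppData\Local\Temp with the facts needed to answer
# "how did this get here?": timestamps, owner, SHA-256, and the Zone.Identifier
# alternate data stream (mark-of-the-web) if one exists.
# Assumes PowerShell 4.0+ (Get-FileHash, -File, -Stream) and local admin rights.

$ZoneNames = @{ 0 = 'LocalMachine'; 1 = 'LocalIntranet'; 2 = 'TrustedSites'
                3 = 'Internet';     4 = 'RestrictedSites' }

function Get-TempExecutables {
    param(
        [string]   $ProfileRoot = (Join-Path $env:SystemDrive 'Users'),
        [string[]] $Extensions  = @('*.exe', '*.dll', '*.scr', '*.com', '*.bat')
    )
    Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $user = $_.Name
        $temp = Join-Path $_.FullName 'AppData\Local\Temp'
        if (-not (Test-Path $temp)) { return }

        Get-ChildItem -Path $temp -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Browsers and mail clients write ZoneId (newer Windows also ReferrerUrl/HostUrl)
            # when saving from the Internet/intranet zone. No stream at all is consistent
            # with a local installer, USB stick or CD origin, which is what post #7 suspects.
            $zone = $null; $referrer = $null
            try {
                foreach ($line in (Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction Stop)) {
                    if ($line -match '^ZoneId=(\d+)')               { $zone     = [int]$Matches[1] }
                    if ($line -match '^(ReferrerUrl|HostUrl)=(.+)') { $referrer = $Matches[2] }
                }
            } catch { }   # no Zone.Identifier stream on this file
            $zoneName = if ($null -ne $zone) { $ZoneNames[$zone] } else { 'no mark-of-the-web' }

            [pscustomobject]@{
                User     = $user
                Path     = $_.FullName
                Created  = $_.CreationTime
                Modified = $_.LastWriteTime
                SizeKB   = [math]::Round($_.Length / 1KB, 1)
                Owner    = (Get-Acl -Path $_.FullName).Owner
                Zone     = $zoneName
                Referrer = $referrer
                SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

# Newest first: compare Created with the AV alert time and with besadmin logon and
# software-install times to narrow down what dropped the file.
Get-TempExecutables | Sort-Object Created -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the BES server; the SHA256 column lets you look the file up against your AV vendor's detection without copying the sample off the box.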
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.