Avast found  JS:LockyDownloader [Trj] in old Thunderbird Email

system · 2017-08-18T23:23:47.000Z

Last night Avast alerted to two Threats Blocked from old Thunderbird emails. One email was from 2012, the other from 2016.

Both were quarantined, and when I looked in the Virus Chest they were Win32:PUP-gen [PUP]…and JS:LockyDownloader [Trj]
Avast Threat Blocked notifications were about 4 minutes apart, so as I was reacting to the first…the second one came in.

On another computer in the same room, I googled the two malware names, and saw from a post on this forum that JS:LockyDownloader [Trj] is possibly a Ransomware file.
https://forum.avast.com/index.php?topic=188378.msg1324609#msg1324609

At this point I ran Malwarebytes in safe mode, and it quickly found and quarantined JS:LockyDownloader [Trj] …even though Avast indicated it was already blocked and quarantined.
I’m a bit trigger happy when it comes to ransomware (our home office files are on a My Cloud NAS) so rather than take chances with a ransomeware infection on my local HD, I just restored a Clonezilla Image of said local HD, since all my data is stored and backed up elsewhere.

That went well, and subsequent Malwarebytes and Avast boot time scans showed all of our other computers to free of either of the malware files.

So here is my question to forum members:

This entire event started when I was using Thunderbird, and in the process of writing an email. (never completed or sent)
Thunderbird suddenly locked up, all the emails in the inbox disappeared, slowly, from top to bottom, leaving a blank Thunderbird page/screen.
After a few seconds, the inbox seemed to re-populate, and all the inbox emails came back…but in reverse sort order. (oldest first, newest last)
That is when Avast alerted to the two “Threats Blocked”.

Has anyone seen Avast exhibit this sort of behavior with an email app?
It seemed to suddenly take over Thunderbird, and find “Threats” that were years old…
Any thoughts as to whether JS:LockyDownloader [Trj] is a false positive, or actual ransomware?
Unfortunately, when I restored the Clonezilla Image, it of course overwrote all data on the HD, so I cannot submit the Virus Chest JS:LockyDownloader [Trj] info to Avast.

I will cross post this post to a Thunderbird forum as well.

My System:
Windows 7 Professional, 64 bit, Service Pack 1
Avast Free AntiVirus, v 17.5.2303
Firefox 47.0.1
Thunderbird: Mozilla Thunderbird, Portable Edition
HP Pavilion p7-1254

Sorry for the long post, and thanks for your time and help

Pondus · 2017-08-19T08:01:33.000Z

1. Has anyone seen Avast exhibit this sort of behavior with an email app? It seemed to suddenly take over Thunderbird, and find "Threats" that were years old...

Avast may not had the signature for the file when you recived that mail

2. Any thoughts as to whether JS:LockyDownloader [Trj] is a false positive, or actual ransomware? Unfortunately, when I restored the Clonezilla Image, it of course overwrote all data on the HD, so I cannot submit the Virus Chest JS:LockyDownloader [Trj] info to Avast.

It is not the ransomware, as the name say it is the file that will download and run the ransomware (LockyDownloader)

Was it a false positive?
Only way to find out is if you have the file and can upload it to virustotal.com or send it to avast lab, if you deleted it then that option is gone

system · 2017-08-21T20:42:25.000Z

Thank you.

Announcements