
Question re: Trojan-Dropper.Win32.Dapato.dhhv

ringtail

Golden Member
Mar 10, 2012
1,030
34
91
environment: Win7 64 Pro SP1

a) Email from bank had attached "Important doc"
b) I (stupidly) opened the attached file (should've remembered the fact that no bank would ever send such an email)
c) It launched
Trojan program WF_Docs_121113.ex Trojan-Dropper.Win32.Dapato.dhhv
d) Within maybe one second, Kaspersky Internet Security alarmed, blocked, and helped me delete that.

QUESTION: That trojan plants a backdoor. Did deleting the trojan file take care of any backdoor too? Or could any backdoor it planted still be operational even now that the trojan file itself is deleted?

(Note: virus scans detect no problem, but I still wonder if maybe something's lurking undetected)
 

Savatar

Senior member
Apr 21, 2009
230
1
76
I would say no. Since Kaspersky detected the dropper, it is _very_ unlikely that it was able to do anything else (droppers need to be able to execute in order to download or create other files - and your A/V seems to have blocked it from executing).

However, second opinions never hurt - maybe run a free scanner like HouseCall from Trend Micro as a precaution, and double check to ensure Windows and Office are up to date as well.

When something like this happens, I usually just re-image the system from a backup or reinstall as well... just to be sure (but that is overkill). :)
 

Binky

Diamond Member
Oct 9, 1999
4,046
4
81
Did you run any scans after Kaspersky found it? When that happens, I generally get a little paranoid (not full format paranoid) and run a full virus scan, then a full Malwarebytes scan, then a full Malwarebytes anti-rootkit scan.
 

ringtail

Golden Member
Mar 10, 2012
1,030
34
91
Savatar & Binky.

Thank you both for answering.
Since the event, I've:
a) run several Kaspersky scans - no problem found.
b) ran the ESET online scan - no problem found.
c) there are a few web sites explaining what the dropper installs into registry keys and Apps Data, and I did not find any of them in my computer.

However, all the available info is for variants of "Trojan-Dropper.Win32.Dapato" that end in different suffixes, not the suffix ".dhhv" that I had. Do you think any secret backdoor files installed by the ".dhhv" variant would be different than the ones explained by those web sites?

 

Savatar

Senior member
Apr 21, 2009
230
1
76
However, all the available info is for variants of "Trojan-Dropper.Win32.Dapato" that end in different suffixes, not the suffix ".dhhv" that I had. Do you think any secret backdoor files installed by the ".dhhv" variant would be different than the ones explained by those web sites?

Usually antivirus companies name their variants all sorts of weird and crazy things... there's not really any standard between companies in the community, so it's very hard to tell if that variant is really significantly different from what you've read about. However, I would say it's most likely pretty similar. To modify registry settings or do anything, the program would also have had to load into memory and run first - so if your A/V actually detected it on-access properly, then you should be safe... that prevents it from ever executing any code.

If it was a detection after the fact with something like MalwareBytes or a full system A/V scan, then cleanup becomes a bigger issue... because most A/Vs that have high detection rates may not have high cleanup rates. But that doesn't sound like the issue here.

Still... if you find yourself still worried about something, or if you use your system for highly classified activities, it won't hurt to re-image, just a time investment.
 

Binky

Diamond Member
Oct 9, 1999
4,046
4
81
In my experience, Malwarebytes still finds things that multiple virus scans don't find. I run the free version of Malwarebytes on every system (and pro on a few too).
 

zCypher

Diamond Member
Aug 18, 2002
6,115
171
116
In my experience, Malwarebytes still finds things that multiple virus scans don't find. I run the free version of Malwarebytes on every system (and pro on a few too).
Yup. Malwarebytes looks for all manner of malware/spyware that isn't necessarily considered to be a "virus", but could still be something you want to be free of. It's a great free tool that I've used for a long time too.

I haven't encountered too many virus issues personally, I practice safe browsing habits, keep multiple encrypted copies of any important stuff in different drives in case of disaster and don't keep anything too critical on the boot/OS drive. If I have any doubts, I just wipe the partition and start fresh, hardly takes any time nowadays with Win8 and SSD and majority of stuff stored on a separate drive.