Trojan:Win32/Casdet!rfn over Zotero

My W10 laptop is infected with "Trojan:Win32/Casdet!rfn", which Windows Defender (WD) detects when I use the version of Zotero installed on the laptop, which also syncs with Zotero in the cloud. I have tried to solve it definitively using WD, the Microsoft Safety Scanner and Malwarebytes Free, and by uninstalling and reinstalling the Zotero "stand alone" on my laptop, but shortly after starting Zotero the Trojan appears again, always in a folder with the same name under the root path /Zotero.
  • That's just some code in a webpage snapshot from a webpage you saved to Zotero. It's not a problem in Zotero itself.

    You can paste the 8-character folder name from 'storage' into the Zotero search bar in All Fields & Tags mode in the library root to find the attachment item in question, delete it, and empty the trash, and then sync. The item will then be deleted from all synced computers.
  • Thanks for the reply. I agree that it is not Zotero's own problem; it is related to its use. I have already tried your proposal and the Trojan reappears, but this comment made me think of another possibility. Regarding the object that serves as a vehicle for the entry of the malware, I have not deleted the container, which does have a link to a website. Tomorrow I will try deleting the entire container. I will do it first in stand-alone with the intention that it spreads through the rest of the systems. I'll let you know how it goes.
  • I have removed the container and the infected file does not appear again at the moment (the link is to a US government website). In any case, I will wait a couple of days to confirm the final resolution. Thanks a lot.
  • When did you save the attachment? I wouldn't expect this to happen with snapshots saved in the last six months or so, since we switched to a new method of saving snapshots that removes all JavaScript code on the page (which is where any malicious code would be).
  • Unfortunately it is. The snapshot date is March 2021. The website is at this root: www.dni.gob/
  • Is that the full URL in question? If not, can you share the full URL, or email it to support@zotero.org with a link to this thread?
  • Thanks. I just sent an email to support with the additional information.
  • edited June 21, 2021
    According to the information you sent, this isn't about a snapshot at all — it's about a PDF. (I can't comment on the merits of the warning. It might just be a false positive, but that's between you and Windows Defender.)

    Anyway, as I said, you'd want to delete the attachment here, not just the file, and empty the trash after. Otherwise the file would just be downloaded again later when you synced, which is what you're seeing in the screenshots you sent.
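
An added example, not part of the thread and not Zotero's code: a small Python helper that pulls the 8-character `storage` folder name out of the paths a scanner reports and then inventories what is currently on disk for each one, so you can tell whether a sync has downloaded the file again. The function names, the sample paths and the key pattern (8 characters of A-Z and 0-9) are assumptions made for the illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumption: attachment folders are 8 characters of A-Z / 0-9 directly under "storage".
KEY_RE = re.compile(r"^[A-Z0-9]{8}$")


def storage_keys(detected_paths):
    """Return the storage folder names, in first-seen order, found in scanner paths."""
    keys = []
    for raw in detected_paths:
        parts = re.split(r"[\\/]", raw)  # accept Windows and POSIX separators
        for parent, child in zip(parts, parts[1:]):
            if parent.lower() == "storage" and KEY_RE.match(child) and child not in keys:
                keys.append(child)
    return keys


def inventory(data_dir, keys):
    """Map each key to [(file name, size, sha256)] for the files now on disk."""
    report = {}
    for key in keys:
        folder = Path(data_dir) / "storage" / key
        files = sorted(p for p in folder.glob("*") if p.is_file()) if folder.is_dir() else []
        report[key] = [
            (p.name, p.stat().st_size, hashlib.sha256(p.read_bytes()).hexdigest())
            for p in files
        ]
    return report


if __name__ == "__main__":
    # Constructed sample: a throwaway data directory and made-up detection paths.
    with tempfile.TemporaryDirectory() as data_dir:
        folder = Path(data_dir) / "storage" / "ABCD2345"
        folder.mkdir(parents=True)
        (folder / "report.pdf").write_bytes(b"constructed sample, not a real PDF")
        detections = [
            r"C:\Users\me\Zotero\storage\ABCD2345\report.pdf",
            "C:/Users/me/Zotero/storage/ABCD2345/report.pdf",
        ]
        for key, files in inventory(data_dir, storage_keys(detections)).items():
            # A non-empty list after a sync means the attachment item still exists.
            print(key, files or "folder absent")
```

The key it prints is what you paste into the Zotero search bar; an empty list that stays empty after the next sync confirms the attachment item, and not just the file, was deleted.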