Swiftfile Plus Anti-Virus: A Nearly Untraceable Problem

Late last night I suddenly started getting warning dialogs from Norton Anti-Virus, each one telling me that a copy of MyDoom.m@mm had been detected and deleted. Now, due to the small size of the dialog and the long length of typical pathnames on a modern Windows system, the full path of the deleted file was not visible, and since I was doing nothing on my computer that should have been causing files to be saved to disk at the time, I assumed that a trojan horse had somehow been installed and activated. I didn't see anything suspicious in the task list, but better safe than sorry, so I immediately updated my virus definitions, downloaded a removal tool for MyDoom, then rebooted into safe mode and ran the tool first, and then a full virus scan. Both the removal tool and the full scan came up clean.

I rebooted again, and shortly afterward the warning dialogs started coming up again. I realized at this point that I was not infected with MyDoom, but by all appearances something was trying very hard to infect me, and whatever the attack vector was, it was not known to the current NAV virus definitions. I started researching MyDoom to learn about how it spread, and I started manually searching for filenames, registry keys and other indicators, but also came up empty. I checked the open TCP/IP ports via netstat -a but didn't find anything suspicious. I re-checked the task manager, enabling the columns that display disk i/o, and watched, but didn't see anything suspicious.

Somewhere along the line, I shut down the Notes client, and the warning dialogs stopped. I restarted Notes, and they restarted... without my doing anything at all in the client! At this point, I also managed to finally track down the location where the files were being saved. It was in C:\Documents and Settings\Richard Schwartz\Local Settings\Temp\notes21B137.
Although I have no idea what directories with that particular naming convention are used for, that at least confirmed that Notes was involved somehow. Well, we all know that there's no such thing as an email-borne virus that is activated simply by opening your mail client, and I have no rules or agents configured to run locally, but at this point I'd ruled out a lot of ordinary things, so I expected that I might be facing something extraordinary. I went to sleep figuring that I'd refresh my virus definitions in the morning, do another full sweep, and if it came up empty I figured I'd be on the phone with Symantec for a good part of the day.

Come morning, and not looking forward to the prospect of getting onto the phone with Symantec, I decided to at least try and see which of the Notes client tasks was apparently doing the i/o operations that were detaching the file. After about five minutes of staring at the task manager, I determined that the only task doing any significant disk i/o was swiftsrv.exe. Now it began to make sense. Perhaps an hour before the warning messages started appearing, I had cleaned out my inbox. I do that by going through it and filing messages in the appropriate folders, and then the final step is to take all the unfiled messages and move them to the "Miscellaneous" folder. An infected email message must have gone unnoticed. In the Inbox it was innocuous enough, but once it was moved to a folder Swiftfile wanted to look at it so it could improve its classification database. Of course, NAV was deleting the file as soon as it was created, causing Swiftfile to fail. The final piece of the puzzle: Swiftfile was restarting after the failure, trying to process the same message. Sure enough, in the Notes log, I found the following:

09/22/2004 09:52:03 AM SwiftFile: CN=xxxxxxxx/O=yyyy/C=US MAIL\abcdefgh.nsf ERROR: Could not process folders. Error text: File does not exist
I disabled Swiftfile. It required a reboot to convince it not to restart itself when I restarted the Notes client, but I got the warning messages to stop. Then I went through my Miscellaneous folder looking for the infected message, which I finally found.

A couple of lessons here. First, desktop anti-virus protection kept me safe, but it didn't make it easy to track the source of infection. Even in the case of a very small business, an anti-virus solution integrated with the mail server is a must. I'm putting it on my list. Second, Swiftfile did nothing to make it easy to track down the problem either. It ran silently in background, never alerting me to the fact that it was encountering a repeated problem. Even the log entry is insufficient, because it doesn't identify the message that caused the problem. It doesn't even identify the folder.
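The silent retry loop described above is exactly the kind of thing a log monitor can surface even when the product itself never raises an alert. The following is an added example, not code from the post or from Lotus/IBM: it parses Notes log lines in the format of the single SwiftFile entry quoted above and flags any identical SwiftFile error that repeats several times within a short window. The sample log excerpt is constructed for this example (the timestamps, the repetition and the non-SwiftFile filler line are made up), and the threshold of three repeats in five minutes is an assumption, not a documented Swiftfile value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample excerpt. Only the shape of the SwiftFile ERROR line is
# taken from the post; the repeated timestamps, the second user, and the
# filler line are invented for this example.
SAMPLE_LOG = """\
09/22/2004 09:51:40 AM Constructed filler line, not a real Notes message
09/22/2004 09:52:03 AM SwiftFile: CN=xxxxxxxx/O=yyyy/C=US MAIL\\abcdefgh.nsf ERROR: Could not process folders. Error text: File does not exist
09/22/2004 09:52:09 AM SwiftFile: CN=xxxxxxxx/O=yyyy/C=US MAIL\\abcdefgh.nsf ERROR: Could not process folders. Error text: File does not exist
09/22/2004 09:52:15 AM SwiftFile: CN=xxxxxxxx/O=yyyy/C=US MAIL\\abcdefgh.nsf ERROR: Could not process folders. Error text: File does not exist
09/22/2004 09:52:21 AM SwiftFile: CN=xxxxxxxx/O=yyyy/C=US MAIL\\abcdefgh.nsf ERROR: Could not process folders. Error text: File does not exist
09/22/2004 09:58:44 AM SwiftFile: CN=zzzzzzzz/O=yyyy/C=US MAIL\\ijklmnop.nsf ERROR: Could not process folders. Error text: File does not exist
09/22/2004 10:05:00 AM SwiftFile: CN=xxxxxxxx/O=yyyy/C=US MAIL\\abcdefgh.nsf ERROR: Could not process folders. Error text: File does not exist
"""

# Timestamp, then "SwiftFile:", the user's distinguished name, the mail
# database path, "ERROR:" and the free-text message. Neither the DN nor the
# path contains spaces in the quoted line, so \S+ is enough for both.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) "
    r"SwiftFile: (?P<user>\S+) (?P<db>\S+) ERROR: (?P<msg>.*)$"
)
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def parse_swiftfile_errors(text):
    """Yield (timestamp, user, db, message) for each SwiftFile ERROR line;
    every other line is ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FORMAT), m["user"], m["db"], m["msg"]


def find_retry_loops(text, min_repeats=3, window=timedelta(minutes=5)):
    """Return one tuple (user, db, message, count, first_ts, last_ts) for each
    identical error that occurs at least min_repeats times inside a sliding
    window of the given length. Stragglers outside the window (like the
    10:05 entry in the sample) are not counted toward the burst."""
    by_key = defaultdict(list)
    for ts, user, db, msg in parse_swiftfile_errors(text):
        by_key[(user, db, msg)].append(ts)

    loops = []
    for key, stamps in by_key.items():
        stamps.sort()
        best = (0, None, None)  # (count, first, last) of the densest burst
        j = 0
        for i, ts in enumerate(stamps):
            while ts - stamps[j] > window:  # slide the left edge forward
                j += 1
            count = i - j + 1
            if count > best[0]:
                best = (count, stamps[j], ts)
        if best[0] >= min_repeats:
            loops.append(key + best)
    return loops


if __name__ == "__main__":
    for user, db, msg, count, first, last in find_retry_loops(SAMPLE_LOG):
        print(f"{user} {db}: {count} identical failures between "
              f"{first:%H:%M:%S} and {last:%H:%M:%S}: {msg}")
```

Because the log line names neither the folder nor the message, the alert can only point at the user and database, which is precisely the gap the post complains about; the value of the monitor is that it turns a silent retry loop into a single visible event instead of a stream of anti-virus dialogs.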