Trojan Horse and Virus: 1 … Eclipse: 0 …
Yesterday, one of the guys from the LAN admin team and I worked on a weird issue on the laptop of another VIP in our company (yes, it does sound like my company has tons of them … more on that in Addendum #2 at the bottom). Basically, we were beating our heads against the very sharp corner of that VIP’s desk trying to figure out why Lotus Notes R8.5.1 Standard wouldn’t start.
The “symptoms” were very simple: we’d click on the icon to start Lotus Notes R8.5.1, the splash screen would appear, the progress bar would then show up in the upper right corner [of the splash screen] … and, then, everything would stop right there. Nothing else would happen. No disk activity either. No task going nuts in the Task Manager. Nothing at all except dead silence.
What Did We Try Before Figuring It Out?
Before we figured out what was causing the issue (i.e. a combo of trojan horse and virus), we tried all the usual stuff in the book …
- Run NSD to get more info and open a PMR with Lotus Support.
- Run the ISA collector (startcollector.bat) somewhere in the Framework folder and add it to the PMR.
- Rename the “\Data\Workspace” folder to create a fresh one on the next start up.
- Rename the bookmark.nsf database … just in case we are dealing with some weird corruption.
- Delete the cache.ndk … because you never know when it helps or not but it feels good to delete something anyway.
- Rename the “\Notes\Framework” folder and then copy the Framework folder from another *working* machine with the same version (FP1 was also installed on that machine, so we made sure to pick the Framework folder from a computer with FP1). This sounds like the Eclipse equivalent of a brain transplant, if you ask me.
- Copy the notes.ini to another location and remove all the lines (except the first two lines) … but that didn’t fix it either, so we put it back the way it was.
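For anyone who has to walk through the same client-side reset steps on more than one machine, here is an added PowerShell script that automates the rename/delete items from the list above (it is not from the original post and not an IBM/Lotus tool). It keeps a timestamped backup of everything it touches so each step can be undone. The install paths, the process names and the assumption that the first two lines of notes.ini are the header and the Directory= line are all assumptions about a typical single-user R8.5.1 install; adjust them for your machines.

```powershell
# Added example, not code from the original post. Resets the Eclipse-side client
# state of a Lotus Notes 8.5.x single-user install, keeping backups of every item.
param(
    # Assumed default single-user install locations; change for multi-user installs.
    [string]$NotesDir = 'C:\Program Files\IBM\Lotus\Notes',
    [string]$DataDir  = 'C:\Program Files\IBM\Lotus\Notes\Data'
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Rename an item to <name>.<timestamp>.bak instead of deleting it, so the
# "fresh copy on next start up" steps stay reversible.
function Backup-Item {
    param([string]$Path)
    if (Test-Path $Path) {
        $newName = (Split-Path -Leaf $Path) + ".$stamp.bak"
        Rename-Item -Path $Path -NewName $newName
        Write-Host "renamed $Path -> $newName"
    } else {
        Write-Host "skipped (not present): $Path"
    }
}

# Notes must not be running or the renames fail with sharing violations.
# Process names are an assumption for the 8.5.x client.
Get-Process -Name notes, nlnotes, ntaskldr, nsd -ErrorAction SilentlyContinue |
    Stop-Process -Force

Backup-Item (Join-Path $DataDir 'workspace')     # fresh Eclipse workspace next start
Backup-Item (Join-Path $DataDir 'bookmark.nsf')  # rebuilt from the desktop next start
Backup-Item (Join-Path $DataDir 'cache.ndk')     # design cache, safe to discard

# Strip notes.ini down to its first two lines, working from a backup copy so
# the original can be put back (as the post ended up doing).
$ini = Join-Path $NotesDir 'notes.ini'
if (Test-Path $ini) {
    Copy-Item -Path $ini -Destination "$ini.$stamp.bak"
    $lines = Get-Content -Path $ini
    # Assumption: line 1 is "[Notes]" and line 2 is "Directory=..."; keep only those.
    $lines[0..1] | Set-Content -Path $ini
    Write-Host "notes.ini reduced to its first two lines; backup at $ini.$stamp.bak"
}
```

Run it from an elevated PowerShell prompt on the affected machine, then start Notes. If the client still hangs at the splash screen after a reset like this, the problem is outside the Notes client data, which is exactly what the rest of this story shows.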
Oddly enough … R8.5.1 Basic Works!
While Lotus Support was going over the gazillion files I had sent them, the rep asked “Did you try to launch it in Basic mode?”. The answer was “No … let me try”. So, to our amazement, Notes R8.5.1 started up in Basic Mode! The VIP was happy for a few moments … until it dawned on him that he was looking at an R7ish interface. On my side, I was shocked and surprised (to say the least).
So after this, I knew I was dealing with something really weird in Eclipse (but I didn’t know yet it was a combo of trojan horse + virus).
In The Meantime …
That was yesterday. Lotus Support is still looking at the files I uploaded to them and I haven’t heard anything about it … however, the VIP did call back the LAN admin guy and asked him for help with *other* issues he had … with Internet Explorer.
CSI 101 … or The Clues Will [Usually] Lead Back To The Killer …
So, the LAN admin went back to the desk of the VIP to help him out. Once he got there, the VIP explained that some websites weren’t loading properly and others would simply not display properly. The LAN admin did a few checks and noticed that the VIP had about 5 different Internet Explorer toolbars installed. Knowing that having 5 different toolbars installed is the computing equivalent of begging for trouble, he proceeded to remove them all. That didn’t resolve everything, however.
Then he had a flash of genius and ran a scan using the “Malwarebytes’ Anti-Malware” software. And to his surprise (and mild horror), the computer of the VIP pretty much had the whole gamut of bad things that a computer can get: memory modules infected, registry values infected, registry data infected and files infected. Oddly enough, Symantec Antivirus on that machine was in a Buddhist Zen-like state (or high as a kite on whatever computers get high on) and wasn’t reporting anything bad. Here’s a small example from the Malwarebytes’ Anti-Malware log:
Removing the Malware fixed it!
Yep, once the viruses and trojan horses were removed from the system, Lotus Notes R8.5.1 worked like a charm! One happy VIP … for today anyway (you know how it goes … hero one day, zero the next).
Conclusion?
The Eclipse based interface has allowed the team at Lotus to extend Notes in so many ways that the community is still discovering new things to do with it each and every day. And we all love it for that. However, back in the “Pre-Eclipse” days (I refer to them as the “R7 days”), the worst I had seen with viruses and trojan horses affecting Lotus Notes was the good ol’ “The TCPIP Stack has run out of memory” (which was a clear indication you had a virus). They were rare, but I saw one of those almost once per year. So whatever this trojan horse and/or virus was doing on this system, it was doing something that Eclipse (or parts of Eclipse) really didn’t like at all (maybe like blocking certain ports or using them … I have no idea).
So, to me at least, it appears that the Eclipse based framework on top of which our beloved groupware solution (client side, anyway) is now based can be both a blessing, because of all the good things that it allows us to do, and a curse, because it introduced a new point of failure and “vector of attack” for viruses. Am I right? Am I wrong? Heck, I hope I’m really really really wrong.
Thanks for reading!
Marc
Addendum #1 – Aftermath
I asked the antivirus team in our company to check why Symantec Antivirus for Windows had not detected the virus and prevented it … I haven’t heard back from that team. Needless to say, the VIP has learned his lesson and will not be installing new toolbars when he gets prompted for that (even if it looks really cool and awesome). Anyway, he’s been reduced from “Administrator” to “Power User” on his machine (he had Admin before for a reason which is beyond me and completely beyond my control).
Addendum #2 - Why VIPs?
Lotus Notes R8.5.1 is pretty … and we started by upgrading just a few VIPs in our company. But, usually, after any of the other VIPs sees how nice and beautiful the new interface is, they want it. And they want it now too! So, thanks to Smart Upgrade, it’s spreading slowly but surely from the top of the pyramid down to the bottom.