Author Topic: Question about "OLE:RemoteTemplateInj [Trj]"  (Read 4013 times)


Offline guitarhero

  • Newbie
  • *
  • Posts: 16
Question about "OLE:RemoteTemplateInj [Trj]"
« on: March 20, 2022, 03:48:16 PM »
Hi,

I'm a longtime avast user, I recently ran a scan and I was surprised to find that my computer was infected with something called OLE:RemoteTemplateInj [Trj]. I quarantined it and just to be safe I changed my passwords. No other files on my computer were infected with anything.

There are a few odd things about this though: the infected file avast quarantined is a powerpoint file and it is not new (it's about 6 years old). I've run a lot of avast scans since then and it's never found this file before and said it's malware. Also, I ran a scan with malwarebytes right before the avast scan and it said that there were 0 infected files on my computer. Could this be a false positive?

I was also wondering what the OLE:RemoteTemplateInj [Trj] basically was, could it only harm my computer if the file was opened by me?


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Question about "OLE:RemoteTemplateInj [Trj]"
« Reply #1 on: March 20, 2022, 04:10:42 PM »
Haven't we been there before but then with an AVG inheritance:
https://support.avg.com/answers?id=9060N000000Ph8mQAC

Just wait for a reply from avast team whether this is a genuine detection or a so-called false positive find.
It is only avast team that can come up with a decisive answer here.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - German-language section  <<<
Re: Question about "OLE:RemoteTemplateInj [Trj]"
« Reply #2 on: March 20, 2022, 04:22:02 PM »
Test the file at VT (https://www.virustotal.com) and post the link to the result here.
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast useful information (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not an avast user
Re: Question about "OLE:RemoteTemplateInj [Trj]"
« Reply #3 on: March 20, 2022, 04:57:27 PM »
Quote
I was also wondering what the OLE:RemoteTemplateInj [Trj] basically was, could it only harm my computer if the file was opened by me?
https://blog.sunggwanchoi.com/remote-template-injection/



Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89023
  • No support PMs thanks
Re: Question about "OLE:RemoteTemplateInj [Trj]"
« Reply #4 on: March 20, 2022, 05:36:07 PM »
Quote
Haven't we been there before but then with an AVG inheritance:
https://support.avg.com/answers?id=9060N000000Ph8mQAC

Just wait for a reply from avast team whether this is a genuine detection or a so-called false positive find.
It is only avast team that can come up with a decisive answer here.

polonus

That is a very old topic March 2018, so 4 years old.

That said, the location C:\Users\L***y\AppData\Local\Temp\_avg_\unp197163290.tmp\4.doc, based on the location and filename \unp197163290.tmp, this appears to be where temp downloaded files are scanned (same as in Avast).

This area however, is generally cleared after scans are completed successfully (see attached image), so other than the malware name, that may be the only coincidence.

@ guitarhero, we need a location of where this detection was made and the file name otherwise we are just guessing.
As for the malware name, just working from general computing knowledge, OLE (Object Linking and Embedding) would generally be found in the likes of a Word (or similar) Office type Document, to insert something into that document via the Remote Template Injection.
So something could be remotely embedded in the file/document.  What that might be I have no idea.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline guitarhero

  • Newbie
  • *
  • Posts: 16
Re: Question about "OLE:RemoteTemplateInj [Trj]"
« Reply #5 on: March 20, 2022, 06:07:03 PM »
Thanks,

The file was located in my separate D: drive, which is not my main system (C: Windows) drive. I use the D: drive mainly for saving Microsoft Office documents, music and videos, so all the subfolders are created by me.
« Last Edit: March 20, 2022, 07:45:26 PM by guitarhero »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89023
  • No support PMs thanks
Re: Question about "OLE:RemoteTemplateInj [Trj]"
« Reply #6 on: March 20, 2022, 07:38:39 PM »
You're welcome.

What caused the avast alert?
e.g. were you running a scan of this separate D: Drive or were you running MS Office or opening that file?

Is the .pptx a power point file (and had you just opened that)?

If it is in quarantine (virus chest), then you can open the quarantine and upload it to Avast for analysis.  See attached image.


Offline guitarhero

  • Newbie
  • *
  • Posts: 16
Re: Question about "OLE:RemoteTemplateInj [Trj]"
« Reply #7 on: March 20, 2022, 07:57:41 PM »
It's a regular powerpoint file.

I was just running an Avast Full Virus Scan. I tend to change some things around in settings like the sensitivity to make the scans more powerful (I guess). I also changed the scan so it scans all hard disks (both my C: and D: drive).

I never opened the file, I probably haven't opened this file in years (maybe close to 5 years).

I don't really need the file, so I guess I'm just wondering if I can just delete the file from quarantine and move on safe and sound or if I need to worry about anything else (I ran an Avast Full Virus Scan and Boot Time Scan afterwards and they showed up clean).

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89023
  • No support PMs thanks
Re: Question about "OLE:RemoteTemplateInj [Trj]"
« Reply #8 on: March 20, 2022, 08:59:43 PM »
A very long time ago I had old versions of MS Office executables get pinged as they weren't digitally signed.  These aren't the same as they aren't executable files so wouldn't be digitally signed.

Personally I don't run on-demand scans (outside of answering issues raised in the forums), with an on-access (resident) antivirus they are much deprecated.  If you create/download/run/open/modify an executable file it will be scanned by the appropriate avast shield.  So for the most part files that are scanned in an on-demand scan would mostly be dormant.

Detection information is passed to avast, so that could have resulted in a change in the virus signatures, but that is beyond my knowledge as an Avast User not team member.

If the file is in quarantine then it is a) encrypted and b) the file name is also changed.  This prevents files in quarantine being recovered (unless restored from within quarantine) and obviously prevents them being scanned for outside quarantine.  So essentially no hits in your subsequent scans. If you extracted it from quarantine it would be rescanned (and may or may not alert) provided you didn't restore and add exception.

Offline guitarhero

  • Newbie
  • *
  • Posts: 16
Re: Question about "OLE:RemoteTemplateInj [Trj]"
« Reply #9 on: March 21, 2022, 08:09:18 PM »

Quote
As for the malware name, just working from general computing knowledge, OLE (Object Linking and Embedding) would generally be found in the likes of a Word (or similar) Office type Document, to insert something into that document via the Remote Template Injection.
So something could be remotely embedded in the file/document.  What that might be I have no idea.


I was wondering, I never opened the powerpoint file (recently, anyways). Can a file infected with a Remote Template Injection affect a computer if the file hasn't been executed?

The reason I ask is because I have a backup external USB drive with my files on it, including a copy of this powerpoint. The only way I know of to get rid of the file would be to plug it into my computer (which would risk re-infecting my computer) and re-scan and delete the file. Of course, I would have to re-scan my computer too and so on...

However, if I only have to worry about the file when it's executed, I can just format the drive and move on.

 

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not an avast user
Re: Question about "OLE:RemoteTemplateInj [Trj]"
« Reply #10 on: March 21, 2022, 09:28:42 PM »
Did you read (click the link) in my post above?



Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89023
  • No support PMs thanks
Re: Question about "OLE:RemoteTemplateInj [Trj]"
« Reply #11 on: March 21, 2022, 09:38:43 PM »

Quote
As for the malware name, just working from general computing knowledge, OLE (Object Linking and Embedding) would generally be found in the likes of a Word (or similar) Office type Document, to insert something into that document via the Remote Template Injection.
So something could be remotely embedded in the file/document.  What that might be I have no idea.


I was wondering, I never opened the powerpoint file (recently, anyways). Can a file infected with a Remote Template Injection affect a computer if the file hasn't been executed?

The reason I ask is because I have a backup external USB drive with my files on it, including a copy of this powerpoint. The only way I know of to get rid of the file would be to plug it into my computer (which would risk re-infecting my computer) and re-scan and delete the file. Of course, I would have to re-scan my computer too and so on...

However, if I only have to worry about the file when it's executed, I can just format the drive and move on.

1.  That would be speculation, but it is possible or it could be a false positive, that is why I suggested you send it to Avast for Analysis and really is the first step you should take.

2.  Plugging in your external USB drive doesn't present an immediate risk (as the files on it aren't active).  Even rescanning the file wouldn't put you at risk, even if it were considered infected.

3.  No need to format the drive, the option is there to delete just the file.  Before going down any format/delete action, confirmation is the name of the game.

4.  If you actually created this then the risk is much less and may be more likely to be a false positive and why you should send for analysis.

Offline guitarhero

  • Newbie
  • *
  • Posts: 16
Re: Question about "OLE:RemoteTemplateInj [Trj]"
« Reply #12 on: March 21, 2022, 10:42:23 PM »
Quote
Did you read (click the link) in my post above?


Yes, I did, but I have to admit that quite a bit of it went over my head. Admittedly, I'm not the most knowledgeable on these kinds of things so I figured I'd ask for clarification.


Quote
1.  That would be speculation, but it is possible or it could be a false positive, that is why I suggested you send it to Avast for Analysis and really is the first step you should take.



Thanks... yeah, I'm a little hesitant to send it for analysis because the file has some personal information. I'm not sure if Avast keeps the file or what is done with it. I'd just like to make sure if I send it for analysis that the information stays as secure as possible.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not an avast user
Re: Question about "OLE:RemoteTemplateInj [Trj]"
« Reply #13 on: March 21, 2022, 11:04:49 PM »
Remote Template Injection

Microsoft Word has a feature where a user can create a document with a template. Whenever a Word document with a template is being written/read, these templates are downloaded/used from the local or remote machine. Thus, the attackers can host a Word Document Template file (.dotm) with malicious macros on their servers. Whenever the victim opens the Word Document, the Document will fetch the malicious template from the attacker's server, and execute it.


The advantage of this technique is that the actual decoy Word document that touches the disk of the victim and is read is not malicious. Thus, the chances of the attachment bypassing Email Gateways and/or host AV/EDR solutions increase compared with the traditional malicious Word Document.


So you have to run the file for it to download the malicious content, and that also may be detected by avast
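The mechanism quoted above leaves a trace inside the file itself: an Office document is a zip package, and a template fetched from another machine shows up as a relationship entry whose target points outside the package. That entry can be listed without opening the document in Office. The script below is an added example, not code from the linked blog, from Avast or from anyone in this thread; it uses only the Python standard library, and the two sample packages it scans are constructed in memory with a placeholder host name. It works for .pptx as well as .docx, since both are OPC zip packages with the same `.rels` relationship parts.

```python
"""Static check for the remote-template mechanism described above: list every
package relationship whose target lies outside the document.  Reads only the
zip container; the document is never opened in Office."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_PREFIX = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = REL_TYPE_PREFIX + "attachedTemplate"
# Hyperlinks are external by design and are not a template vector; skip them.
BENIGN_EXTERNAL = {REL_TYPE_PREFIX + "hyperlink"}


def find_external_relationships(package):
    """package: path to, or bytes of, a .docx/.pptx/.xlsx (all are OPC zips).
    Returns one dict per relationship with TargetMode="External" (plain
    hyperlinks excluded); remote_template is True for an attachedTemplate
    relationship, the hook remote template injection relies on."""
    findings = []
    src = io.BytesIO(package) if isinstance(package, (bytes, bytearray)) else package
    with zipfile.ZipFile(src) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed relationship part: nothing to resolve
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rtype = rel.get("Type", "")
                if rtype in BENIGN_EXTERNAL:
                    continue
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rtype.rsplit("/", 1)[-1],
                    "target": rel.get("Target"),
                    "remote_template": rtype == ATTACHED_TEMPLATE,
                })
    return findings


def _build_sample(settings_rels, document_rels):
    """Constructed, minimal docx-shaped zip for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


EMPTY_RELS = f'<Relationships xmlns="{REL_NS}"/>'
# Ordinary document: one external hyperlink, no attached template.
CLEAN_DOC = _build_sample(
    EMPTY_RELS,
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{REL_TYPE_PREFIX}hyperlink" '
    'Target="https://example.invalid/page" TargetMode="External"/>'
    '</Relationships>')
# Decoy document whose settings part points at a template on a remote host
# (placeholder host name, constructed for the example).
REMOTE_TEMPLATE_DOC = _build_sample(
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    'Target="http://template-host.invalid/normal.dotm" TargetMode="External"/>'
    '</Relationships>',
    EMPTY_RELS)


if __name__ == "__main__":
    import sys
    # Pass a real .docx/.pptx path to scan it; with no argument, scan the samples.
    targets = sys.argv[1:] or [("clean sample", CLEAN_DOC),
                               ("remote-template sample", REMOTE_TEMPLATE_DOC)]
    for item in targets:
        label, pkg = item if isinstance(item, tuple) else (item, item)
        hits = find_external_relationships(pkg)
        print(f"{label}: {len(hits)} external relationship(s)")
        for h in hits:
            flag = "REMOTE TEMPLATE" if h["remote_template"] else h["type"]
            print(f"  [{flag}] {h['part']} {h['id']} -> {h['target']}")
```

Run it against a copy of the quarantined file taken from the external drive (`python check_rels.py copy.pptx`): an empty result means the package carries no relationship pointing off the machine, while an `attachedTemplate` hit shows exactly which host the document would contact when opened. Other external relationship types (embedded objects, linked media) are listed too, since a scanner should see every outbound reference, not only the template one; the script never fetches any of them.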





Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89023
  • No support PMs thanks
Re: Question about "OLE:RemoteTemplateInj [Trj]"
« Reply #14 on: March 21, 2022, 11:39:51 PM »
<snip quote>


Quote
1.  That would be speculation, but it is possible or it could be a false positive, that is why I suggested you send it to Avast for Analysis and really is the first step you should take.



Quote
Thanks... yeah, I'm a little hesitant to send it for analysis because the file has some personal information. I'm not sure if Avast keeps the file or what is done with it. I'd just like to make sure if I send it for analysis that the information stays as secure as possible.

As an Avast User I can't say what is done in the 'virus labs' but I would say that it is pure analysis to determine if the detection was good or a false positive.  I can only assume that the file and its contents would be deleted after analysis, there would be little point in retention of files sent for analysis.

If you aren't prepared to send it, your only other option is to delete the copy that is in the quarantine and any other copy/copies you have on the external USB drive, which you have said you were considering formatting that drive.  This is way over the top, so deleting only that file copy would be your best option.