Trojan in email, but cannot access email

Discussions relating to ClamXav


Postby merry » Wed 09 Jan 2013 4:54 pm

Hello,

I just ran a scan and found a bunch of errors with "heuristics.phishing.email.spoofeddoman" and one with "email.trojan-428". I tried to follow the recommended steps on opening it in my mail client and deleting it, but I can't! The email address it was sent to is a yahoo account, and apparently there's a huge number of yahoo mail accounts that were recently hacked. Since my account was hacked, I was able to reset my password but I think it was changed again because I've since become locked out. I can't get through to Yahoo support to get to my yahoo account. Is there anything else I can do to get rid of the file?

Also, related: earlier I ran Avast which detected a different infected file in my offline cache. I deleted it through Avast and also went a little crazy and deleted a bunch of other messages in my offline cache. That file name was "Photo.zip#2635820934|>CAN037589.exe".

Any help is greatly appreciated. Apologies for excess/lack of details.

Thank you!
merry

Re: Trojan in email, but cannot access email

Postby darmok » Wed 09 Jan 2013 6:22 pm

merry wrote:I just ran a scan and found a bunch of errors with "heuristics.phishing.email.spoofeddoman" and one with "email.trojan-428". I tried to follow the recommended steps on opening it in my mail client and deleting it, but I can't! The email address it was sent to is a yahoo account, and apparently there's a huge number of yahoo mail accounts that were recently hacked. Since my account was hacked, I was able to reset my password but I think it was changed again because I've since become locked out. I can't get through to Yahoo support to get to my yahoo account. Is there anything else I can do to get rid of the file?

Locate the offending messages *in your local mail client on your computer*. Don't worry about the copies up in Yahoo's servers - they'll get around to dealing with those eventually.

earlier I ran avast which detected a different infected file in my offline cache. I deleted it through avast and also went a little crazy and deleted a bunch of other messages in my offline cache.

In the future, if ClamAV misses something, please be sure to submit it to them, so they can add its signature to their database, http://cgi.clamav.net/sendvirus.cgi

HTH,
- Dan.
300-MHz G3 SmurfTower, 933-MHz G4 QuickSilver 2002, 2.3-GHz MacBook Pro i5, iPad 2, etc.
Mac OS 8/9, Panther, Tiger, Leopard, Snow Leopard, Lion, Mountain Lion, & a Tonkinese.
darmok

Re: Trojan in email, but cannot access email

Postby alvarnell » Wed 09 Jan 2013 6:32 pm

merry wrote:I just ran a scan and found a bunch of errors with "heuristics.phishing.email.spoofeddoman" and one with "email.trojan-428". I tried to follow the recommended steps on opening it in my mail client and deleting it, but I can't! The email address it was sent to is a yahoo account, and apparently there's a huge number of yahoo mail accounts that were recently hacked. Since my account was hacked, I was able to reset my password but I think it was changed again because I've since become locked out. I can't get through to Yahoo support to get to my yahoo account. Is there anything else I can do to get rid of the file?
First of all, no harm can come to you from any of those e-mails as long as you don't click on any links or open the attachment on email.trojan-428. It's OK to leave them there until you get your account straightened out. You could delete those files off your computer, but chances are they would just be re-downloaded again once you are able to log into Yahoo and you would need to rebuild the mailbox index after deleting them.

As you probably have already read, the ones marked "heuristics" are not positive ID's of infection, rather they are a guess based on something the scan engine found that looked suspicious. A couple of other users this month found that their American Express statements were being flagged because they had links to the AppStore and GooglePlay. You should definitely read those messages before deciding to delete them.

I was able to find an Email.Trojan-428 (capitalization is important) in the database. It's looking for the following:

    To_receive_your_parcel,_please,_go_to{WILDCARD_ANY_STRING(LENGTH<=32)} nearest_office_and_show_this_receipt

except that I substituted "_" for spaces to prevent this reply from being flagged. It was added to the ClamAV database on Jan 2, 2013 as follows:
    Submission-ID: 90238727
    Sender: Fred de Brouwer
    Added: Email.Trojan-428
    Added: Win.Trojan.Kuluoz-18
This looks to be a Windows Trojan and there are only a couple of Trojans that will run on a Mac that are being sent to Tibetan sympathizers, so it's unlikely it could do anything on your Mac.
Also, related.. earlier I ran avast which detected a different infected file in my offline cache. I deleted it through avast and also went a little crazy and deleted a bunch of other messages in my offline cache. That file name was "Photo.zip#2635820934|>CAN037589.exe".
Sorry, but I don't have any personal experience with Avast. I know it has a great reputation on the PC side of the house, but I haven't found that any of the companies that came out with a Mac version in the spring have been shown to truly understand OS X yet. From the file name I can guess that it's something from a Canon camera. It's obviously a zip file and from the ".exe" I'd guess it's self-extracting on a Windows machine. That's about all I can tell you.
-Al-
--
21.5" iMac Quad-core i7 / Mac OS X 10.9.4 / ClamXav 2.6.4 (AppStore & Web) w/ClamAV® 0.98.4
17" iMac G5 / Mac OS X 10.5.8 / ClamXav 2.5.1 / ClamAV® 0.97.8
alvarnell
Site Admin
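To make the signature in the post above concrete: the text ClamAV is looking for is a fixed phrase, a bounded wildcard (any run of up to 32 bytes), then a second fixed phrase. The following is an added example, not ClamAV's own code and not from this thread: it converts a decoded body signature in that notation into a regular expression and runs it over constructed sample message bodies. It assumes the `{WILDCARD_ANY_STRING(LENGTH<=n)}` and `{WILDCARD_ANY_STRING}` tokens are the decoded spellings of ClamAV's `{-n}` and `*` wildcards (the form `sigtool --decode-sigs` prints), and it restores the spaces that the poster replaced with underscores.

```python
import re

# The body signature as posted in the thread, with "_" standing in for spaces
# (the poster substituted underscores so the reply itself would not be flagged).
POSTED_SIGNATURE = (
    "To_receive_your_parcel,_please,_go_to"
    "{WILDCARD_ANY_STRING(LENGTH<=32)} nearest_office_and_show_this_receipt"
)

# Decoded wildcard tokens. ASSUMPTION: this is how `sigtool --decode-sigs`
# renders ClamAV's `{-n}` (bounded gap) and `*` (unbounded gap) wildcards.
_WILDCARD = re.compile(r"\{WILDCARD_ANY_STRING(?:\(LENGTH<=(\d+)\))?\}")


def signature_to_regex(decoded_sig, restore_spaces=True):
    """Compile a decoded ClamAV-style body signature into a regex.

    Literal segments are escaped (and, optionally, have "_" turned back into
    spaces); wildcard tokens become `.{0,n}` or `.*`. DOTALL is used because a
    ClamAV wildcard matches any byte, newlines included.
    """
    parts = []
    pos = 0
    for m in _WILDCARD.finditer(decoded_sig):
        literal = decoded_sig[pos:m.start()]
        if restore_spaces:
            literal = literal.replace("_", " ")
        parts.append(re.escape(literal))
        parts.append(".*" if m.group(1) is None else ".{0,%d}" % int(m.group(1)))
        pos = m.end()
    tail = decoded_sig[pos:]
    if restore_spaces:
        tail = tail.replace("_", " ")
    parts.append(re.escape(tail))
    return re.compile("".join(parts), re.DOTALL)


def scan_body(body, sigs):
    """Return the names of every signature in `sigs` whose pattern occurs in `body`."""
    return [name for name, rx in sigs.items() if rx.search(body)]


# Signature table: one entry, the one discussed in the thread.
SIGNATURES = {"Email.Trojan-428": signature_to_regex(POSTED_SIGNATURE)}

# Constructed sample bodies (not real messages).
PARCEL_SCAM = (
    "Dear customer,\n"
    "To receive your parcel, please, go to the nearest office and show this receipt.\n"
    "Thank you."
)
BENIGN = "Your parcel has shipped. Track it on the carrier's site."
# Same two phrases, but the gap between them is 41 bytes, beyond the 32-byte bound.
GAP_TOO_LONG = (
    "To receive your parcel, please, go to " + "x" * 40
    + " nearest office and show this receipt"
)

if __name__ == "__main__":
    for label, body in [("scam", PARCEL_SCAM), ("benign", BENIGN), ("long gap", GAP_TOO_LONG)]:
        print(label, "->", scan_body(body, SIGNATURES) or "clean")
```

The third sample shows why the bound matters: a signature with an unbounded `*` would still fire on it, while `{-32}` restricts the match to the phrasing the signature author actually saw, which keeps false positives down at the cost of missing reworded variants.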

Re: Trojan in email, but cannot access email

Postby merry » Wed 09 Jan 2013 9:34 pm

Al & Dan,

Thank you so much for the quick responses! It sounds like I don't have to worry about "Email.Trojan-428" on my mac, but if we have a pc that uses the same wireless network should I be worried? I've been reading things about malware getting transmitted through a network.

I will be sure to submit undetected files for the database in the future.

I probably should've mentioned this earlier, but I'm extra paranoid right now since our online credit accounts were showing inaccurate last login timestamps (though no unrecognized charges). We've since contacted them directly to change passwords, etc., but I'm not sure if the system that generated the timestamps is inaccurate, or if there's still something on our mac/pc that's been going undetected. I've read that a full scan of my hard drive is not recommended... but should I do it? Or get a new computer? We are seriously considering the last option, but I feel like I also need to just close out these faulty yahoo accounts and change all of my passwords to everything on a new machine that's not on my network. And also never turn the pc on... but it's a work computer!

I probably sound nuts. Sorry. Any additional thoughts are appreciated.

M
merry

Re: Trojan in email, but cannot access email

Postby alvarnell » Wed 09 Jan 2013 10:11 pm

merry wrote:Al & Dan,

Thank you so much for the quick responses! It sounds like I don't have to worry about "Email.Trojan-428" on my mac, but if we have a pc that uses the same wireless network should I be worried? I've been reading things about malware getting transmitted through a network.
It can't transmit itself over your network, so you would have to either send it to the PC or use the PC to read that same e-mail.
I've read that a full scan of my hard drive is not recommended.. but should I do it?
Wouldn't hurt. The reason it's not normally recommended is that it can get into a loop sometimes, but most of those problems have been solved now. I would also recommend you not have any external drives attached when you scan your internal as that can cause issues. You can scan any external drives separately, except for backups (e.g. Time Machine).
Or get a new computer?
You didn't mention what OS X you are running. Anything older than a fully up-to-date 10.6.8 is currently vulnerable to a few bits of malware. If you are using a PPC machine with 10.5.8 or less, you need to turn Java (not JavaScript) off in all your browsers. It's a good idea to do the same even on a newer OS as you never know when the next Java vulnerability will be exploited.
-Al-
--
21.5" iMac Quad-core i7 / Mac OS X 10.9.4 / ClamXav 2.6.4 (AppStore & Web) w/ClamAV® 0.98.4
17" iMac G5 / Mac OS X 10.5.8 / ClamXav 2.5.1 / ClamAV® 0.97.8
alvarnell
Site Admin

Re: Trojan in email, but cannot access email

Postby merry » Wed 09 Jan 2013 10:25 pm

Thanks, Al - I feel much better!

I'm running 10.7.5 and am about to run a full scan.

Thank you Thank you!!!
merry

Re: Trojan in email, but cannot access email

Postby darmok » Thu 10 Jan 2013 12:28 am

merry wrote:I probably should've mentioned this earlier, but I'm extra paranoid right now since our online credit accounts were showing inaccurate last login timestamps, (though no unrecognized charges).
You have a PC, so BE paranoid.
not sure if the system that generated the timestamps is inaccurate, or if there's still something on our mac/pc that's been going undetected.
Check the clock on each of your computers; make sure they're up to date. FWIW, I've seen borked time stamps from various sites recently. If the minutes are right, then the problem is usually a time zone issue +/- failing to remember daylight savings or not. If the minutes aren't right, then the server's clock is probably foo -- something common I think if they're running Windows. Either way, no big deal, as long as the transactions are ok.
I've read that a full scan of my hard drive is not recommended.. but should I do it?
On your Mac, eh. On your PC - do it regularly. There are rootkits and such specifically designed to infect / take over the core of Windows. Only a full scan can find them, if at all.
Or get a new computer?
Loaded question - If you have Windows, then I would always recommend that you buy a new computer. A Mac, of course.
I feel like I also need to just close out these faulty yahoo accounts
I'm not fond of Yahoo or MS/Live/Hotmail email accounts. Seems like they're getting hijacked all too often. I use Gmail ... but then it's probably really not all that much safer. :?

I also live in a mixed household. Macs, PCs, iPads, and Android thingies. Our solution - take a deep breath, never use a credit card with a high limit over the 'net, use good passwords and change them monthly, and check your financial accounts now and then.

WRT your PC's security... Make sure the firewall is enabled and use a high quality active anti-virus. Avast is, IMO, mediocre. Read some tests recently where it only caught eighty-something percent of what was thrown at it. Products such as Trend Micro and BitDefender were highly rated, catching 98%+. Also add the free Spybot Search & Destroy - it catches other things.

been reading things about malware getting transmitted through a network.
The current trojan aside (See Al's reply), it can happen several ways:

Traditional -- The PC gets infected, then the virus scans the network to find other hosts to infect. That's why it's critical to keep your PC fully updated, to enable its firewall, and to use a good *active* AV package. (ClamAV is basically passive - it just scans the files you happen to throw at it. Products such as Trend Micro and BitDefender dig themselves deeply into Windows, to actively watch for much more.)

New -- Sharing files with a product such as Dropbox. Case in point: my home. We have Dropbox everywhere, and use it to pass files back and forth all the time. Works great! The down side - it's an easy 'gateway' for my PC-using housemate to put his garbage on my Mac! I dunno why he can't manage to keep his AV package running. Sigh. So, I have ClamXav Sentry watching my Dropbox (and its subfolders), and I have ClamXav do an extra/automated scan of it nightly. Now, when he sends me that cool but infected video, pdf, etc., ClamXav flags it immediately! And I don't have to worry about passing his malware to my friends...

fwiw,
- Dan.
300-MHz G3 SmurfTower, 933-MHz G4 QuickSilver 2002, 2.3-GHz MacBook Pro i5, iPad 2, etc.
Mac OS 8/9, Panther, Tiger, Leopard, Snow Leopard, Lion, Mountain Lion, & a Tonkinese.
darmok
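Two points in this thread fit together in practice: Al's note that names beginning with "Heuristics." are guesses that should be read before anything is deleted, and Dan's nightly automated scan of a shared folder. The following is an added example, not ClamXav's or ClamAV's code and not from this thread: it parses clamscan-style output (the `path: Name FOUND` line format that `clamscan` prints for each hit) and splits the results into confirmed signature matches and heuristic flags, so an automated scan can quarantine the former and merely report the latter for review. The scan output, paths and message names are constructed for the example; the signature names are the ones mentioned in the thread.

```python
import re
from typing import List, Tuple

# Constructed clamscan-style output; the paths and message names are made up.
SAMPLE_OUTPUT = """\
/path/to/Mail/INBOX/1001.emlx: Heuristics.Phishing.Email.SpoofedDomain FOUND
/path/to/Mail/INBOX/1002.emlx: Heuristics.Phishing.Email.SpoofedDomain FOUND
/path/to/Mail/INBOX/1017.emlx: Email.Trojan-428 FOUND
/path/to/Dropbox/shared/notes.txt: OK
/path/to/Dropbox/shared/Photo.zip: Win.Trojan.Kuluoz-18 FOUND

----------- SCAN SUMMARY -----------
Infected files: 4
"""

# One hit per line: "<path>: <signature name> FOUND". The lazy `.+?` plus the
# anchored tail keeps a ": " inside the path from confusing the split.
FOUND_LINE = re.compile(r"^(?P<path>.+?): (?P<name>\S+) FOUND$")


def parse_found(output: str) -> List[Tuple[str, str]]:
    """Extract (path, signature name) pairs from clamscan output; ignore OK lines and the summary."""
    hits = []
    for line in output.splitlines():
        m = FOUND_LINE.match(line)
        if m:
            hits.append((m.group("path"), m.group("name")))
    return hits


def is_heuristic(name: str) -> bool:
    """ClamAV reports engine guesses (phishing, broken executables, ...) under the Heuristics.* prefix."""
    return name.startswith("Heuristics.")


def triage(output: str):
    """Split hits into confirmed signature matches and heuristic flags that need a human look."""
    confirmed, suspected = [], []
    for path, name in parse_found(output):
        (suspected if is_heuristic(name) else confirmed).append((path, name))
    return confirmed, suspected


def report(output: str) -> str:
    """Human-readable summary suitable for a nightly-scan mail or log entry."""
    confirmed, suspected = triage(output)
    lines = ["Confirmed signature matches (safe to quarantine):"]
    lines += ["  %s  [%s]" % (p, n) for p, n in confirmed] or ["  none"]
    lines.append("Heuristic flags (read the message before deleting):")
    lines += ["  %s  [%s]" % (p, n) for p, n in suspected] or ["  none"]
    return "\n".join(lines)


if __name__ == "__main__":
    # In a real nightly job the output would come from e.g.
    #   clamscan -r --infected /path/to/Dropbox
    # piped into this script; here the constructed sample stands in for it.
    print(report(SAMPLE_OUTPUT))
```

Keeping heuristic flags out of the automatic-quarantine path is the point: the American Express statements Al mentions would land in the "read before deleting" list rather than being removed unread.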

Re: Trojan in email, but cannot access email

Postby darmok » Thu 10 Jan 2013 12:33 am

alvarnell wrote:Anything older than a fully up-to-date 10.6.8 is currently vulnerable to a few bits of malware.
Thought Clam caught all of them.
If you are using a PPC machine with 10.5.8 or less, you need to turn Java (not JavaScript) off in all your browsers. It's a good idea to do the same even on a newer OS as you never know when the next Java vulnerability will be exploited.
The Java exploits have nothing to do with ppc vs x86 or even OS version. ALL the Java releases are exploitable. So regardless of platform, turn Java *OFF*. And if you must use it for a particular task, then either turn it on for that one task then disable it, or - preferred - go find an alternative. Heh. Apple deciding to not ship Java with OS X, I think, was one of the best things they could do. Just like they did with Flash.

- Dan.
300-MHz G3 SmurfTower, 933-MHz G4 QuickSilver 2002, 2.3-GHz MacBook Pro i5, iPad 2, etc.
Mac OS 8/9, Panther, Tiger, Leopard, Snow Leopard, Lion, Mountain Lion, & a Tonkinese.
darmok

Re: Trojan in email, but cannot access email

Postby alvarnell » Thu 10 Jan 2013 1:43 am

darmok wrote:
alvarnell wrote:Anything older than a fully up-to-date 10.6.8 is currently vulnerable to a few bits of malware.
Thought Clam caught all them.
There are maybe two that have been reported as being sent to Tibetan sympathizers which are in such low numbers that samples haven't shown up in any of the usual places. I don't recall their names at the moment, but at least one was a Universal Binary.
If you are using a PPC machine with 10.5.8 or less, you need to turn Java (not JavaScript) off in all your browsers. It's a good idea to do the same even on a newer OS as you never know when the next Java vulnerability will be exploited.
The Java exploits have nothing to do with ppc vs x86 or even OS version.
The difference is that there are known threats, not just vulnerabilities out there which are capable of using the same Java vulnerability used by Flashback which is not patched on 10.5.8 for PPC and again at least one of them is a Universal Binary.
ALL the Java releases are exploitable. So regardless of platform, turn Java *OFF*. And if you must use it for a particular task, then either turn it on for that one task then disable it, or - preferred - go find an alternative. Heh. Apple deciding to not ship Java with OS X, I think, was one of the best things they could do. Just like they did with Flash.
I certainly don't disagree with this and recommend it myself as defense against the next exploited vulnerability. I was just trying to differentiate between an unexploited (to date) vulnerability and a known threat.
-Al-
--
21.5" iMac Quad-core i7 / Mac OS X 10.9.4 / ClamXav 2.6.4 (AppStore & Web) w/ClamAV® 0.98.4
17" iMac G5 / Mac OS X 10.5.8 / ClamXav 2.5.1 / ClamAV® 0.97.8
alvarnell
Site Admin

Re: Trojan in email, but cannot access email

Postby merry » Thu 10 Jan 2013 5:57 am

This is great information, very helpful! I really need to be more on top of this stuff.

The full scan on my mac looked good so we are working on making sure the pc is (more) secure. This whole experience has been a great reminder to be a more aware user! I never knew about this java stuff before, either - I immediately disabled it.

Thank you, Dan & Al! I really appreciate your help!
merry

Re: Trojan in email, but cannot access email

Postby alvarnell » Sat 09 Mar 2013 2:11 am

I ran across this article, published today, which gives a detailed explanation of what that Trojan you found is capable of: Sinkholing of Trojan Downloader Zortob.B reveals fast growing malware threat.
-Al-
--
21.5" iMac Quad-core i7 / Mac OS X 10.9.4 / ClamXav 2.6.4 (AppStore & Web) w/ClamAV® 0.98.4
17" iMac G5 / Mac OS X 10.5.8 / ClamXav 2.5.1 / ClamAV® 0.97.8
alvarnell
Site Admin