How to find the identity of an infected Outlook 2011 email?


Postby Ugly56 » Sat 23 Feb 2013 3:12 pm

I have searched and searched, and I cannot find any explanation here about how to identify Outlook 2011 (current v. 14.3.1) emails that ClamXav (current v. 2.3.4) has designated as infected. I use Outlook on both my Mac OS 10.6.8 iMac and 10.8.2 MacBook Pro to access my Gmail account in IMAP mode. In the last few days ClamXav Sentry has alerted me once on each machine with the following popup warning about an infected email:

ClamXav Sentry has detected a virus
/Users/jayBo/Documents/Microsoft User Data/Office 2011 Identities/
Jay Boshara/Data Records/Message Sources/0T/

Annoyingly, these warnings did not give the full file path, so I cranked up ClamXav and scanned my Microsoft User Data folder. ClamXav found a file named x27_3757.olk14MsgSource with an ‘Infection Name’ of ‘Heuristics.Phishing.Email.SpoofedDomain’ (which yielded nothing when I searched that term at http://clamav-du.securesites.net/cgi-bi ... =signature). Upon right-clicking the file in the ClamXav window and selecting ‘Reveal In Finder,’ I discovered that its full path is /Users/jayBo/Documents/Microsoft User Data/Office 2011 Identities/Jay Boshara/Data Records/Message Sources/0T/0B/0M/3k/x27_3757.olk14MsgSource. Unfortunately, knowing the file name and location does not get me any closer to discovering the Subject of the email so I can find and delete it :(. Furthermore, double-clicking on the infected file in the Finder does not open it as an Outlook email but instead only starts a new email and attaches the infected file to it — a bizarre default behavior, if you ask me. Double-clicking on that new email’s attachment doesn’t help either — it just starts another new email and attaches x27_3757.olk14MsgSource to that one too. It should be noted that this email’s file name does not have an extension (even in its ‘Get Info’ data), and double-clicking it did not automatically open it in Outlook but rather opened a Finder dialog for me to choose which application to open it with (“Ending a sentence with a preposition is something up with which I will not put” — Winston Churchill).

While reading virtually every post on this board that includes the word “Outlook,” I did discover two important things to keep in mind once the identity of an infected Outlook email has been determined: 1) In order to avoid corrupting the Outlook database, I cannot just delete the file in the Finder but rather must delete the email itself from the Gmail server; and 2) When deleting the email from the server, I must do so from the Gmail website rather than via Outlook (I’m not sure why).

So, does anyone know how to determine the Subject or any other identifying parameter of an Outlook 2011 email from nothing more than its file name? Thanks.
Ugly56
 
Posts: 8
Joined: Thu 05 Nov 2009 1:42 am
Location: Southern California

Re: How to find the identity of an infected Outlook 2011 ema

Postby alvarnell » Sun 24 Feb 2013 1:22 am

Let me start by assuring you that the potentially infected e-mail is of no danger to your OS and may not even be a phishing attempt. Perhaps you have already run across this during your searches, but the word Heuristics means that there was no exact match to a signature. It is an e-mail associated with a financial institution that contains a hyperlink whose format appeared suspicious to the Heuristics scanner in that the visible portion did not match the URL of the site at which you would find yourself if you clicked it. It's not unusual for such a link to be legitimately directed to a third party site, but it could also be a fake site designed to get you to give up privacy information. The bad news is that you cannot use a specific string to find it.

Ugly56 wrote: I have searched and searched, and I cannot find any explanation here about how to identify Outlook 2011 (current v. 14.3.1) emails that ClamXav (current v. 2.3.4) has designated as infected.

I'm only passively familiar with Outlook, although I had planned to spend today migrating to a new Mac and upgrading from Entourage 2008 to Outlook 2011. About all I know about it is that e-mails seem to be stored as a combination of individual files and a large database. Had it still been of the old monolithic database only, chances are good it would have been too big to scan and you would never have been notified.

Ugly56 wrote: In the last few days ClamXav Sentry has alerted me once on each machine with the following popup warning...Annoyingly, these warnings did not give the full file path

Popups are limited in the number of characters they can contain. The full path is available in the ClamXavSentry-scan.log, which can be opened from the Sentry menu icon.

Ugly56 wrote: Unfortunately, knowing the file name and location does not get me any closer to discovering the Subject of the email so I can find and delete it :(. Furthermore, double-clicking on the infected file in the Finder does not open it as an Outlook email but instead only starts a new email and attaches the infected file to it — a bizarre default behavior, if you ask me.

I am not certain what that file actually is. It could be some portion of the e-mail or perhaps an attachment to it. If I were you I would attempt to open it with a text editor to see if there's enough text to make it identifiable. Based on the infection name, it almost certainly would have the hyperlink listed.

Ugly56 wrote: I did discover two important things to keep in mind once the identity of an infected Outlook email has been determined: 1) In order to avoid corrupting the Outlook database, I cannot just delete the file in the Finder but rather must delete the email itself from the Gmail server; and 2) When deleting the email from the server, I must do so from the Gmail website rather than via Outlook (I’m not sure why).

I'm not sure either, but I have an inactive Gmail account required in order to use other Google capabilities and have proven to myself that it works that way. There is actually only one copy of each e-mail on the server and it lives in the "All Mail" folder. It seemingly can be moved to a real Trash folder, but anywhere else it appears is simply one or more labels that have been applied to the file. When you delete a file from the Inbox, you are only deleting its label. When I delete a file from the "All Mail" folder using Entourage it disappears momentarily, but shows back up the next time I check mail. When I go through webmail it moves to the Trash and then I can permanently delete it there.

About the only other recommendation I can give you is to take a look in "All Mail" for anything you have previously deleted as junk/spam/phishing and see if it's still there.
-Al-
--
21.5" iMac Quad-core i7 / Mac OS X 10.9.2 / ClamXav 2.3.6 (AppStore) w/ClamAV® 0.98 & 2.6.2 w/ClamAV® 0.98.1
17" iMac G5 / Mac OS X 10.5.8 / ClamXav 2.5.1 / ClamAV® 0.97.8
alvarnell
Site Admin
 
Posts: 4061
Joined: Thu 04 Sep 2008 1:18 am
Location: Mountain View, CA, USA

Re: How to find the identity of an infected Outlook 2011 ema

Postby alvarnell » Sun 24 Feb 2013 8:05 am

I think I may have figured out how to permanently delete Gmail files, but it wasn't exactly intuitive.

I logged on to the Gmail server and selected SETTINGS under the gear menu.

I disabled POP (probably not necessary, but I didn't see any reason to have it active as long as I was using IMAP)

I selected "Auto-Expunge-off" which gave me access to the next set of options.

Under "When a message..." I selected "Immediately delete forever..." (or I could have had it moved to Trash)

Saved the settings and logged off.

When I went back to Entourage and deleted a sent message from the All Mail folder that I no longer wanted to keep it did not return.
-Al-

Re: How to find the identity of an infected Outlook 2011 ema

Postby Jim babcock » Mon 25 Feb 2013 11:29 pm

Al: Thanks so much for your Gmail detective work.

The owner of my main email account uses the Gmail.app to host all our Email accounts. (Cost=$5/mon)
He is researching how to host our Web Site there as well.

My imap account DOES have a Gmail ALL mailbox. When I would delete in my STD Gmail Inbox, all of them would re-appear in the Gmail ALL mailbox.

I used your scheme, reset the Auto-Expunge option and asked for "immediately delete forever".

(I first tried Trash but that is Gmail Trash… and still had messages re-appearing, so retreated to "immediately…")

Now I delete messages and they are GONE!

Cheers, Jim b
V2.6.2 + ClamAV® 0.98.1 + Sentry 2.8
OS 10.8.5/24" iMac/4GB/VMWare 5.0.3 w/W2K,Win7x64
Jim babcock
 
Posts: 314
Joined: Sun 04 Jun 2006 2:51 pm
Location: Round Rock, Texas
