Instructions for identifying infected emails

Discussions relating to ClamXav

Moderator: Mark

Postby fredct » Sun 11 Feb 2007 6:11 pm

I'm having the same problem.

ClamXAV has identified an email virus, and I run it through your tools to find the string of text. But when I search my email box, nothing comes up.

Now it seems to me that it's quite likely that I deleted the email a while back. I tend to keep my email box free of all junk/spam, etc., deleting it the same day, if not the same hour, that I see it.

But I'd bet the attachment is just still hanging around in the files somewhere. I tried 'Compact Mailbox' (I'm using Thunderbird), which was a darn good idea. But still the scan picks up the same file.


If it's on your list at all to add the ability to remove just one file within a mailbox, that would be great :) Any other suggestions would be good too.
fredct
 
Posts: 29
Joined: Sun 11 Feb 2007 4:21 pm

Re: Instructions for identifying infected emails

Postby iainciotach » Sun 24 Jun 2007 6:33 pm

I ran this through the database:
Exploit.IFrame.Gen

It identified this string: 696672616d65207372633d{-4096}6369643a{-8192}6865696768743d{-4096}2077696474683d{-1024}2f696672616d65{-4096}2f424f44593e3c2f48544d4c3e{-512}436f6e74656e742d??7970653a2061

I ran it through the Hex/Ascii converter and got this:
iframe src=?@??6?C????height=?@???v?GF?????/iframe?@???$?E?????D??????6??FV?B????S???

I searched my emails for iframe & height and got nothing.

One item was in the Trash and when I rescanned after emptying it, ClamX said it was still there.

I read the forum on this topic and decided I must be doing something wrong.
Ged theirteadh rium an cù, cha bu mhi ach smior a'mhadaidh.
iainciotach
 
Posts: 1
Joined: Sun 24 Jun 2007 5:57 pm
Location: Dallas, Texas, USA

Postby jrethorst » Sat 01 Sep 2007 4:16 am

Works! ClamXAV found "WScr" in a Eudora mailbox text file. The data is

656e74697469657327293b7362663d666c2e537562466f6c646572733b
666f7228766172206d79653d6e657720456e756d657261746f72287362
66293b216d79652e6174456e6428293b6d79652e6d6f76654e65787428
29296964643d6d79652e6974656d28293b6964733d6e65

which in ASCII is

entities');sbf=fl.SubFolders;for(var mye=new Enumerator(sbf);!mye.atEnd();mye.moveNext())idd=mye.item();ids=ne

part of a bunch of HTML. Easy to find and delete in TextEdit.

Bless you folks.

John

[Edited by Mark: The data had to be split onto four lines to prevent the page going unbearably wide]
jrethorst
 
Posts: 8
Joined: Thu 30 Aug 2007 11:40 pm

Postby jrethorst » Fri 21 Sep 2007 3:43 am

I installed the Applescript to scan incoming emails (Mail 2.1, OS 10.4.10). It slowed receiving mail down substantially and, occasionally, a dialog would report that Mail could no longer function since my Home Directory was full (!), with the only button in the dialog saying Quit. I'd click that button, restart Mail and Get Mail again, and it would usually work. So I've deactivated the Applescript. I still have Sentry running, checking downloads to the desktop (default location), and that runs fine.

I know Mark didn't write the Applescript. Has anyone else had problems with it?

John
jrethorst
 
Posts: 8
Joined: Thu 30 Aug 2007 11:40 pm

Postby woser » Sun 21 Oct 2007 8:46 pm

What do you do after getting the hex to ascii translation?
woser
 
Posts: 1
Joined: Sun 21 Oct 2007 8:36 pm

Postby diem » Wed 24 Oct 2007 10:16 pm

woser,

you use your email program's search facility to find that string in whichever mail folder ClamXav said was infected. It's usually a good idea to use a sensible substring of the ASCII, so as to make a less specific but still useful search.
ClamXav v1.0.8 / clamav 0.93.3 on OS X 10.4.11/PowerBook G4
diem
 
Posts: 568
Joined: Sun 18 Feb 2007 6:15 pm

No Trojan.Dropper-4027 in signature database

Postby r_wolfcastle » Wed 06 Feb 2008 10:44 pm

I'm getting a zillion notifications of Trojan.Dropper-4027 in my Thunderbird Inbox, but a search for "Trojan.Dropper" in the ClamXav database turns up everything but 4027. I've tried Googling elsewhere to find the signature to no avail. Any ideas on where to find the signature?

Of course, I don't get annoyed by these virus messages for very long, because after a short while ClamXav Sentry crashes. Guess it is time to search around and find out where to send the crash log...
r_wolfcastle
 
Posts: 2
Joined: Wed 06 Feb 2008 10:31 pm
Location: San Jose

Removing infected files

Postby mandehu » Mon 25 Feb 2008 5:18 am

OK, I have found (and converted) the enigmatic virus/spoof and then searched the corresponding mailbox. However the ASCII (and its parts) give me *nothing*.
And BTW using VirusBarrier limited version says "no virus found".
So where do I go from here? Sorry if this is a RTFM (where *is* TFM?).

20' iMac Intel Core 2 Duo, Tiger 11, Thunderbird version 2.0.0.9 (20071031)
mandehu
 
Posts: 8
Joined: Sat 03 Mar 2007 9:45 am

Postby diem » Mon 25 Feb 2008 8:11 am

You could implement incoming email virus scanning, then when you assign the rule in Mail and it asks you "do you want to run this rule against existing Mailboxes" you say yes. The upshot will be that any emails with suspicious content will have "VIRUS" prepended to their subject lines, meaning you can use Mail's search feature to find and delete said emails.
ClamXav v1.0.8 / clamav 0.93.3 on OS X 10.4.11/PowerBook G4
diem
 
Posts: 568
Joined: Sun 18 Feb 2007 6:15 pm

Postby mandehu » Mon 25 Feb 2008 1:20 pm

diem wrote: You could implement incoming email virus scanning, then when you assign the rule in Mail and it asks you "do you want to run this rule against existing Mailboxes" you say yes. The upshot will be that any emails with suspicious content will have "VIRUS" prepended to their subject lines, meaning you can use Mail's search feature to find and delete said emails.


You have not read my posting: I use *Thunderbird* not Mail.
mandehu
 
Posts: 8
Joined: Sat 03 Mar 2007 9:45 am

Postby diem » Mon 25 Feb 2008 1:39 pm

Okay, okay, keep your hair on :D

Does Thunderbird have some form of mail-filtering-rules system? If so, write a rule for Thunderbird to invoke the Applescript and you're still good to go; my howto is mail client agnostic.

mandehu wrote: the enigmatic virus/spoof

Could you quote the virus found? That might help folk here comment. It's no biggie that VirusBarrier didn't detect it - not all virus scanners look for email-content malware so perhaps VirusBarrier was simply not looking for this type of item.

Another angle is this - don't bother to find the offending email. If this is a Javascript/HTML frame spoof mail then it can't do you any harm as is anyway. Just don't click on any URLs in HTML emails EVER.

BTW this thread is the nearest thing to the FM for the topic of identifying which mail is virus-infected so fear not, you have RTFM ;)
ClamXav v1.0.8 / clamav 0.93.3 on OS X 10.4.11/PowerBook G4
diem
 
Posts: 568
Joined: Sun 18 Feb 2007 6:15 pm

Postby mandehu » Mon 25 Feb 2008 4:33 pm

diem wrote:
Does Thunderbird have some form of mail-filtering-rules system? If so, write a rule for Thunderbird to invoke the Applescript and you're still good to go; my howto is mail client agnostic.

mandehu wrote: the enigmatic virus/spoof

Could you quote the virus found? That might help folk here comment. It's no biggie that VirusBarrier didn't detect it - not all virus scanners look for email-content malware so perhaps VirusBarrier was simply not looking for this type of item.

Another angle is this - don't bother to find the offending email. If this is a Javascript/HTML frame spoof mail then it can't do you any harm as is anyway. Just don't click on any URLs in HTML emails EVER.

BTW this thread is the nearest thing to the FM for the topic of identifying which mail is virus-infected so fear not, you have RTFM ;)

1. Thunderbird has a rudimentary mail-filtering system. AFAIK it cannot use AppleScript, which I am not savvy in anyway.
2. There are several virii/phishing found, e.g.:
Email.Phishing.DblDom-39
Email.Webaccount-11
mandehu
 
Posts: 8
Joined: Sat 03 Mar 2007 9:45 am

Trojan.Dropper-4614

Postby beliarus » Mon 03 Mar 2008 9:15 pm

Hello everyone,

The virus database can't find the found "Trojan.Dropper-4614" and I would definitely like to know which email is infected in my Thunderbird Mbox file.

Could someone please help me out?

Thanks in advance,

Beliarus
beliarus
 
Posts: 4
Joined: Mon 03 Mar 2008 9:10 pm

Postby zeeball » Tue 25 Mar 2008 4:26 pm

It fails if you do not remove the space added to the end when copy/pasted.
"HTML.Phishing.Bank-246" vs "HTML.Phishing.Bank-246 "
zeeball
 
Posts: 1
Joined: Tue 25 Mar 2008 4:23 pm
Location: Raleigh, NC

E-mail Virus

Postby c308682 » Thu 11 Jun 2009 1:24 am

From the original post in the thread - how does that process differ from what the Sentry does in protecting from e-mail-borne viruses?

What say?

Coincidentally, after I updated to v.1.1.1, I get ~5 notifications that infected e-mail msgs were sent to the trash. The file name in the trash is assigned by ClamXav (I'm assuming) and I don't open it because that's the whole point of e-mail virus protection (I think).

Feedback?

Thanks all
c308682
 
Posts: 3
Joined: Sat 28 Jan 2006 3:53 pm
