Instructions for identifying infected emails

Discussions relating to ClamXav

Re: Instructions for identifying infected emails

Postby hoosiercatguy » Sat 29 Aug 2009 6:30 am

Mark wrote: Here's a method for weeding out virus-infected emails from your mailbox. I'll take you through an example of searching for the phishing email HTML.Phishing.Bank-246

Copy and paste that name into http://clamav-du.securesites.net/cgi-bin/clamgrok?display=virus&display=signature and hit submit.

This gives you a list of matching viruses/threats. In this case, there is only one result:
HTML.Phishing.Bank-246 3:*:6c696e6b2062656c6f7720616e64207375626d69742061732077652061726520747279696e6720746f2076657269667920796f7572206163636f756e7420696e666f726d6174696f6e2e2028696e206361736520796f7520617265206e6f7420656e726f6c6c6564

The section above which we're interested in is in bold. This is known as the virus signature and is encoded as a hexadecimal string.

First we need to translate it to ASCII (actual words) using the following website: http://www.dolcevie.com/js/converter.html .

Paste the long hexadecimal text into the top (Hex) box and click the "Hex to ASCII" button. What appears in the bottom (ASCII) box is the text that you need to search for in your email client, in this case
link below and submit as we are trying to verify your account information. (in case you are not enrolled

Mark:

It seems that this requires the user to know the signature of each possible virus in order to search for that virus in an e-mail message(s). Is that correct? If so, is there a way to let ClamXav automatically search for viruses without my needing to know (and manually enter) the virus signature myself?

Thanks, in advance, for your help.
Karl Henry (Indianapolis, IN)
IU grad (B.S., M.A., M.P.A.)
iMac -May 08 3.06 GHz. OS X 10.5.8
* I'm on Facebook, Twitter Social Network, and various smaller social networks on the ning platform

Re: Instructions for identifying infected emails

Postby alvarnell » Fri 04 Sep 2009 10:58 pm

Everybody else seems pre-occupied with v2.0.x, which is working perfectly in Tiger, so it looks like you're stuck with my answers, again.
It seems that this requires the user to know the signature of each possible virus in order to search for that virus in an e-mail message(s). Is that correct? If so, is there a way to let ClamXav automatically search for viruses without my needing to know (and manually enter) the virus signature myself?

ClamXav will automatically search for signatures in e-mail messages, provided you have it turned on in the preferences. What it won't do is tell you which message contains the signature it found. The description in the previous message explains how to track down the message that contains the virus so that you can delete it.
-Al-
--
iMac(21.5-inch, Mid 2011) 2.8GHz Intel Core i7/OS X 10.10.5, 10.11.6, 10.12.6 & 10.13.6/ClamXAV v3.0.9 (7713)/0.100.2_01
iMac(Retina 5K, 27-inch, 2017) 4.2GHz Intel Core i7/macOS 10.12.5, 10.13.6 & 10.14.3/ClamXAV v3.0.9 (7713)/0.100.2_01

Re: Instructions for identifying infected emails

Postby syncrasy » Fri 29 Oct 2010 2:09 pm

iainciotach wrote: I ran this through the database:
Exploit.IFrame.Gen

It identified this string: 696672616d65207372633d{-4096}6369643a{-8192}6865696768743d{-4096}2077696474683d{-1024}2f696672616d65{-4096}2f424f44593e3c2f48544d4c3e{-512}436f6e74656e742d??7970653a2061

I ran it through the Hex/Ascii converter and got this:
iframe src=?@??6?C????height=?@???v?GF?????/iframe?@???$?E?????D??????6??FV?B????S???

I searched my emails for iframe & height and got nothing.

One item was in the Trash and when I rescanned after emptying it, ClamX said it was still there.

I read the forum on this topic and decided I must be doing something wrong.

Have you received any answers to this post?

I have a similar problem with my Eudora. I searched the infected mailbox for "iframe" and found three emails. I deleted them. I then re-scanned the computer and received the same notice (Exploit.IFrame.Gen FOUND). But when I searched the infected mailbox for "iframe" there were no search results. I searched for other text strings (for example, "height" and "@???") and found many results, but I think those are false positives since those text strings are probably very common and normal.

Mark, any ideas?
ClamXav v1.1.1 (185) | PowerMac G5 | Mac OS 10.4.11
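The hex-to-text step from Mark's method, and the reason the converter output quoted above comes out as garbage: the {-4096} gaps, the ?? byte wildcard and the leading 3:*: target/offset field are ClamAV signature syntax, not hex, so they have to be parsed rather than fed to a plain hex converter. This is an added Python example, not code from this thread or from ClamXav; the two signatures are the ones quoted on this page, the mbox contents are constructed. It decodes only the fixed byte runs a mail client can actually search for, turns the whole signature into an equivalent regex, and reports which message in a raw mbox file matches.

```python
import re
# Signatures quoted on this page: optional "Target:Offset:" prefix (e.g. "3:*:"), then hex with wildcards.
SIG_PHISH = ("3:*:6c696e6b2062656c6f7720616e64207375626d69742061732077652061726520747279696e6720"
             "746f2076657269667920796f7572206163636f756e7420696e666f726d6174696f6e2e20"
             "28696e206361736520796f7520617265206e6f7420656e726f6c6c6564")
SIG_IFRAME = ("696672616d65207372633d{-4096}6369643a{-8192}6865696768743d{-4096}2077696474683d"
              "{-1024}2f696672616d65{-4096}2f424f44593e3c2f48544d4c3e{-512}436f6e74656e742d??7970653a2061")
# One token: a {n}/{-n}/{n-}/{n-m} gap, a ?? byte wildcard, a * run, or one hex byte.
TOKEN = re.compile(r"\{(?P<lo>\d*)(?P<dash>-?)(?P<hi>\d*)\}|(?P<any>\?\?)|(?P<star>\*)|(?P<hex>[0-9a-fA-F]{2})")

def tokens(sig):
    body = sig.rsplit(":", 1)[-1]  # drop a "Target:Offset:" prefix such as "3:*:"
    toks = list(TOKEN.finditer(body))
    if "".join(m.group(0) for m in toks) != body:
        raise ValueError("unsupported signature syntax")
    return toks

def literal_runs(sig):
    """Decode only the fixed bytes; the wildcards between runs are not searchable text."""
    runs, cur = [], bytearray()
    for m in tokens(sig):
        if m.group("hex"):
            cur.append(int(m.group("hex"), 16))
        elif cur:
            runs.append(cur.decode("latin-1")); cur = bytearray()
    return runs + ([cur.decode("latin-1")] if cur else [])

def regex_piece(m):
    """Regex fragment for one token, keeping ClamAV's wildcard semantics."""
    if m.group("hex"):
        return re.escape(bytes([int(m.group("hex"), 16)]))
    if m.group("any") or m.group("star"):
        return b"." if m.group("any") else b".*"
    if m.group("dash"):                                  # {-n}, {n-}, {n-m}
        return f".{{{m.group('lo') or 0},{m.group('hi')}}}".encode()
    return f".{{{m.group('lo')}}}".encode()              # {n}

def sig_to_regex(sig):
    return re.compile(b"".join(regex_piece(m) for m in tokens(sig)), re.DOTALL)

def matching_messages(mbox, sig):
    """0-based positions of the mbox messages (split on 'From ' lines) that match the signature."""
    pat, msgs = sig_to_regex(sig), [m for m in re.split(rb"(?m)^From ", mbox) if m]
    return [i for i, msg in enumerate(msgs) if pat.search(msg)]

# Constructed two-message mbox: only the second carries the Exploit.IFrame.Gen pattern.
SAMPLE_MBOX = (b"From a@example.invalid Fri Oct 29 2010\n\nphoto height=400 width=300 fine\n"
               b'From b@example.invalid Fri Oct 29 2010\n\n<iframe src="cid:p1" height=1 width=1>'
               b"</iframe></BODY></HTML>\nContent-Type: application/octet-stream\n")
```

literal_runs(SIG_IFRAME) shows why searching a mailbox for "iframe" alone finds the wrong messages: the signature only fires when all eight runs appear in order within the stated gaps, which matching_messages checks the same way the scanner does, against the raw mailbox file rather than the client's index.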

Postby IronTooth » Fri 29 Oct 2010 3:40 pm

These observations about deleted messages still showing up in scans may be related to how the email program manages its deletions. If you have a mailbox file containing the messages, and an index file pointing to the messages in the mailbox file, the message may be 'deleted' from the index, but not removed from the mailbox file until the mailbox is compacted or otherwise rebuilt to regain space taken up by the 'deleted' messages.

In this scenario, you can 'delete' the email so that it doesn't show up in the email program, but it will still show up in a virus scan, until the email program does its maintenance on the mailbox file.

I've seen this when importing messages from Thunderbird to another mail program that reads the mailbox file directly. If I don't compact the mailboxes in Thunderbird, 'deleted' messages get imported into the other mail program.

HTH...
- Don

Postby syncrasy » Fri 29 Oct 2010 5:38 pm

IronTooth wrote: These observations about deleted messages still showing up in scans may be related to how the email program manages its deletions. If you have a mailbox file containing the messages, and an index file pointing to the messages in the mailbox file, the message may be 'deleted' from the index, but not removed from the mailbox file until the mailbox is compacted or otherwise rebuilt to regain space taken up by the 'deleted' messages.

In this scenario, you can 'delete' the email so that it doesn't show up in the email program, but it will still show up in a virus scan, until the email program does its maintenance on the mailbox file.

I've seen this when importing messages from Thunderbird to another mail program that reads the mailbox file directly. If I don't compact the mailboxes in Thunderbird, 'deleted' messages get imported into the other mail program.

HTH...

Ahhh... thank you.

I had forgotten how to do this. In Eudora for Mac, there is no "Compact" command in the menus, but I found the solution on the Web: open the mailbox then click the little box in the lower-left corner (the area with the message count/size numbers in it). This hidden technique will permanently remove deleted messages. (You can see the right-most number become '0').

Postby iBozz » Tue 09 Nov 2010 10:42 am

Apologies if this has actually been covered in this thread or elsewhere but, if it has, my beady little eyes have missed it.

I had a valid email from eBay this morning which clamXav identified as potential phishing. Accordingly, it quarantined the emlx file.

But, having decided that it was a valid email I want to return it to the email itself, the header for which still appears in my inbox but with, of course, the body of the email in my quarantine folder.

I'm running Mail v4.3 (1081) and clamXav v2.0.8 (236) under MacOSX.6.4 Build 10F569.

Thanks, and sorry if this rakes over old ground!
27" quad-core i7 iMac with 16GB RAM, MacOSX.9.2 Mavericks; G4 Tower and G4 eMac under OSX.4.11

Postby alvarnell » Tue 09 Nov 2010 11:02 am

iBozz wrote: ...having decided that it was a valid email I want to return it to the email itself, the header for which still appears in my inbox but with, of course, the body of the email in my quarantine folder.
If I understand your question correctly, simply drag that file from the quarantine folder to

/Users/<yourusername>/Library/Mail/Mac-<youruserID>/INBOX.imapmbox/Messages

assuming you have an IMAP mail account and you want it in your inbox. If these assumptions are wrong, you should be able to figure out which mbox to move it to.
-Al-

Postby iBozz » Tue 16 Nov 2010 9:50 am

Thanks, alvarnell. Apologies for the delay in acknowledgement, but the notification had been identified as spam by my ISP and I've only just released it.

I use POP, but will try your method the next time it happens.

Postby romad » Thu 23 Dec 2010 5:48 am

OK, ClamX reported that it had found "Email.Faketube" in a mailbox that contains about 600+ messages. Using the steps and sites in your example the hex is:

3:*:77616e747320746f207368617265206120766964656f207769746820796f75*746f756368696e672074616c65206f6620686f772074776f206c6f7665727320666f756e6420746865697220686561

ASCII conversion is:

??wants to share a video with you?F?V6???r?F??R??b???r?Gv????fW'2?f?V?B?F?V?"??V?

However doing a "Find" in TextEdit on the mailbox comes up empty. I tried just searching for the 7 words, but that also failed. Any suggestions?

Postby alvarnell » Thu 23 Dec 2010 6:37 am

romad wrote: ...doing a "Find" in TextEdit on the mailbox comes up empty. I tried just searching for the 7 words, but that also failed. Any suggestions?
You should be using your email client to do the content search of that mail folder, rather than TextEdit, although I would have thought that would have worked.
You need to be able to delete the file from the client anyway, so it makes things easier, as well.
-Al-

Postby romad » Thu 23 Dec 2010 4:19 pm

alvarnell wrote:
romad wrote: ...doing a "Find" in TextEdit on the mailbox comes up empty. I tried just searching for the 7 words, but that also failed. Any suggestions?
You should be using your email client to do the content search of that mail folder, rather than TextEdit, although I would have thought that would have worked.
You need to be able to delete the file from the client anyway, so it makes things easier, as well.

No joy using search in the email client. Actually on 2 other "hits" I was able to find the offending text and just delete that text using TextEdit.

However, I finally found the answer: a poorly written rule set in ClamX

http://db.tidbits.com/article/10832

Interesting that this was identified over a year ago and ClamX has not updated their poorly written rule set. Anyway I deleted the offending text in TextEdit.

Postby alvarnell » Thu 23 Dec 2010 7:59 pm

romad wrote: ...on 2 other "hits" I was able to find the offending text and just delete that text using TextEdit.
As long as you don't try to delete the entire message, I suppose that will work. The problem comes when the mbox index doesn't match the number of messages in it: corruption occurs and you lose other emails.
However, I finally found the answer: a poorly written rule set in ClamX

http://db.tidbits.com/article/10832

Interesting that this was identified over a year ago and ClamX has not updated their poorly written rule set.
I couldn't find "Clam" mentioned in the article as being the problem, but it certainly could have been. All A/V software uses text strings as one of their signature writing methods, but it certainly could have been.

However, ClamXav is not responsible for any signatures since that's all done by the cross-platform clamav community. Since it's a Windows Trojan, it is very much a legitimate issue as far as clamav is concerned. I'll poke around on the clamav site to see if I find any evidence that it was reported to them. The issue would seem to be that the text string they are looking for is common to other video download situations that don't involve malware, thus producing a false positive alert. If the TidBITS folks didn't report this to clamav (or whatever they were using) as a false positive, then it's not surprising that nothing has been done about it.

I filed a bug report with them on a similar situation involving a PUA false alarm and they have never taken action on it. Admittedly PUA (Potentially Unwanted Applications) are far less serious than are Trojans.
-Al-

Phishing

Postby PeteTheRef » Wed 13 Apr 2011 8:54 am

I get this message every time I access this page.

Infected File Quarantined
/Users/pete/.......etc
HTML.Phishing.Bank-252

Re: Phishing

Postby alvarnell » Wed 13 Apr 2011 9:37 am

PeteTheRef wrote: I get this message every time I access this page.

Infected File Quarantined
/Users/pete/.......etc
HTML.Phishing.Bank-252
No surprise as it would appear that that signature is used in Mark's example which appears near the top of this page (I'm not sure why he refers to it as "246" which currently has a different string). ClamXav has quarantined the cache left behind by your browser which you can safely delete. You should get the same result by visiting any page in this forum that contains a signature.
-Al-

email virus in "recovered messages" folder

Postby CCPP » Wed 28 Sep 2011 5:35 pm

How do I get Clam to look into my "recovered messages" folder on my iMac? The folder is under "mail" then "on my mac". There is an email with attached photo that I never created that keeps regenerating itself into that folder. I discovered this when my hard drive was just about full and deleted the over 8,000 messages but they just keep re-populating in my recovered messages folder. I can't seem to get Clam to scan this folder. Any help would be greatly appreciated. Thanks!
