ClamXav and email trojan
Fresh-Faced Recruit
Join Date: Nov 2007
Hello:
I am helping a friend with an email issue. She uses Mail application regularly on her eMac. Lately she has been getting a huge amount of email replies to something that she definitely didn't send.
In an attempt to help I downloaded ClamXav and did a scan with the following results:
--------------------------------------------------
/Users/*username*/Library/Mail Downloads/WWW_99120.exe: Trojan.Zbot-1935 FOUND
******
The above file looks like it may be part of an email mailbox, please think carefully about what to do with this file. If it has been quarantined, you may end up losing some email. I suggest you leave this file where it is (or move it back if it's been quarantined) and delete suspicious messages from within your email client.
SCAN SUMMARY -----------
Known viruses: 572031
Engine version: 0.95.2
Scanned directories: 54599
Scanned files: 233750
Infected files: 36
Data scanned: 27407.49 MB
Data read: 99561.66 MB (ratio 0.28:1)
Time: 9709.100 sec (161 m 49 s)
ClamXav v1.1.1 - ClamAV 0.95.2/9450/Wed Jun 10 09:41:08 2009 - ClamXav
--------------------------------------------------
I have no idea how to proceed with this so any help would be most appreciated.
With thanks,
...jpp...
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
It's an attachment in one of her emails that contains a trojan exe. It's no problem on a Mac, but it would be on a Winblows computer. If you want you can delete the email that contains the attachment.
Fresh-Faced Recruit
Join Date: Nov 2007
Thank you so much, Simon.
So that means we can delete the file in question (i.e. /Users/*username*/Library/Mail Downloads/WWW_99120.exe) without any fear she will lose email? Will she eventually stop receiving these errant emails?
Many thanks for your help!
...jpp...
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
You can safely delete that .exe file. And you can ignore the "replies to something she didn't send." Sometimes spammers and the like use "harvested" or even invented addresses in their spam's "reply to" field to distract the recipient from the real nature of the message. This has happened to me with both my commonly used addresses and my relatively private ones.
Glenn -----
OTR/L, MOT, Tx
Fresh-Faced Recruit
Join Date: Nov 2007
Again, thank you so much, Simon AND ghporter. Both of us appreciate this help.
...jpp...
Clinically Insane
Join Date: Mar 2001
Location: yes
jpprice: if you want to cut down on spam messages, backscatter, or forged/spoofed emails, you are barking up the wrong tree in scanning for viruses on her computer. You won't find any that will work and affect her Mac.
Firstly, while the latter two are off-putting, you need not be concerned that she has done something or has something installed that is generating these. It is absolutely trivial to replace From headers in email messages. What cannot be easily forged is the envelope address, which you can see by viewing the full headers of the message. When you do so, you'll most likely find that the messages are actually being generated in some non-English-speaking country. If this is the case, you can rest assured that these messages are being generated there, and not on her eMac. This is totally out of your hands.
If you are getting non-local spam mail of various sorts, really your best bet is focusing on ways to filter this spam. There is absolutely nothing you can do to cut it off altogether for that account, not unless you operate the SMTP gateway, and even then this is tricky business.
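What "viewing the full headers" turns up, as an added example that is not part of this thread: a small Python check over a constructed message that compares the trivially forged From: domain with the envelope sender (Return-Path) and pulls the injecting host's IP from the earliest Received hop. Every address, host and IP in the sample is a constructed placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the thread): From: claims to be the eMac user,
# while the envelope sender and the earliest Received hop point elsewhere.
# Relays prepend Received headers, so the LAST one is the hop closest to origin.
FORGED = """\
Return-Path: <bounce-4421@spam-relay.example>
Received: from spam-relay.example (spam-relay.example [203.0.113.7])
\tby mail.isp.example (Postfix) with ESMTP id 1A2B3C
\tfor <colleague@isp.example>; Wed, 10 Jun 2009 09:41:08 -0500
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby spam-relay.example with SMTP id 7Z8Y9X; Wed, 10 Jun 2009 09:40:55 -0500
From: "Friend" <friend@isp.example>
To: colleague@isp.example
Subject: Check this out

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def envelope_domain(msg):
    """Domain of the envelope sender (Return-Path); '' for a bounce (<>)."""
    _, addr = parseaddr(msg.get("Return-Path", ""))
    return addr.rpartition("@")[2].lower()

def origin_ip(msg):
    """IP from the earliest Received header, i.e. the host that injected the mail."""
    for hop in reversed(msg.get_all("Received") or []):  # last header = first hop
        m = IP_RE.search(hop)
        if m:
            return m.group(1)
    return None

def assess(raw):
    """Summarise what the headers say versus what the From: line claims."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    env_dom = envelope_domain(msg)
    return {
        "from_domain": from_dom,
        "envelope_domain": env_dom,
        "is_bounce": env_dom == "",            # Return-Path: <> marks a DSN/backscatter
        "origin_ip": origin_ip(msg),
        # From: is trivially forged; the envelope and Received path are what relays recorded
        "from_forged_suspect": env_dom != "" and env_dom != from_dom,
    }

if __name__ == "__main__":
    print(assess(FORGED))
```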
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
I've had it a couple times where the originating ip address was directly traceable to the e-mail provider of a windows-using friend whom I knew to be acquainted with a couple of the people I got the returned email "back" from.
His computer had a virus that was sending infectious e-mails out to various people in his address book in the name of others in his address book.
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by Spheric Harlot
I've had it a couple times where the originating ip address was directly traceable to the e-mail provider of a windows-using friend whom I knew to be acquainted with a couple of the people I got the returned email "back" from.
His computer had a virus that was sending infectious e-mails out to various people in his address book in the name of others in his address book.
Some can piggyback on the SMTP server used within a particular email client and go through the address book as you've described, but AFAIK, the more common approach these days is to actually run your own rogue SMTP server locally that spits out emails at ridiculous, unfettered rates. Many of these are controlled by IRC bots. I don't know if addresses are still collected in address books, or just downloaded from the botnet. There are lots of different ways to collect email addresses.
This could be inaccurate, out of date, whatever, but I do know that there is more to it than the old school Outlook Express exploits, esp. since many people don't use Desktop email clients anymore.
Fresh-Faced Recruit
Join Date: Nov 2007
Once again, everyone, thanks so much for your help with this and warmest regards.
...jpp...