One suggestion was to entirely delete the contents of those two files
(which would wipe out a lot of my stored emails). I am reluctant to do
that.
If I watch while Kaspersky is scanning, I see that one of the instances
of the trojan is in "Inbox//[From WILL...se Bank Scam!!]/html" and the
second is in "Inbox//[From Com...Commerce Bank!]/html"
I would like to be able to find those two instances and remove them
rather than deleting my entire Inbox. But I don't see how to locate
them. Double clicking on "Inbox" asks which program to use, and
Thunderbird.exe doesn't seem to do it.
Would appreciate any help anyone might be able to offer.
I'm shooting rather in the dark here, since I have never used Kaspersky.
I hope someone with more experience with it will chime in.
Mail in Thunderbird is in Mbox format, meaning that what appears to be a
folder in the TB UI is actually a file. That's why your AV app wants to
remove your whole Inbox. It cannot see the individual messages, only the
Inbox file.
Try opening Thunderbird. Find the offending files in your Inbox and
delete them. Then empty the trash and compact the folders.
Close TB and run your AV scan again. Does it still show the infection?
Lee
Display all headers in your inbox. Search for 'bank'. Find the two
messages, and delete them, then compact your inbox, then delete the trash.
However, it is generally unwise to scan mbox files with virus scanners.
TB will NOT allow those virus/trojan files to run unless YOU
specifically choose to run them. They will do no harm sitting in your
inbox. It is rather like a hand grenade that can shit on a shelf in
your gun cabinet for 50 years. No harm, no danger, unless someone pulls
the pin.
--
Ron Hunter - rphu...@charter.net
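The replies above explain that a Thunderbird folder is one mbox file and suggest searching for 'bank', deleting the two messages and compacting. The following is an added Python example, not part of any poster's message, that does the same thing on the file level: it indexes an mbox by byte range, finds messages by subject, and builds a compacted copy without them. The sample mailbox is constructed, the function names are hypothetical, and it is assumed you work on a copy of the Inbox file with Thunderbird closed.

```python
import email
import email.policy

# Constructed sample: three messages in mbox form (a "From " line starts each one).
SAMPLE_MBOX = (
    b"From - Sat Jan 02 10:00:00 2010\n"
    b"From: alice@example.org\nSubject: Lunch on Friday\n"
    b"Content-Type: text/plain\n\nSee you at noon.\n\n"
    b"From - Sat Jan 02 11:00:00 2010\n"
    b"From: notice@example.net\nSubject: Urgent: Example Bank account notice\n"
    b"Content-Type: text/html\n\n<html><body>MARKER-ONE</body></html>\n\n"
    b"From - Sat Jan 02 12:00:00 2010\n"
    b"From: alerts@example.com\nSubject: Your bank statement\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n\n'
    b"--b1\nContent-Type: text/plain\n\nPlease open the form.\n"
    b"--b1\nContent-Type: text/html\n\n<html>MARKER-TWO</html>\n--b1--\n\n"
)


def index_mbox(raw):
    """Return one record per message: byte range, sender, subject, MIME part types."""
    starts, pos = [], 0
    for line in raw.splitlines(keepends=True):
        # Body lines that begin with "From " are stored escaped (">From "),
        # so an unescaped one marks the start of the next message.
        if line.startswith(b"From "):
            starts.append(pos)
        pos += len(line)
    records = []
    for start, end in zip(starts, starts[1:] + [len(raw)]):
        msg = email.message_from_bytes(raw[start:end], policy=email.policy.default)
        records.append({
            "start": start, "end": end,
            "from": str(msg["From"]), "subject": str(msg["Subject"]),
            "parts": [p.get_content_type() for p in msg.walk()],
        })
    return records


def find_by_subject(raw, needle):
    """Messages whose Subject contains needle (case-insensitive)."""
    return [r for r in index_mbox(raw) if needle.lower() in r["subject"].lower()]


def compact_without(raw, records):
    """Copy of the mbox with the given messages' byte ranges left out."""
    out, pos = bytearray(), 0
    for r in sorted(records, key=lambda r: r["start"]):
        out += raw[pos:r["start"]]
        pos = r["end"]
    out += raw[pos:]
    return bytes(out)


if __name__ == "__main__":
    hits = find_by_subject(SAMPLE_MBOX, "bank")
    for r in hits:
        print(f"bytes {r['start']}-{r['end']}  {r['subject']!r}  parts={r['parts']}")
    cleaned = compact_without(SAMPLE_MBOX, hits)
    print(len(index_mbox(cleaned)), "message(s) left")
```

The byte ranges show why a scanner that treats the Inbox as one file flags the whole file, and why the flagged content only disappears from disk once the file has been rewritten without those ranges.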
> They will do no harm sitting in your
> inbox. It is rather like a hand grenade that can shit on a shelf in
> your gun cabinet for 50 years. No harm, no danger, unless someone pulls
> the pin.
Sir, May I commend you on your slip of the finger in the above noted
paragraph, it actually made me 'larf' out loud, and that in itself is an
achievement.
I'll not point out the amusing slip, as it's much more fun finding it as
you read.
Thanks
Dave
--
Dave Triffid
I am inclined to think the "slip" might have been intentional ...
--
John Doue
It appears that bug #116443 is still alive and annoying.
Messages themselves do not carry viruses. Viruses are in the
attachments to messages. Thus, the real solution is that attachments
should not be stored with their messages. My E-mail client separates
them, which allows me to open the messages to find who is really sending
me viruses and to inform their ISP.
See <https://bugzilla.mozilla.org/show_bug.cgi?id=116443>.
--
David E. Ross
<http://www.rossde.com/>
Go to Mozdev at <http://www.mozdev.org/> for quick access to
extensions for Firefox, Thunderbird, SeaMonkey, and other
Mozilla-related applications. You can access Mozdev much
more quickly than you can Mozilla Add-Ons.
--- Original Message ---
> On 1/2/2010 10:10 PM, Jon Kinne wrote:
>> I am running Thunderbird 3.0 under Windows 7. I had discovered a trojan
>> (trojan-spy.html.fraud.gen) which was detected by Kaspersky as being in
>> two Inbox files in my Thunderbird profile.
>>
>> One suggestion was to entirely delete the contents of those two files
>> (which would wipe out a lot of my stored emails). I am reluctant to do
>> that.
>>
>> If I watch while Kaspersky is scanning, I see that one of the instances
>> of the trojan is in "Inbox//[From WILL...se Bank Scam!!]/html" and the
>> second is in "Inbox//[From Com...Commerce Bank!]/html"
>>
>> I would like to be able to find those two instances and remove them
>> rather than deleting my entire Inbox. But I don't see how to locate
>> them. Double clicking on "Inbox" asks which program to use, and
>> Thunderbird.exe doesn't seem to do it.
>>
>> Would appreciate any help anyone might be able to offer.
>
> It appears that bug #116443 is still alive and annoying.
>
> Messages themselves do not carry viruses. Viruses are in the
> attachments to messages. Thus, the real solution is that attachments
> should not be stored with their messages. My E-mail client separates
> them, which allows me to open the messages to find who is really sending
> me viruses and to inform their ISP.
>
> See <https://bugzilla.mozilla.org/show_bug.cgi?id=116443>.
>
I run with Kaspersky AV and it removes malicious attachments and also
the message body itself and presents no problems with the INBOX like
other AVs do.
I also have ClamAV on my server which auto-removes any harmful
attachments in its DB, some slip by and KAV takes care of those.
--
Jay Garcia - Netscape/Flock Champion
www.ufaq.org
Netscape - Flock - Firefox - Thunderbird - Seamonkey Support
If you enable 'Allow Antivirus clients to quarantine individual incoming
messages' (Tools > options > Security > Antivirus) and if your
antivirus software can scan messages on arrival then you don't have to
bother much about how Tb will handle attachments.
<http://kb.mozillazine.org/Download_each_e-mail_to_a_separate_file_before_adding_to_Inbox>
--- Original Message ---
KAV does just that without having to enable it in TB. But KAV will
change the subject to something like "malicious content deleted" for
just one example. False positives are not an issue.
--- Original Message ---
No, it is not a waste of time for a good AV application to take care of
it in the background.
How will you know that you should indeed delete the message without
opening the attachment if you haven't scanned the inbox?
Think of the following situation:
A very new virus is received in an attachment that you don't open right
away. The virus is so new that the vendor of your anti-virus
application is still updating its virus database.
When the virus database is updated, you download the update into your
anti-virus application. As part of updating the application, you then
do a system-wide scan.
The scan finds the malicious attachment. Oops! It's too late for
"Allow Antivirus clients to quarantine individual incoming messages".
Alternatively, after updating the application, you go to open the
message and its malicious attachment. Oops! It's again too late.
This is an important reason why I use Thunderbird as a news reader but
not for E-mail.
Right, that scenario is really valid, I should have thought of it
beforehand.
In TB, opening a MESSAGE does NOT execute an attachment. Try this: Send
yourself an email with a .exe file in it, and then try to execute the
attachment.
> This is an important reason why I use Thunderbird as a news reader but
> not for E-mail.
>
Again, TB will NOT execute an attachment! Period. A virus, or trojan
that resides within a file in your inbox Mbox file does NO HARM. If you
are so dumb as to execute the file, then it is not something that TB or
any other email program can help you with.
Simple rule. Don't execute any executable file sent to you via email,
unless YOU requested it from someone you know, and you trust, and even
then, if you have an AV program, it will flag a malicious file.
I don't use an AV program, and haven't for the past 5 or 6 years, at
least. I have never gotten a virus on any PC computer I have owned
since 1995. But then, I am a suspicious old fart, and don't trust
anything that comes over the internet....
[---]
>Alternatively, after updating the application, you go to open the
>message and its malicious attachment. Oops! It's again too late.
>
>This is an important reason why I use Thunderbird as a news reader but
>not for E-mail.
What do you use for email? Eudora, which I used to use, automatically
detached all incoming attachments into a specific, user-specified
directory, where they could do no harm, awaiting an AV scan. No user
intervention was required, and the email (mbx) files themselves could
never become infected.
Unfortunately, Eudora is no longer developed by Qualcomm, and as it
cannot handle UTF-8 encoding, I reluctantly switched to Thunderbird.
But I'd very much like to have that feature in a modern email client.
> This is an important reason why I use Thunderbird as a news reader but
> not for E-mail.
Heh. :-) I find that statement amusing, as it is the exact opposite of
what I do. I find Thunderbird to be an excellent email application, and
a poor newsreader.
What /do/ you use for email?
--
-bts
-Four wheels carry the body; two wheels move the soul
--- Original Message ---
Sometimes scanning the inbox with your own gray-matter-built-in scanner
is more effective. If you don't have an account with Chase Bank and
there is an attachment that your AV doesn't pick up ... then what?
--- Original Message ---
Hmmm, you open and RUN attachments if you don't know the recipient or
recognize or expect the attachment???
While I can see why you would like to have the attachments apart from
the text message, I consider the way TB does it vastly superior. First,
the message is NOT in binary form as TB saves it, so it CAN'T run.
Second, TB WON'T run it. Third, a malicious file that can't be run is
no threat. If TB wrote the file into a binary file, and saved it (which
it will do IF you tell it to), then it could be run, which would be
dangerous. Saved as an encoded text file, it is quite safe.
--- Original Message ---
No, it is NOT valid from a reasonable standpoint. What did we do in
Navigator or Communicator before the age of the AV application(s)? We
didn't OPEN or RUN suspect attachments or even email for that matter.
Human "reason" is much more effective than ANY AV on the planet.
--- Original Message ---
I have my TB configured to NOT download messages over 50k. Most, if not
all attachments are well over 50k. Incoming over 50k will truncate the
message after which you must "download the rest of the message". It is
TOTALLY YOUR FAULT if you get infected by OPENING and RUNNING a
malicious attachment.
I think it is absolutely hilarious, and gave me a well-needed laugh.
--
Best regards
Gord McFee
--- Original Message ---
It's like the Nigerian 419 scammer once told 60 minutes, "All I need is a
half dozen takers out of the million+ emails". Sad thing is, they get
more than that 1/2 dozen takers.
A number of responses failed to understand what I was trying to say.
Perhaps, I was not clear.
Prior to the "alternative", the problem I described was NOT about
opening a malicious attachment. It was about my anti-virus application
attempting to quarantine my entire inbox after the vendor of that
application was able to update the virus database.
While my "alternative" does mention opening an infected message and its
attachment, I DO NOT DO THAT. But others do that. Their anti-virus
application -- having been updated -- detects the malicious attachment
that was not detected when the attachment was downloaded. Again, the
anti-virus application attempts to quarantine the entire inbox.
The issue is that embedding attachments within the inbox can indeed lead
to a loss of the inbox. The inbox is a single large file that includes
both messages and attachments. If the inbox file contains an attachment
with a virus, an anti-virus application is performing as expected if it
indeed quarantines that entire file during a system scan or when the
file is opened. For some (most? all?) anti-virus applications, that
will happen when the file is opened for a completely different E-mail
message; it doesn't have to be the specific infected message.
Can you guarantee that your anti-virus application always has data on
the very latest virus? Hours (in some cases days) may elapse between
the start of virus propagation and the update of virus databases.
During that development period, scanning incoming data will not detect
the new virus. It is this delay between propagation and detection that
creates a problem for embedding attachments into the inbox file.
--- Original Message ---
If your inbox is being quarantined even if there is no malicious
attachment present then it's a problem with the application. Kaspersky
does not quarantine the inbox but rather the message itself, the inbox
remains viable and intact.
Kaspersky is able to extract a specific message and its attachment from
the inbox file? Does it then compress the inbox?
In other words, it extracts a viral fragment from an infected file
without perturbing the rest of the file. Is it able to do this with
other, non-E-mail files?
The problem would be resolved if bug #9309 (now more than 10 years old)
were implemented. See
<https://bugzilla.mozilla.org/show_bug.cgi?id=9309>.
--- Original Message ---
No, KAV removes the malicious content and changes the subject to let you
know what it did. There is no quarantine of the inbox.
> In other words, it extracts a viral fragment from an infected file
> without perturbing the rest of the file. Is it able to do this with
> other, non-E-mail files?
Yes, it does not disturb the rest of the file.
What is an "other non-email file"? If you mean an ftp download, yes, you
get either a warning or an auto-removal that is user configurable.
--- Original Message ---
Not so, KAV scans, finds, neutralizes and then lets the message through
with a changed subject to let you know what happened. There is no
quarantining of the inbox. YMMV
> On 03.01.2010 12:05, David E. Ross wrote:
[ ... ]
>> Think of the following situation:
>>
>> A very new virus is received in an attachment that you don't open
>> right away. The virus is so new that the vendor of your anti-virus
>> application is still updating its virus database.
>>
>> When the virus database is updated, you download the update into
>> your anti-virus application. As part of updating the application,
>> you then do a system-wide scan.
>>
>> The scan finds the malicious attachment. Oops! It's too late for
>> "Allow Antivirus clients to quarantine individual incoming
>> messages".
>>
>> Alternatively, after updating the application, you go to open the
>> message and its malicious attachment. Oops! It's again too late.
>>
>> This is an important reason why I use Thunderbird as a news reader
>> but not for E-mail.
>
> Hmmm, you open and RUN attachments if you don't know the recipient
> or recognize or expect the attachment???
He *is* the recipient. ;-) I think you meant sender.
Ken Whiton
--
FIDO: 1:132/152
InterNet: kenw...@surfglobal.net.INVAL (remove the obvious to reply)
> On 1/2/2010 10:10 PM, Jon Kinne wrote:
> > I am running Thunderbird 3.0 under Windows 7. I had discovered a trojan
> > (trojan-spy.html.fraud.gen) which was detected by Kaspersky as being in
> > two Inbox files in my Thunderbird profile.
> >
> > One suggestion was to entirely delete the contents of those two files
> > (which would wipe out a lot of my stored emails). I am reluctant to do
> > that.
> >
> > If I watch while Kaspersky is scanning, I see that one of the instances
> > of the trojan is in "Inbox//[From WILL...se Bank Scam!!]/html" and the
> > second is in "Inbox//[From Com...Commerce Bank!]/html"
> >
> > I would like to be able to find those two instances and remove them
> > rather than deleting my entire Inbox. But I don't see how to locate
> > them. Double clicking on "Inbox" asks which program to use, and
> > Thunderbird.exe doesn't seem to do it.
> >
> > Would appreciate any help anyone might be able to offer.
>
> It appears that bug #116443 is still alive and annoying.
>
> Messages themselves do not carry viruses. Viruses are in the
> attachments to messages.
While your statement here is almost always true, it is not an
absolute. It is unlikely, but possible that the message carries
a virus (or some sort of attack). I think it is much more
difficult to create an effective attack that would work from
a message body.
But, as you say, the big problem is with attachments.
////jerry
> Thus, the real solution is that attachments
> should not be stored with their messages. My E-mail client separates
> them, which allows me to open the messages to find who is really sending
> me viruses and to inform their ISP.
>
> See <https://bugzilla.mozilla.org/show_bug.cgi?id=116443>.
>
> --
> David E. Ross
> <http://www.rossde.com/>
>
> Go to Mozdev at <http://www.mozdev.org/> for quick access to
> extensions for Firefox, Thunderbird, SeaMonkey, and other
> Mozilla-related applications. You can access Mozdev much
> more quickly than you can Mozilla Add-Ons.
While I wouldn't want to say it was impossible, because I can think of a
potential method (which I am NOT going to discuss), it seems not to be
something to waste a lot of energy worrying about, at least not until
someone has DONE it.
Then it's probably because KAV has the ability to understand mbox format.
Btw, Jay, are you sure that it doesn't modify mail content (removes
infected attachment and updates subject) during message download (before
adding it to Inbox file)?
--- Original Message ---
There are many options for KAV as regards how it treats incoming mail.
There is a separate configuration to handle attachments, either
enable/disable. If enabled you have the option to have KAV rename any
attachment suffixes from a user selectable list, such as .exe to
something else that cannot be executed or doc to something else so that
it won't open in Word or ZIP, etc. If enabled then you get a message in
your received email that an attachment was renamed as per your
specification(s).
If disabled then it's up to YOU the recipient to handle it manually.
Again, you MUST not only download an attachment, you must ALSO run it.
It's YOUR fault if you get infected, you have two chances - download
then run.
How about the way it treats mail that already came in and has been
sitting in the inbox for a while?
I've downloaded a message but not opened yet. I don't know it, but the
message includes an attachment with a virus. It's a very, very new
virus. KAV's update is downloaded and installed two hours later. KAV
then does a total scan of my entire hard drive.
In this situation, can KAV remedy the virus without perturbing the rest
of my inbox? Remember, I still haven't tried to open the message; so
I'm not at risk of being infected. Am I at risk of corrupting or
entirely losing my inbox when KAV does the total scan of my hard drive?
Don't feel too secure with your 50K limit!
I once received a mail w/ attachment and I had the feeling the attachment
could be malicious. My antivirus guard didn't raise an alert. I saved the
attachment and let it be scanned explicitly. No alert. I made an update of
the antivirus (before my update status was three hours old) and scanned
again: Malicious software identified.
Now the bit for you: This particular piece of malware was 3.7 KByte in
size! - Your turn.
> Now the bit for you: This particular piece of malware was 3.7 KByte in
> size! - Your turn.
Do you still have the file? Send it to http://www.virustotal.com/
and/or http://virusscan.jotti.org/en to see what it is.
--- Original Message ---
If one under 50k gets in then I shift into manual defense mode and
remove the attachment without saving and/or running it. ;-)
--- Original Message ---
> On 1/4/2010 4:40 PM, Jay Garcia wrote [in part]:
>>
>> There are many options for KAV as regards how it treats incoming mail.
>
> How about the way it treats mail that already came in and has been
> sitting in the inbox for a while?
If mail is sitting in the inbox that is/may be malicious then it's been
there before KAV was installed and configured.
> I've downloaded a message but not opened yet. I don't know it, but the
> message includes an attachment with a virus. It's a very, very new
> virus. KAV's update is downloaded and installed two hours later. KAV
> then does a total scan of my entire hard drive.
If that is the case then shift into manual defense mode and remove the
attachment w/o saving/running it. Simple as that. If YOU get infected
then it's YOUR fault.
> In this situation, can KAV remedy the virus without perturbing the rest
> of my inbox? Remember, I still haven't tried to open the message; so
> I'm not at risk of being infected. Am I at risk of corrupting or
> entirely losing my inbox when KAV does the total scan of my hard drive?
>
Again, KAV does not affect the rest of your inbox, only what it
determines to be malicious.
--- Original Message ---
> Christoph Schmees wrote:
>
>> Now the bit for you: This particular piece of malware was 3.7 KByte in
>> size! - Your turn.
>
> Do you still have the file? Send it to http://www.virustotal.com/
> and/or http://virusscan.jotti.org/en to see what it is.
>
First, save it and do a manual scan on THAT file alone. If the virus is
in the AV database of your application it will be caught and neutralized.
unfortunately not. That is some years ago and I don't normally keep such
files. Perhaps I should have done ...
in thunderbird, go to tools, options, security, anti virus and make
sure the "allow anti virus to quarantine individual incoming messages" is
checked...
it may not help in this instance... but will in all others...
sean
--
Like a lot of husbands throughout history, Mr. Webster would sit down
and try to talk to his wife. As soon as he'd say something though, she'd
fire back with, "And just what the hell is THAT supposed to mean?" Thus,
Webster's Dictionary was born.
** taglines almost, sorta, kinda brought to you by tagzilla 0.066
it definitely needs up dating @ http://tagzilla.mozdev.org
But, what about the "early adopters" who insist upon receiving
viri/trojan/worms that are so new, AV haven't released detection updates
against them yet? Heuristics will catch some of them, but...
imo, let the AV have the rest of the machine, I'll monitor my inbox(es)
myself.
Common sense=the best AV.
(There's no AV protection against ignorance/stupidity.)
I agree. The best AV 'program' is the one that runs in the 'wetware'
between your ears.