Kaspersky - email trojan

Discussion in 'other anti-virus software' started by JerryM, May 20, 2010.

Thread Status:
Not open for further replies.
  1. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    A friend is using KIS 2010. This AM he called me and said that he had received a couple of calls that his email was sending a virus. He ran a scan with KIS, which revealed a trojan. I have no idea of the name of it, but it was from China. I checked my email, and had the message from him, but there was no malware in it. I have scanned with Avast Pro, MBAM, and SAS. All show clean.

    First, I am disappointed that KIS did not catch the trojan, especially since I gave it to him.
    Second, I don't understand how I got the message with no trojan in it. My Avast scans all incoming and outgoing mail. I would have thought that if there was a trojan in the mail it would have alerted instead of the email appearing as normal.

    I use Windows Live Mail, W7 64 bit, and the applications shown by my signature.
    Thanks.

    Regards,
    Jerry
     
  2. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    Hi Jerry,

    Anything I say here is speculation because we do not have access to the details.

    He may have been the victim of a phishing attack instead of a virus attack, and the phished account was then used to send out spam with malware attached.

    Also how exactly do you know he was sending out viruses- what was the content of the email, and what prompted other people to tell him he was sending out viruses?

    What exactly did the scan detect on his computer and how do you know it originated from China?
     
  3. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Hi Baz,
His son and a friend both called him to report that they had received a virus from email sent from his computer. I don't know the content of the email, even though I got it. I did not read it. The mail had something to do with iPod or iPad.

    The scan by KIS detected a trojan program, link infected and deleted.

He has a friend who is savvy in this stuff that got it, and he did some research and said it was from China. That's all I know about it.
    Thanks for the reply.

    Regards,
    Jerry
     
    Last edited: May 20, 2010
  4. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    Hi Jerry,

    A scan wouldn't detect a website URL. That was a script correctly identified by Web Antivirus (on-the-fly, when he tried to visit it) that was present in the source code and redirecting to malware.

    I would definitely advise him to change his email account passwords and seek help at a malware removal forum or Kaspersky technical support to double check he isn't infected, but to me this sounds more like a phishing attack to steal his credentials and then spam his contact list as opposed to a resident malware infection. If it didn't have an attachment then most likely it was just plain old spam.

    P.s. The link you posted is infected, please disable it
     
  5. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306

    Deleted, and thanks.
    Jerry
     
  6. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    I am sure that the email sent from my friend's computer did not arrive on his computer as email.
    His son became suspicious when he opened the email, noticed the poor English, and knew his dad did not send/forward it. Evidently the message was originated by the trojan and sent as a forwarded message.

    I am not sure which browser he was using at the time, IE8 or FF. Could the infection have been a result of allowing scripts?

    I'm at a loss as to how he was infected, and am wondering if he should go to another AV? It would seem to me that when the trojan took control of his email then KIS should have caught it. However, KIS 2010 has shown to be one of the top tier applications so I don't know what would have done any better.

    Regards,
    Jerry
     
  7. colt45allstar

    colt45allstar Registered Member

    Joined:
    Jun 9, 2006
    Posts:
    65
    What it comes down to Jerry (assuming it was indeed a Trojan causing all the problems) is that no antivirus program is going to catch 100 percent of infections, not with the sheer number of new malware day after day after day.

    It sounds like Kaspersky may have let one through, but it happens. I wouldn't be so quick to have him drop Kaspersky, but that's simply my opinion and to be fair I'm far from an expert.
     
  8. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Hi Colt,
    I agree with your assessment. I wish I could determine how the trojan got on his computer as he and his wife are very safe users. They delete any mail that originates from other than folks they know.

    I know that rogues disguise their names to be so much like legit applications that it is easy to overlook the difference and so get infected. I am not sure if trojans do the same.

    I think it is a lost cause to determine how he got infected.

    Regards,
    Jerry
     
  9. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
An examination of the friend's KIS settings may be in order.
     
  10. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    I set it up when I installed it for him. Is there something specific to check?
    Regards,
    Jerry
     
  11. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Don't know Jerry because I've never used it. But there are lots of kaspersky users here to go over settings with you.
     
  12. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    The URL was sent to VT by a member of Avast Forums. Here are the results.
    ~Virus Total results removed per Policy~

    It is interesting that of 41 scanners only 10 caught it. I am not sure what to make of the fact that some highly touted applications did not detect it if I read it correctly.
    Prevx and Comodo did not catch it, but maybe they are not designed to do so.

    Regards,
    Jerry
     
    Last edited by a moderator: May 21, 2010
  13. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Sorry about the VT results post. I forgot I couldn't post it.
    Regards,
    Jerry
     
  14. ace55

    ace55 Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    91
    I would suggest adding Prevx on your friend's machine. Contrary to what VT might suggest, Prevx would most likely have caught the infection. Prevx's static scan (the one used by VT) is quite weak, but its on execution scan is strong.
     
  15. echtp

    echtp Registered Member

    Joined:
    Oct 20, 2005
    Posts:
    30

    How can they be sure this mail is sent from his computer?
    A very common scenario goes like this:
A computer in his 'circle' has a virus. This virus is sending out mails to everybody in the address book, spoofing the email address by using one found in the address book (in this case your friend's email address).
So... is this mail really coming from his computer? Look at the mail header.
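The header check echtp recommends, written out as an added example (this is not code from the thread or from Kaspersky). The two messages are constructed samples with documentation addresses: one an address-book spoof where the origin hop, envelope sender and SPF result all disagree with the From: line, the other a message genuinely submitted through the sender's own provider. The ESMTPA/ESMTPSA test is a heuristic: those keywords (RFC 3848) mark an authenticated submission hop, which a spoof sent straight from an infected third-party PC will not have.

```python
"""Decide whether a 'virus mail' really left the purported sender's account or
only carries a spoofed From: address, by reading the headers (example code, not
from the thread). Sample messages are constructed; hosts/IPs are test ranges."""
import email
import re
from email.utils import parseaddr

# Constructed: address-book spoof. Earliest hop is an unrelated host with no
# authentication, envelope sender is a bulk-mail domain, SPF fails.
SPOOFED_MAIL = """\
Return-Path: <bounce-9912@mail.bulk-sender.example>
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
    by inbox.recipient.example with ESMTP id abc123; Thu, 20 May 2010 08:12:01 -0500
Received: from unknown (HELO friend-pc) ([198.51.100.77])
    by mx.recipient.example with SMTP; Thu, 20 May 2010 08:12:00 -0500
Authentication-Results: mx.recipient.example;
    spf=fail smtp.mailfrom=mail.bulk-sender.example
From: Friend <friend@example.com>
To: son@recipient.example
Subject: Fw: cheap ipad

check this out
"""

# Constructed: mail really submitted through the sender's provider
# (authenticated submission, ESMTPSA), envelope sender matches, SPF/DKIM pass.
GENUINE_MAIL = """\
Return-Path: <friend@example.com>
Received: from smtp-out.example.com (smtp-out.example.com [203.0.113.5])
    by mx.recipient.example with ESMTPS id def456; Thu, 20 May 2010 09:00:02 -0500
Received: from friend-pc.home (friend-pc.home [203.0.113.50])
    by smtp-out.example.com with ESMTPSA id ghi789; Thu, 20 May 2010 09:00:00 -0500
Authentication-Results: mx.recipient.example;
    spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Friend <friend@example.com>
To: son@recipient.example
Subject: photos

see attached
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _auth_result(field: str, results: str) -> str:
    m = re.search(rf"\b{field}=(\w+)", results)
    return m.group(1) if m else "none"


def analyze(raw: str) -> dict:
    """Return the origin hop, authentication results and a list of findings."""
    msg = email.message_from_string(raw)
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    rp_domain = _domain(parseaddr(msg.get("Return-Path", ""))[1])

    # Every relay prepends its own Received: line, so the LAST one describes
    # the hop closest to the true origin. Folded lines are joined first.
    received = msg.get_all("Received") or []
    origin = " ".join(received[-1].split()) if received else ""
    host = re.search(r"\bfrom\s+(\S+)", origin)
    ip = IPV4_IN_BRACKETS.search(origin)
    # ESMTPA / ESMTPSA (RFC 3848) mean the origin hop logged in to submit.
    authenticated = bool(re.search(r"\bwith\s+ESMTPS?A\b", origin))

    auth_results = " ".join(msg.get_all("Authentication-Results") or [])
    spf = _auth_result("spf", auth_results)
    dkim = _auth_result("dkim", auth_results)

    findings = []
    if rp_domain != from_domain:
        findings.append(f"envelope sender domain {rp_domain!r} differs from From: domain {from_domain!r}")
    if spf != "pass":
        findings.append(f"SPF result is {spf!r}")
    if not authenticated:
        findings.append("origin hop is not an authenticated submission (no ESMTPA/ESMTPSA)")

    return {
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "origin_host": host.group(1) if host else "",
        "origin_ip": ip.group(1) if ip else "",
        "authenticated_submission": authenticated,
        "spf": spf,
        "dkim": dkim,
        "findings": findings,
        "verdict": "spoofed" if findings else "consistent with the sender's account",
    }


if __name__ == "__main__":
    for label, raw in (("spoofed sample", SPOOFED_MAIL), ("genuine sample", GENUINE_MAIL)):
        result = analyze(raw)
        print(f"{label}: {result['verdict']} (origin {result['origin_host']} {result['origin_ip']})")
        for f in result["findings"]:
            print("  -", f)
```

If the message in question had been kept, the same three signals (earliest Received: hop, Return-Path versus From:, and the receiving server's SPF/DKIM result) would have settled whether the friend's account sent it or whether some other infected machine merely borrowed his address. A copy in his own Sent folder, as Jerry reports below, points the other way: that is evidence the account or the machine itself was used.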
     
  16. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    It was in his sent folder, and found on his computer when scanned. Other than that I don't know. The messages have been deleted so we don't have anything to examine.

    Probably 10 years ago I received an email from myself that I did not send. Nothing harmful, but somehow someone got my address. No one else ever informed me that they got it from me. It hasn't happened since.
    Thanks.

    Regards,
    Jerry
     
  17. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Thanks. The less stuff he has on his machine the happier he is. I think this was just one and an isolated instance.

    Regards,
    Jerry
     
  18. smage

    smage Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    378
    Perhaps just making his browser automatically start in KIS sandbox would help. Sandbox is a simple but effective method of protection.
     
    Last edited: May 22, 2010
  19. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    I understand him.
     
  20. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Yes, but this complicates his surfing some. For instance if he downloads something he would not be able to find it. When I first used it I could not find what I downloaded. I realize that one can overcome that, but he does not intend to have to work too hard to use his computer.

    Thanks,
    Jerry
     
  21. smage

    smage Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    378
    Then I suggest you make an image of his system so that you can restore it in case something happens.

    You could at least add WOT and set it to automatically block, this would not require any intervention from his part.

    But you know if he does not want to surf safe, he will undoubtedly get infected whatever security you install for him.
     
  22. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    I have absolutely no idea how to make such an image, and do not have one for mine.
    He is a very safe surfer, and this is just one case of anyone can get infected. It is not always the user's fault, and most of us are not savvy but don't get infected. I have been using computers for about 12 years, know little about the technical aspects, but have never been infected.

    I have a couple of friends who are safe, do not visit risky sites, do not open mail from anyone they do not know, and don't even stay on the web much. Yet they got an infection. As I read comments on these forums it is a general consensus that the only safe system is one turned off.

    I do appreciate the comments even though I am not savvy enough to follow the recommendations. Thanks.

    Regards,
    Jerry
     
  23. smage

    smage Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    378
    I'm also not an expert, I just wanted to find an easy way to keep your friend's PC safe. Anyway perhaps others will suggest something simpler.

    Good luck and be safe.

    PS: We cannot eliminate computer risks but we can take steps to minimise them.
     
    Last edited: May 22, 2010
  24. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Hi Smage,
    I do appreciate your responses. I need all the help I can get. Sometimes the suggestions are too technical for me, and particularly that particular friend.:D

    I think we have done what we can, and what he finds acceptable. Again, Thanks.

    Regards,
    Jerry
     
  25. btman

    btman Registered Member

    Joined:
    Feb 11, 2006
    Posts:
    576
JerryM I had a similar experience about a month ago. Girlfriend's cousin (who I don't talk to) sent me an email with an obvious virus, it was to a rapidshare link. So I put er in the sandbox and scan with SUPER, MBAM, Kaspersky, and A-Squared. Everything came up clean! Uploaded to Virustotal and only 3 detected it.

    Had to send that one to all my malware scanners and they've all added it now. But last time I uploaded it to VT it was still only like 7 scanners detected it.

I really don't think it's an indication of Kaspersky getting worse, just due to the sheer fact 3/40 shows a definite problem in new malware. Hoping KIS 2011 shows some improvements though.
     