Malware not deleted

I get mails from “The fifth third bank” and variants. It contains a trojan called “HTML/Phishing.gen trojan”.
I consider two settings of NOD32:
1. In my set up I ask for alerts and prompts. When the mail comes in, an alert appears, but the “delete-button” doesn’t work. The mail remains in my inbox and I have to delete manually.
2. In my set up I strictly follow Blackspear’s instructions. When the mail comes in I get no warning and the mail is not deleted. It is just that I remember from earlier experience with this sender that the mail contains malware and I also can see that it is quarantined. But it is not deleted. This means that if I didn’t remember this sender, I would not have had an indication that it contained malware. It cannot be expected that one is going to check quarantine every time that mail comes in in order to see if it eventually contains malware but is not deleted.
Under option 1 I get a warning at least. Under option 2 this infected mail may slip through.
Under option 1 the threat log says under action: “contained infected files”.
Under option 2 it says under action: “quarantined - contained infected files”.
Am I doing something wrong? Any advice?
Thanks.

 

Could you give more details? Web-based mail? Or do you use a mail client, if so, which one?

 

Just ordinary mail (not web based). I use Mozilla Thunderbird (version 1.0.6). Got this message four or five times during the last two weeks. In depth-analysis and on line scan doesn't show malware (I guess the quarantined files are made harmless; anyway I scanned the ESET map in particular and found nothing).
In an earlier experiment I copied the infected file (right click on the mail and 'save as') to my experiments-partition and scanned the copy. No alert. However I don't like to experiment with infected messages. The message is quarantined in three separate parts under the same name.

 

The beast came in again. IMON is the module that reports the virus threat. Had my scan setting on “prompt for an action” this time. Delete button didn’t work again. Saved the file in a ‘virus map’ in my experiments partition. Scanned it. No threats found.
My questions remain: why the alert? why does the delete button not work? and why do I find no threat in the saved file (I didn't clean)?
Any tech interested in the mail message that causes this? It’s available.
Feel somewhat uncomfortable with things I do not understand. If I’m doing stupid things, please tell me.
It is pretty silent out there.

 

Sent the malware to 'samples@eset.com'. Stupid indeed that I didn't notice ronjors sticky. Nevertheless I hope that someone can comment on the fact that I can't delete.

 

Email like this should not be considered a phising. There are just a couple of words and an image attached. It does not direct you to any website.

X-Account-Key: account1
Received: from hpsmtp-eml03.kpnxchange.com ([10.94.77.137]) by CPEXBE-EML02.kpnsp.local with Microsoft SMTPSVC(6.0.3790.211);
Sun, 27 Aug 2006 00:08:48 +0200
Received: from pool-72-77-107-254.pitbpa.east.verizon.net ([72.77.107.254]) by hpsmtp-eml03.kpnxchange.com with Microsoft SMTPSVC(6.0.3790.211);
Sun, 27 Aug 2006 00:08:46 +0200
From: "FIFTH THIRD bank" <online_support_id_3328015.cust@53.com>
To: <[removed]>
Subject: **SPAM** **SPAM USA 72.77.107.254** [virus HTML/Phishing.gen trojan] Fifth Third Bank: Urgent Security Notice For Client [Sat, 26 Aug 2006 22:08:48 +0300]
Date: Sat, 26 Aug 2006 22:08:48 +0300
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_006A_01C6C93A.AD5CBCE0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Return-Path: dacia@01-stay-in-paris-hotels.com
Message-ID: <HPSMTP-EML03MLHclKb0006bac6@hpsmtp-eml03.kpnxchange.com>
X-OriginalArrivalTime: 26 Aug 2006 22:08:47.0039 (UTC) FILETIME=[33D4B4F0:01C6C95C]
X-NOD32Result: Infected, HTML/Phishing.gen trojan
X-SpamPal: SPAM USA 72.77.107.254


This is a multi-part message in MIME format.

------=_NextPart_000_006A_01C6C93A.AD5CBCE0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_006B_01C6C93A.AD5CBCE0"


------=_NextPart_001_006B_01C6C93A.AD5CBCE0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

spar clod, wady bud box, nose hock worn oxenply yak grin shapup yard=20
jamneck muss flag endbeet jamb shopchop pale hale curl chum vallydoat=20
Adamwere sadpainlark harpbeat leftlit caul ion fan pore nip Hun hock=20
zoonprim ami lobe AIDSwedinn lev loan bit Pole clickbedonly dolt theyelf=20
goldpaxneed typeclap move swimelf bias job chut swayrob bask fief deer=20
blub pert palm type wavelama sty care fee quartwiry dough boor torn has=20
tan Thai meek knaphind youth pane jest tyre zealmush wary gowk snip=20
self grog hoop rill crabwhy limb tomb bend mop lake cow brag riot gumgig=20
pan, pal pram Bath, lousy rage edge incoke ray flop aura due musttyre=20
win wit nabgig well plotboor lyre gong he`s wary venaeven tarnoily=20
litprywing dillad mimedriv crab lest zone do not it long wept lispyowl=20
does lag pitcaynix Zen vox wry rude duffdroppal ace mashrat jampopreck=20
sirekid lash flapbade gold duel sole gashvile ewe barn thou how it`s=20
bosh pleb gooduva hewn navy be lagwhig into mite lousy cue what is junk=20
punt issoap volt flaw that dope safecalk driv wave mis- thin brow lap=20
hope throlick vice bled by lamp boo jug saw thin thinsilt lawn, net aim=20
mug, keg hack must stowtar keg test duet ague pushub boll ket comacurl=20
tomb wagpoll fit noon gong loom axessnug chitgear cabbagcameAxis orcoy=20
doitado urn poor doll tell us sink gale dudsip just self corneachwoof=20
feat guy boss nick dewyellsnafu our dregfull fasttipscow pray!! glitz=20
shoocrab flux lute hog zanydial old acre boll swam aged par butt=20
poolshoo soil fame dung tackwise pray peon lull yaud bee sip wet=20
voltslum prod abut bud till soilwadi door bat spar imp mega wark sate=20
peltperi lame shin punt tipoff mess loon valu Tom rift

__________ NOD32 1.1727 (20060826) Warning __________

Warning: NOD32 antivirus system found the following in the message:
part001.htm - HTML/Phishing.gen trojan - quarantined - deleted

http://www.eset.com


------=_NextPart_001_006B_01C6C93A.AD5CBCE0
Content-Type: text/plain
X-Removed: Removed by NOD32 Antivirus System



------=_NextPart_001_006B_01C6C93A.AD5CBCE0--


------=_NextPart_000_006A_01C6C93A.AD5CBCE0
Content-Type: image/png;
name="XK3LBLIE.PNG"
Content-Transfer-Encoding: base64
Content-ID: <006901c6c95c$346e5ce0$6c822ecf@JM5EV0>

iVBORw0KGgoAAAANSUhEUgAAAtMAAAHACAMAAABXgBSrAAAABGdBTUEAALGPC/
[removed to save space]
------=_NextPart_000_006A_01C6C93A.AD5CBCE0--

 

Marcos,
NOD32 has cleaned the active part out of that phishing email already?

 

NOD32_user ,

 

Yes, the part with a re-direct link was already removed by NOD32.

 

Ok, the e-mail should not be considered as phishing, but that's not visible from the outside. A warning is a warning and in such a case I don't open a mail and consequently cannot inspect the tag. But phishing or not, in case of any alert NOD32 should work properly and the question remains why this mail is not deleted, neither in the 'prompt' mode, nor in the 'delete' mode of the scan setting (and in the threat report). How come? Moreover, should I ever open e-mails with an alert? (Never open attachments, I know). Any advice on these points is welcome. Thanks anyway.

 

This should be because using Blackspears settings NOD32 was able to clean the email automatically without needing to alert you - in which case it is only deleted when cleaning of a detected threat is not possible.

 

You're right and I have been thinking of that. Point is, that I can't delete under the 'prompt' option and therefore am not sure what happens in the automatic option. Cleaning is not logged (or is it somewhere?). Can I safely open e-mail with an alert, so that I can see the tag? I'm learning (want to know what's going on in the background). Thanks.

 

The phising part of the email you submitted was removed before it reached ESET's mailbox.

If the Delete button is greyed out, the file has been deleted automatically by AMON (especially if it was created in the system temporary folder).

 

Delete button was active (red) and I could 'see' the action while pressing it. In the threat log the IMON module is mentioned, not the AMON module. Do all modules work and is it just by accident which one is mentioned? Can I open 'infected' e-mails? If the file was deleted automatically, how can I have sent it to you? Or was only the phishing part deleted? If so, how can I know? Still more questions. Thanks for your patience.

 

No , all should work and it is not by accident

No , because when you attempt to access the infected part , AMON will take part in the game

As far as I understood , the phishing part was deleted , the one that will redirect you to a fake address .

You'll know when NOD32 have pop-up and an on-demand scan appears clean . Also , you (the human) should be careful and not open any suspicious files nor answer or click on suspected emails/unknown senders . There is no free lunch , nobody will give you 1 million $$

 

Hi HiTech_boy,
I didn't suggest that modules run by accident, only that just IMON is mentioned in the threat log and not AMON. Does that mean that only IMON is involved in the threat handling?
On my question:'Can I open infected e-mails?' you answer: 'No , because when you attempt to access the infected part , AMON will take part in the game'.
Does the 'no' mean that it is impossible to do so, because AMON will take over, or does it mean 'you shouldn't do that' (free lunch up to $$1 M plus an infected PC).
I never take any risk. Afraid as hell + very, very bad experience with previous AV supplier. That's why I ask all these questions. Want to know how NOD32 works.

 

Information about absolutely everything can be found in the built-in help file . You can also read tutorials and user guides in the ESET's site (www.eset.com) or (www.eset.eu) or ask in NOD32's forum here at Wilders


NOD32 has 5 protection modules:

• AMON
• DMON
• EMON
• IMON
• NOD32 on-demand scanner

AMON is the Antivirus Monitor . It is most important protection which performs on-create , on-access and on-execute scans . By default scans all kind of files.

DMON is the Document Monitor . This scans API interface -MS Office document files and IE components such as ActiveX

EMON is the Email Monitor . This takes care for MS Office Outlook application

IMON is the Internet Monotor . This works in Winsock , early Windows level , and thus scans traffic before it even reaches your hard drive . It scans POP3 and HTTP , application independant so it protects all kind of POP3 mails and web-browsers


Learn how to protect your PC:

http://www.microsoft.com/protect
http://www.eset.eu/threat-center/security-tips
http://www.eset.eu/threat-centre/threat-dictionary
http://www.eset.eu/threat-center/threat-sense

 

Happy that you also mention this forum in your overview. Answers on very specific questions are not found in regular guides and tutorials. They arise as a consequence of the multitude of computer configurations. I do not always expect an answer, just look for people who have run into a comparable problem. If the problem proves to be a serious one, there will be many of them. In my case seemingly not (or I simply overlook something). I can live with that, no worries.

 

This is my second attempt at posting this. My first seems to have gotten lost somewhere.

I think I am missing something. Like the original poster, I am using TBird and have let it up a la Blackspear. I have received the exact email he refers to as well as probably over 150 like it during the time I have been using NOD32 (now ovwe 15 months). Each of the emails contained a link to a site requesting my rpivate info which I have been told is the definition of a phish. Never, ever, not even once has NOD32 done a thing about these messages. It has let me open them, it has let me click on the hperlinks and go to the fake sites, etc.

Marcos said that when it was sent to him NOD32 removed the malware parts before he received it. That's certainly not happening here.

Can anyone explain this to me?

Thanks.

Gary

 

NOD32 does not scan mail on encrypted connections and Thunderbird is not supported by EMON. Any change you receive your email through encrypted connections?

 

You mean IMON does not scan emails on encruption connections but NOD32 does scan encrupted mail using AMON

Yes , but EMON works only for MAPI interface -> MS Office Outlook

Any other mail client working with port 110 is being protected by IMON , later by AMON

 

...Thanks, need more coffee...

 

can I have a beer , please or a glass of Coca-Cola

 

SSK: I most definitely do not receive mail either encrypted or secure. Thunderbird is set to receive my POP mail as plain vanilla.

Gary