Hi all, This morning on checking my e-mail, I found a suspicious file. It read "Re *********@********* : Balance due, missed payment". It supposedly came from `Taskmasters J. Murdered` (you will notice that I have not typed my correct e-mail address in this post, but it was typed in correctly in the e-mail). Now as far as I am aware I do not owe anyone anything; my payments are by direct debit, standing orders, credit card, or cash. So I suspected this file as a possible virus/worm. I am using the evaluation version of WormGuard. So what I did next was: created a new folder on my hard drive, right-clicked on the suspect file, selected `save target as`, saved it to the new folder on my hard drive, then I scanned it with AVG6: OK, nothing detected. I scanned it with TDS3: OK, nothing reported. I then scanned it with WormGuard: Alert!! "This file has triggered alerts in the WormGuard engine. Risk assessment medium. Security scripts detected." It then went on to list loads of text referring to page setup etc., etc. So I did not open this file. What do I do now? I forgot to mention, when WormGuard displayed the alert it also said "sends e-mail, it may be using e-mail to propagate".
Hi tutankamon, Can you use the WG "view this file safely" option? If so, can you see anything untoward? If you do not want to risk it, zip it and send it to support@diamondcs.com.au for analysis. HTH, Pilli
Hi Pilli, Thanks for the reply. No, it does not give me any options at all (is it just because it is the evaluation version?). I right-clicked on the folder but I can't get the "save" option; I opened the folder, there is just the icon for "show letter" which is the suspect file; I right-clicked but again I can't see the "save" option. What is the procedure for zipping and sending? I am using Zip 995.
Hmm, can't remember whether the trial has a View Safely button; check the help file for that. Zipping is usually achieved by right-clicking the file and sending it to a Zip file, say "suspicious.zip"; once zipped, send it to DCS.
Hi Tut, interesting case. So the "view in safe mode" gives you the info about the file's source. Not sure if you're using Outlook Express or another email program? If I have a suspicious email I want to know about without actually opening it, I make sure it doesn't appear in the preview by having another folder selected or another email; then press the search option and search for that email, for instance on date or sender name, whatever, anything to have it in that search window. If you select it without opening it, you can look in the properties and from there in the source. So you can read the whole source in a safe way, the same as you would do in WormGuard. So you know all the who and what from the email and possible infections or exploits. There you can also see a possible hidden attachment or code.
Hi Jooske, I'm not sure that I understand the method you describe. Doesn't appear in which preview? Which search? (I tried with Search in the START menu, Windows ME, found the file "show letter", clicked on Properties; it simply told me that it was an HTML document, opened by Internet Explorer, created 20 December 2003. No reference to any source.)
Are you using Outlook Express? That one has a search for messages. In OE, stand in any other place than on that particular message, press Edit > Search > put in search options for that sender name or subject name or date, anything to keep it small > the message name will appear in the search console, without opening the actual message. So if you then select it (highlight, or one click on it, or right-click) you will get a menu with one option for Properties. The first will give only the full header and there is another button for Details. With that (enlarge the window) you can have a look in the full body of the message. I'm not familiar with other clients; in fact I expect something similar. You can easily look if there is something else but normal text. It can also only harm (I think; if I'm wrong please correct me!) if there is an HTML message or an attachment -- if it is txt mode I wouldn't expect dangers unless you would (be forced to) run the attachment, or with an HTML document a possible exploit or included code. You will notice in WG the source you can look into in safe mode looks more or less the same, be it that WG displays the suspicious lines. Makes it easier to decide what to do with the message, as you know the content and what the possible alarm is. Looking forward to the official DCS detection for you too.
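The same source-only inspection can be done outside a mail client. This is an added example, not part of the thread and not WormGuard's or Outlook Express's code: a Python script that parses a raw message with the standard library, never renders the HTML, and reports the sender, subject, attachment names and any script, event-handler or mailto markup in HTML parts (the kind of "sends e-mail" content WormGuard flagged). The sample message, its addresses and the `triage` function are constructed for this demonstration.

```python
import email
import re
from email import policy

# Constructed sample: an HTML "balance due" notice with a script block,
# a mailto: form and an attached .htm file. All addresses are placeholders.
SAMPLE_EML = b"""From: billing@example.invalid
To: user@example.invalid
Subject: Re: Balance due, missed payment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=us-ascii

<html><body><p>Your balance is overdue.</p>
<script>window.open("http://example.invalid/offer");</script>
<form action="mailto:harvest@example.invalid" method="post"><input type="submit"></form>
</body></html>
--b1
Content-Type: application/octet-stream; name="statement.htm"
Content-Disposition: attachment; filename="statement.htm"

...
--b1--
"""

# Markup worth a second look in a message you have not opened:
# script tags, javascript: URLs, inline event handlers, and mailto: targets.
SCRIPT_RE = re.compile(r"<script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)
MAILTO_RE = re.compile(r"mailto:", re.IGNORECASE)

def triage(raw: bytes) -> dict:
    """Return headers, attachment names and findings; nothing is rendered or run."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"from": str(msg["From"]), "subject": str(msg["Subject"]),
              "attachments": [], "findings": []}
    for part in msg.walk():                      # every MIME part, including nested ones
        if part.get_filename():                  # Content-Disposition / name= parameter
            report["attachments"].append(part.get_filename())
        if part.get_content_type() == "text/html":
            body = part.get_content()            # decoded text, inspected as a string only
            if SCRIPT_RE.search(body):
                report["findings"].append("script or event handler in HTML part")
            if MAILTO_RE.search(body):
                report["findings"].append("mailto: link or form (may send e-mail)")
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```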
Hello Jooske, No, I am not using Outlook Express. I use Yahoo's e-mail service, which doesn't have all the extras you mention. I zipped the suspect file and sent it to Diamond CS; I am awaiting an answer now. Incidentally, when I scanned it with WormGuard it did not give me the 3 options at the bottom of the window; it simply showed one box which said "OK". It allowed me to view the file (perhaps "viewing in safe mode" was a default action in this case?). Reading the contents did not reveal any text like you expect in an e-mail, lots of lines referring to page setups and things like that, which I don't understand, but WormGuard alerted me so I didn't open it.
Aha, using webmail? Unfortunately it is no longer possible in the free version of Yahoo to have the email forwarded into your local email client like Outlook Express. Yahoo gives a possibility to look at the full header; not sure if you can see the whole source too. But as you zipped it to Gavin already you'll get an expert opinion soon enough. Mind you, Yahoo is full of spam; I opened the junk mail filters there and that spares a lot, which is immediately filtered out and I never read all that stuff, just one central delete button and zoooofff. Report what still comes through as spam and next time it comes in the spam box too; spares you a lot of worrying. Good that WG still jumped up for the email from online boxes, that is great!
Hello again Jooske, Yes, I had an e-mail from Diamond CS saying that the file was OK, so I opened it and it was just another spam advert for credit cards. I have 2 folders in my e-mail account with Yahoo. One is the "Bulk" folder where the majority of the spam goes, the other is my proper inbox. Like you, I would normally delete everything in the Bulk folder, but the title of the file aroused my interest, and the fact that WormGuard alerted me raised my interest even further. So I have learned a few things from that.
Good you have been so very careful, and indeed it's just the question why WG alerted on that one. A "sending emails" does look like something very nasty. It can happen with serious emails too: forwarding them to others might activate an email harvester, and certainly if the receivers react on it. I did not get such alerts yet, but others warned me about the possibilities of that! So once I recognise that I will try to cut such code out of emails I intend to forward, to avoid people getting involved with things they're not asking for. Just sending them in TXT format where possible avoids all that, but you might have to paste all URLs back in for the receiver you want them to see!
Yes, I tried that one but it never worked for me at all. Maybe an older version, and a newer one would be OK, dunno. Thanks for the link again.
Hi Jooske, I try to keep safe. Also, I do not have an address book; this is my choice. I think that if ever I am infected with an e-mail virus, at least it will not be passed on to my contacts. This should stop it spreading beyond me.
If you import emails in Outlook Express you can set it to warn for all kinds of misbehaviours and block them (with dollefie's links you can do such things), as well as with the firewall; ZAPro for instance has options to allow only the email account you specify for outgoing emails and a max per time period you tell it to be allowed to send, etc. I like to have some control I can see happening. Too often I got spam using my Yahoo email account as a sender and I have no way to find out if that was only to me or if I could have a risk of being blacklisted as a spammer; more so because the Yahoo support is among the most unhelpful I've ever experienced. (Illustration? I recently reported such spam which had used my account name, as I got a bounced mailer-daemon; Yahoo only sent a reply about lost passwords. They have not the slightest idea what people talk about and are responsible for keeping spam traffic alive in high gear. They might have automated their support with no human eyes looking at it at all, it seems. So I would never use them as my main email account for serious communication!) It can happen that people who got your email address somewhere on their system because of emails, newslists, forwardings, got infected, and so your email address can become a sender while there is nothing wrong with your system at all. (Remember Klez?) Your address can be harvested, as must have happened with mine, etc. (maybe from the Yahoo servers themselves). You could keep your own account in the address book with a strange username added to it, so maybe you would get email to that one so you know something is wrong. I stopped the holiday autoresponder there too, so spammers might not be sure if the account is valid.