Malware not deleted

Discussion in 'NOD32 version 2 Forum' started by quser, Aug 24, 2006.

Thread Status:
Not open for further replies.
  1. quser

    quser Registered Member

    Joined:
    Aug 17, 2006
    Posts:
    21
    I get mails from “The fifth third bank” and variants. It contains a trojan called “HTML/Phishing.gen trojan”.
    I consider two settings of NOD32:
    1. In my set up I ask for alerts and prompts. When the mail comes in, an alert appears, but the “delete-button” doesn’t work. The mail remains in my inbox and I have to delete manually.
    2. In my set up I strictly follow Blackspear’s instructions. When the mail comes in I get no warning and the mail is not deleted. It is just that I remember from earlier experience with this sender that the mail contains malware and I also can see that it is quarantined. But it is not deleted. This means that if I didn’t remember this sender, I would not have had an indication that it contained malware. It cannot be expected that one is going to check quarantine every time that mail comes in in order to see if it eventually contains malware but is not deleted.
    Under option 1 I get a warning at least. Under option 2 this infected mail may slip through.
    Under option 1 the threat log says under action: “contained infected files”.
    Under option 2 it says under action: “quarantined - contained infected files”.
    Am I doing something wrong? Any advice? o_O
    Thanks.
     
  2. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Could you give more details? Web-based mail? Or do you use a mail client, if so, which one?
     
  3. quser

    quser Registered Member

    Joined:
    Aug 17, 2006
    Posts:
    21
    Just ordinary mail (not web based). I use Mozilla Thunderbird (version 1.0.6). Got this message four or five times during the last two weeks. In-depth analysis and online scan don't show malware (I guess the quarantined files are made harmless; anyway I scanned the ESET map in particular and found nothing).
    In an earlier experiment I copied the infected file (right click on the mail and 'save as') to my experiments-partition and scanned the copy. No alert. However I don't like to experiment with infected messages. The message is quarantined in three separate parts under the same name. o_O
     
  4. quser

    quser Registered Member

    Joined:
    Aug 17, 2006
    Posts:
    21
    The beast came in again. IMON is the module that reports the virus threat. Had my scan setting on “prompt for an action” this time. Delete button didn’t work again. Saved the file in a ‘virus map’ in my experiments partition. Scanned it. No threats found.
    My questions remain: why the alert? why does the delete button not work? and why do I find no threat in the saved file (I didn't clean)?
    Any tech interested in the mail message that causes this? It’s available.
    Feel somewhat uncomfortable with things I do not understand. If I’m doing stupid things, please tell me.
    It is pretty silent out there.:doubt:
     
  5. quser

    quser Registered Member

    Joined:
    Aug 17, 2006
    Posts:
    21
    Sent the malware to 'samples@eset.com'. Stupid indeed that I didn't notice ronjors sticky. Nevertheless I hope that someone can comment on the fact that I can't delete.:ouch:
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Email like this should not be considered a phishing. There are just a couple of words and an image attached. It does not direct you to any website.

    X-Account-Key: account1
    Received: from hpsmtp-eml03.kpnxchange.com ([10.94.77.137]) by CPEXBE-EML02.kpnsp.local with Microsoft SMTPSVC(6.0.3790.211);
    Sun, 27 Aug 2006 00:08:48 +0200
    Received: from pool-72-77-107-254.pitbpa.east.verizon.net ([72.77.107.254]) by hpsmtp-eml03.kpnxchange.com with Microsoft SMTPSVC(6.0.3790.211);
    Sun, 27 Aug 2006 00:08:46 +0200
    From: "FIFTH THIRD bank" <online_support_id_3328015.cust@53.com>
    To: <[removed]>
    Subject: **SPAM** **SPAM USA 72.77.107.254** [virus HTML/Phishing.gen trojan] Fifth Third Bank: Urgent Security Notice For Client [Sat, 26 Aug 2006 22:08:48 +0300]
    Date: Sat, 26 Aug 2006 22:08:48 +0300
    MIME-Version: 1.0
    Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_006A_01C6C93A.AD5CBCE0"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2800.1106
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
    Return-Path: dacia@01-stay-in-paris-hotels.com
    Message-ID: <HPSMTP-EML03MLHclKb0006bac6@hpsmtp-eml03.kpnxchange.com>
    X-OriginalArrivalTime: 26 Aug 2006 22:08:47.0039 (UTC) FILETIME=[33D4B4F0:01C6C95C]
    X-NOD32Result: Infected, HTML/Phishing.gen trojan
    X-SpamPal: SPAM USA 72.77.107.254


    This is a multi-part message in MIME format.

    ------=_NextPart_000_006A_01C6C93A.AD5CBCE0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_001_006B_01C6C93A.AD5CBCE0"


    ------=_NextPart_001_006B_01C6C93A.AD5CBCE0
    Content-Type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable


    __________ NOD32 1.1727 (20060826) Warning __________

    Warning: NOD32 antivirus system found the following in the message:
    part001.htm - HTML/Phishing.gen trojan - quarantined - deleted

    http://www.eset.com


    ------=_NextPart_001_006B_01C6C93A.AD5CBCE0
    Content-Type: text/plain
    X-Removed: Removed by NOD32 Antivirus System



    ------=_NextPart_001_006B_01C6C93A.AD5CBCE0--


    ------=_NextPart_000_006A_01C6C93A.AD5CBCE0
    Content-Type: image/png;
    name="XK3LBLIE.PNG"
    Content-Transfer-Encoding: base64
    Content-ID: <006901c6c95c$346e5ce0$6c822ecf@JM5EV0>

    iVBORw0KGgoAAAANSUhEUgAAAtMAAAHACAMAAABXgBSrAAAABGdBTUEAALGPC/
    [removed to save space]
    ------=_NextPart_000_006A_01C6C93A.AD5CBCE0--
     
  7. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Marcos,
    NOD32 has cleaned the active part out of that phishing email already?
     
  8. ASpace

    ASpace Guest

    NOD32_user ,


    :D :D :D
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Yes, the part with a re-direct link was already removed by NOD32.
     
  10. quser

    quser Registered Member

    Joined:
    Aug 17, 2006
    Posts:
    21
    Ok, the e-mail should not be considered as phishing, but that's not visible from the outside. A warning is a warning and in such a case I don't open a mail and consequently cannot inspect the tag. But phishing or not, in case of any alert NOD32 should work properly and the question remains why this mail is not deleted, neither in the 'prompt' mode, nor in the 'delete' mode of the scan setting (and in the threat report). How come? Moreover, should I ever open e-mails with an alert? (Never open attachments, I know). Any advice on these points is welcome. Thanks anyway.:doubt:
     
  11. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    This should be because using Blackspears settings NOD32 was able to clean the email automatically without needing to alert you - in which case it is only deleted when cleaning of a detected threat is not possible.
     
  12. quser

    quser Registered Member

    Joined:
    Aug 17, 2006
    Posts:
    21
    You're right and I have been thinking of that. Point is, that I can't delete under the 'prompt' option and therefore am not sure what happens in the automatic option. Cleaning is not logged (or is it somewhere?). Can I safely open e-mail with an alert, so that I can see the tag? I'm learning (want to know what's going on in the background). Thanks.
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The phishing part of the email you submitted was removed before it reached ESET's mailbox.

    If the Delete button is greyed out, the file has been deleted automatically by AMON (especially if it was created in the system temporary folder).
     
  14. quser

    quser Registered Member

    Joined:
    Aug 17, 2006
    Posts:
    21
    Delete button was active (red) and I could 'see' the action while pressing it. In the threat log the IMON module is mentioned, not the AMON module. Do all modules work and is it just by accident which one is mentioned? Can I open 'infected' e-mails? If the file was deleted automatically, how can I have sent it to you? Or was only the phishing part deleted? If so, how can I know? Still more questions. Thanks for your patience.o_O
     
  15. ASpace

    ASpace Guest

    No , all should work and it is not by accident :)

    No , because when you attempt to access the infected part , AMON will take part in the game :D

    As far as I understood , the phishing part was deleted , the one that will redirect you to a fake address .

    You'll know when NOD32 have pop-up and an on-demand scan appears clean . Also , you (the human) should be careful and not open any suspicious files nor answer or click on suspected emails/unknown senders . There is no free lunch , nobody will give you 1 million $$

    :thumb:
     
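    One way to answer the "how can I know which part was deleted" question from the raw message itself: NOD32 leaves an X-NOD32Result header on the message and replaces the removed MIME part with a stub carrying an X-Removed header, as in the email quoted earlier in this thread. The following is an added example, not ESET's code; the sample message is constructed to mirror that quoted email's structure.

```python
import email
from email import policy

# Constructed sample modelled on the message quoted in this thread: a
# multipart/related message whose HTML part NOD32 replaced with a stub.
SAMPLE = b"""\
From: "FIFTH THIRD bank" <online_support@example.com>
Subject: Fifth Third Bank: Urgent Security Notice For Client
X-NOD32Result: Infected, HTML/Phishing.gen trojan
MIME-Version: 1.0
Content-Type: multipart/related; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset="iso-8859-1"

spar clod, wady bud box

__________ NOD32 1.1727 (20060826) Warning __________
part001.htm - HTML/Phishing.gen trojan - quarantined - deleted

--inner
Content-Type: text/plain
X-Removed: Removed by NOD32 Antivirus System

--inner--
--outer
Content-Type: image/png; name="XK3LBLIE.PNG"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--outer--
"""


def scan_report(raw: bytes) -> dict:
    """Report the scanner verdict and which MIME parts were replaced by a stub."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    removed = [(p.get_content_type(), str(p["X-Removed"]))
               for p in leaves if p["X-Removed"] is not None]
    verdict = msg["X-NOD32Result"]
    return {
        "verdict": None if verdict is None else str(verdict),
        "removed_parts": removed,
        "remaining_types": [p.get_content_type() for p in leaves],
    }


def was_sanitized(raw: bytes) -> bool:
    """True if the scanner flagged the message, a part was stubbed out, and no HTML part survives."""
    rep = scan_report(raw)
    return (rep["verdict"] is not None and bool(rep["removed_parts"])
            and "text/html" not in rep["remaining_types"])
```

    Run against a message saved from the mail client with "Save As", the report shows whether the link-carrying HTML part is gone or still present.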
  16. quser

    quser Registered Member

    Joined:
    Aug 17, 2006
    Posts:
    21
    Hi HiTech_boy,
    I didn't suggest that modules run by accident, only that just IMON is mentioned in the threat log and not AMON. Does that mean that only IMON is involved in the threat handling?
    On my question:'Can I open infected e-mails?' you answer: 'No , because when you attempt to access the infected part , AMON will take part in the game'.
    Does the 'no' mean that it is impossible to do so, because AMON will take over, or does it mean 'you shouldn't do that' (free lunch up to $$1 M plus an infected PC).
    I never take any risk. Afraid as hell + very, very bad experience with previous AV supplier. That's why I ask all these questions. Want to know how NOD32 works.
    :thumb: :thumb:
     
  17. ASpace

    ASpace Guest

    Information about absolutely everything can be found in the built-in help file . You can also read tutorials and user guides in the ESET's site (www.eset.com) or (www.eset.eu) or ask in NOD32's forum here at Wilders


    NOD32 has 5 protection modules:
    • AMON
    • DMON
    • EMON
    • IMON
    • NOD32 on-demand scanner

    AMON is the Antivirus Monitor . It is the most important protection, which performs on-create , on-access and on-execute scans . By default it scans all kinds of files.

    DMON is the Document Monitor . This scans the API interface - MS Office document files and IE components such as ActiveX

    EMON is the Email Monitor . This takes care of the MS Office Outlook application

    IMON is the Internet Monitor . This works in Winsock , an early Windows level , and thus scans traffic before it even reaches your hard drive . It scans POP3 and HTTP , application independent, so it protects all kinds of POP3 mail and web browsers


    Learn how to protect your PC:

    http://www.microsoft.com/protect
    http://www.eset.eu/threat-center/security-tips
    http://www.eset.eu/threat-centre/threat-dictionary
    http://www.eset.eu/threat-center/threat-sense
    :D :thumb:
     
  18. quser

    quser Registered Member

    Joined:
    Aug 17, 2006
    Posts:
    21
    Happy that you also mention this forum in your overview.;) Answers on very specific questions are not found in regular guides and tutorials. They arise as a consequence of the multitude of computer configurations. I do not always expect an answer, just look for people who have run into a comparable problem. If the problem proves to be a serious one, there will be many of them. In my case seemingly not (or I simply overlook something). I can live with that, no worries. :thumb:
     
  19. gberns

    gberns Registered Member

    Joined:
    May 2, 2004
    Posts:
    131
    This is my second attempt at posting this. My first seems to have gotten lost somewhere.

    I think I am missing something. Like the original poster, I am using TBird and have set it up a la Blackspear. I have received the exact email he refers to as well as probably over 150 like it during the time I have been using NOD32 (now over 15 months). Each of the emails contained a link to a site requesting my private info, which I have been told is the definition of a phish. Never, ever, not even once has NOD32 done a thing about these messages. It has let me open them, it has let me click on the hyperlinks and go to the fake sites, etc.

    Marcos said that when it was sent to him NOD32 removed the malware parts before he received it. That's certainly not happening here.

    Can anyone explain this to me?

    Thanks.

    Gary
     
  20. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    NOD32 does not scan mail on encrypted connections and Thunderbird is not supported by EMON. Any chance you receive your email through encrypted connections? :)
     
  21. ASpace

    ASpace Guest

    You mean IMON does not scan emails on encrypted connections, but NOD32 does scan encrypted mail using AMON

    Yes , but EMON works only for MAPI interface -> MS Office Outlook

    Any other mail client working with port 110 is being protected by IMON , later by AMON

    :thumb:
     
  22. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    ...Thanks, need more coffee... :gack:
     
  23. ASpace

    ASpace Guest

    can I have a beer , please :D :D :D or a glass of Coca-Cola ;)
     
    Last edited by a moderator: Aug 31, 2006
  24. gberns

    gberns Registered Member

    Joined:
    May 2, 2004
    Posts:
    131
    SSK: I most definitely do not receive mail either encrypted or secure. Thunderbird is set to receive my POP mail as plain vanilla.

    Gary
     