suspect e mail

Discussion in 'WormGuard' started by tutankamon, Dec 20, 2003.

Thread Status:
Not open for further replies.
  1. tutankamon (Registered Member; joined Jul 10, 2003; 170 posts; Lancashire U.K.)

    Hi all,
    This morning on checking my e-mail, I found a suspicious file. It read "Re *********@********* : Balance due, missed payment" and it supposedly came from "Taskmasters J. Murdered" (you will notice that I have not typed my correct e-mail address in this post, but it was typed in correctly in the e-mail). Now, as far as I am aware I do not owe anyone anything; my payments are by direct debit, standing orders, credit card, or cash. So I suspected this file as a possible virus / worm. I am using the evaluation version of WormGuard. So what I did next was: created a new folder on my hard drive, right clicked on the suspect file, selected "save target as", saved it to the new folder on my hard drive, then I scanned it with AVG6: OK, nothing detected. I scanned it with TDS3: OK, nothing reported. I then scanned it with WormGuard: Alert!! "This file has triggered alerts in the WormGuard engine"
    Risk assessment medium
    Security scripts detected. It then went on to list loads of text referring to page setup etc., etc., so I did not open this file.
    What do I do now?
    I forgot to mention, when WormGuard displayed the alert it also said "sends e mail. It may be using e mail to propagate".

  2. Pilli (Registered Member; joined Feb 13, 2002; 6,217 posts; Hampshire UK)

    Hi tutankamon, can you use the WG "view this file safely" option?
    If so, can you see anything untoward?
    If you do not want to risk it, zip it & send to support@diamondcs.com.au for analysis.

    HTH Pilli

  3. tutankamon (Registered Member; joined Jul 10, 2003; 170 posts; Lancashire U.K.)

    Hi Pilli,
    Thanks for the reply. No, it does not give me any options at all (is it just because it is the evaluation version?). I right clicked on the folder but I can't get the "save" option. I opened the folder; there is just the icon for "show letter", which is the suspect file. I right clicked but again I can't see the "save" option. What is the procedure for zipping and sending? I am using Zip 995.

  4. Pilli (Registered Member; joined Feb 13, 2002; 6,217 posts; Hampshire UK)

    Hmm, can't remember whether the trial has a View safely button; check the help file for that.
    Zipping is usually achieved by right clicking the file and sending it to a Zip file, say "suspicious.zip"; once zipped, send it to DCS.

  5. Jooske (Registered Member; joined Feb 12, 2002; 9,713 posts; Netherlands, EU near the sea)

    Hi Tut, interesting case. So the "view in safe mode" gives you the info about the file's source.

    Not sure if you're using Outlook Express or another email program?
    If I have a suspicious email I want to know without actually opening it, I make sure it doesn't appear in the preview by having another folder selected or another email; then press the search option and search for that email, for instance on date or sender name, whatever, anything to have it in that search window. If you select it without opening it, you can look in the properties and from there in the source.
    So you can read the whole source in a safe way, the same as you would do in WormGuard.
    So you know all the who and what from the email and possible infections or exploits.
    There you can also see a possible hidden attachment or code.

  6. tutankamon (Registered Member; joined Jul 10, 2003; 170 posts; Lancashire U.K.)

    Hi Jooske,
    I'm not sure that I understand the method you describe. Doesn't appear in which preview? Which search? (I tried with search in the START menu, Windows ME, found the file "show letter", clicked on properties; it simply told me that it was an HTML document, opened by Internet Explorer, created 20 December 2003; no reference to any source.)

  7. Jooske (Registered Member; joined Feb 12, 2002; 9,713 posts; Netherlands, EU near the sea)

    Are you using Outlook Express?
    That one has a search for messages.
    In OE, stand in any other place than on that particular message, press Edit > Search > put search options for that sender name or subject name or date, anything to keep it small > the message name will appear in the search console, without opening the actual message.
    So if you then select it (highlight, or one click on it, or right-click) you will get a menu with one option for properties.
    The first will give only the full header and there is another button for details.
    With that (enlarge the window) you can have a look in the full body of the message.

    I'm not familiar with other clients; in fact I expect something similar.

    You can easily look if there is something else but a normal text. It can also only harm (I think, if I'm wrong please correct me!) if there is an HTML message or an attachment -- if it is txt mode I wouldn't expect dangers unless you would (be forced to) run the attachment, or with an HTML document a possible exploit or included code.

    You will notice in WG the source you can look into in safe mode looks the same more or less, be it that WG displays the suspicious lines.
    Makes it easier to decide what to do with the message, as you know the content and what is the possible alarm.

    Looking forward to the official DCS detection for you too.

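As an added example (not from the thread, WormGuard or DiamondCS), the following Python script does what Jooske describes above with a parser instead of a mail client: it reads a raw message, lists its MIME parts and attachments, and flags script blocks, forms, iframes and external resources in any HTML part, all without rendering anything. The message is a constructed sample with placeholder addresses, modelled on the "balance due" notice from the first post.

```python
import re
from email import message_from_bytes, policy

# Constructed sample (placeholder addresses): an HTML-only body with a script block and a form.
SAMPLE_EML = b"""From: "Taskmasters J. Murdered" <billing@example.invalid>
Subject: Balance due, missed payment
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Your payment is overdue. Please settle the balance below.</p>
<script>window.open('http://example.invalid/pay')</script>
<form action="http://example.invalid/collect" method="post">
<input type="hidden" name="id" value="12345"></form>
</body></html>
"""

# Markup worth a closer look before the message is ever rendered.
RISKY_MARKUP = {
    "script": re.compile(r"<script\b", re.I),
    "form": re.compile(r"<form\b", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
    "external_resource": re.compile(r"\b(src|action)\s*=\s*['\"]?https?://", re.I),
}

def inspect_message(raw: bytes) -> dict:
    """Parse a raw message and summarise it without rendering any HTML."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {"from": str(msg.get("From", "")), "subject": str(msg.get("Subject", "")),
              "parts": [], "attachments": [], "findings": []}
    # walk() yields every MIME part; multipart containers carry no content themselves
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        report["parts"].append(ctype)
        if part.get_filename():
            report["attachments"].append(part.get_filename())
        if ctype == "text/html":
            body = part.get_content()
            for name, pattern in RISKY_MARKUP.items():
                if pattern.search(body) and name not in report["findings"]:
                    report["findings"].append(name)
    return report

if __name__ == "__main__":
    r = inspect_message(SAMPLE_EML)
    print(f"From: {r['from']}\nSubject: {r['subject']}")
    print("Parts:", r["parts"], "Attachments:", r["attachments"])
    print("Findings:", r["findings"])
```

Point it at a saved `.eml` file (`inspect_message(open(path, "rb").read())`) to get the same summary for a real message.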
  8. tutankamon (Registered Member; joined Jul 10, 2003; 170 posts; Lancashire U.K.)

    Hello Jooske,
    No, I am not using Outlook Express. I use Yahoo's e-mail service, which doesn't have all the extras you mention. I zipped the suspect file and sent it to Diamond CS; I am awaiting an answer now.
    Incidentally, when I scanned it with WormGuard it did not give me the 3 options at the bottom of the window; it simply showed one box which said "OK" and it allowed me to view the file (perhaps "viewing in safe mode" was a default action in this case?). Reading the contents did not reveal any text like you expect in an e-mail, just lots of lines referring to page setups and things like that, which I don't understand, but WormGuard alerted me so I didn't open it.

  9. Jooske (Registered Member; joined Feb 12, 2002; 9,713 posts; Netherlands, EU near the sea)

    Aha, using webmail?
    Unfortunately it is no longer possible in the free version of Yahoo to have the email forwarded into your local email client like Outlook Express.
    Yahoo gives a possibility to look at the full header; not sure if you can see the whole source too.
    But as you zipped it to Gavin already you'll get an expert opinion soon enough.
    Mind you, Yahoo is full of spam. I opened the junkmail filters there and that spares a lot which is immediately filtered out, and I never read all that stuff, just one central delete button and zoooofff.
    Report what still comes through as spam and next time it comes in the spambox too; spares you a lot of worrying.

    Good that WG still jumped up for the email from online boxes, that is great!

  10. tutankamon (Registered Member; joined Jul 10, 2003; 170 posts; Lancashire U.K.)

    Hello again Jooske,
    Yes, I had an e-mail from Diamond CS saying that the file was OK, so I opened it and it was just another spam advert for credit cards. I have 2 folders in my e-mail account with Yahoo. One is the "Bulk" folder where the majority of the spam goes; the other is my proper inbox. Like you, I would normally delete everything in the Bulk folder, but the title of the file aroused my interest, and the fact that WormGuard alerted me raised my interest even further. So I have learned a few things from that.

  11. Jooske (Registered Member; joined Feb 12, 2002; 9,713 posts; Netherlands, EU near the sea)

    Good you have been so very careful, and indeed it's just the question why WG alerted on that one. A "sending emails" alert does look like something very nasty.

    It can happen with serious emails too: forwarding them to others might activate an email harvester, and certainly if the receivers react on it. I did not get such alerts yet, but others warned me about the possibilities of that!
    So once I recognise that, I will try to cut such code out of emails I intend to forward, to avoid people getting involved with things they're not asking for.
    Just sending them in TXT format where possible avoids all that, but you might have to paste all URLs back in for the receiver you want them to see!

  12. DolfTraanberg (Registered Member; joined Nov 20, 2002; 676 posts; Amsterdam)

    http://www.jmasoftware.com/english/products/web2pop/index.html

  13. Jooske (Registered Member; joined Feb 12, 2002; 9,713 posts; Netherlands, EU near the sea)

    Yes, I tried that one but it never worked for me at all. Maybe an older version and a newer would be OK, dunno. Thanks for the link again.

  14. tutankamon (Registered Member; joined Jul 10, 2003; 170 posts; Lancashire U.K.)

    Hi Jooske,
    I try to keep safe. Also, I do not have an address book; this is my choice. I think that if ever I am infected with an e-mail virus, at least it will not be passed on to my contacts. This should stop it spreading beyond me.

  15. Jooske (Registered Member; joined Feb 12, 2002; 9,713 posts; Netherlands, EU near the sea)

    If you import emails in Outlook Express you can set it to warn for all kinds of misbehaviours and block them (with dollefie's links you can do such things), as well as with the firewall; ZAPro for instance has options to use only the email account you allow for outgoing emails and a max per time period you tell it to be allowed to send, etc. I like to have some control I can see happening.
    Too often I got spam using my Yahoo email account as a sender and I have no way to find out if that was only to me or if I could have a risk of being blacklisted as a spammer; more so because the Yahoo support is among the most unhelpful I've ever experienced.
    (Illustration? I reported recently such spam which had used my account name, as I got a bounced mailer-daemon; Yahoo only sent a reply about lost passwords. They have not the slightest idea what people talk about and are responsible for keeping spam traffic alive in high gear. They might have automated their support with no human eyes looking at it at all, it seems. So I would never use them as my main email account for serious communication!)
    It can happen that people who got your email address somewhere on their system because of emails, newslists, forwardings, got infected, and so your email address can become a sender while there is nothing wrong with your system at all. (Remember Klez?)
    Your address can be harvested as must have happened with mine, etc. (maybe from the Yahoo servers themselves).
    You could keep your own account in the address book with a strange username added to it, so maybe you would get email to that one so you know something is wrong.
    I stopped the holiday autoresponder there too, so spammers might not be sure if the account is valid.
