
Yahoo Mail


11 replies to this topic

#1 Morgan Dragonstar

  • Members
  • 3 posts

Posted 04 September 2009 - 09:00 AM

Hey all,

Even after explaining the definition of Trojan to my gf, she wants to know, is there something specific attacking her yahoo email account, something scans won't find? I told her to change her email password and run a new scan, but also told her I would ask, just for her and domestic tranquility.

thanks
Morgan

p.s. here is the link her email sent to all her email addresses: hxxp://rapidshare.com/files/275226375/install.exe?0,3316944

again, thanks.

Edited by Orange Blossom, 04 September 2009 - 11:45 AM.
Deactivated link to protect members. ~ OB




#2 Orange Blossom

  • Moderator
  • 36,947 posts

Posted 04 September 2009 - 11:49 AM

First a question. Is she using webmail or an e-mail client? In other words, does she get to her e-mail using IE, Firefox, or some other browser or is she using Outlook, Thunderbird or something else?

The answer to this question is very important.

Please note, that the link added to those e-mails is a malicious link.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Romeo29

  • Members
  • 3,194 posts

Posted 04 September 2009 - 12:09 PM

The link posted is dangerous in 2 ways:

1. Normally Rapidshare links make you first go through a download page, wait for some seconds, then you click on download link. This is a direct download link from a premium account. One click on the posted link and you get the trojan. I have to say it was quite unexpected for me. I thought it would open a rapidshare page for downloading, but it started to download install.exe.

2. This link is TR/Crypt.XPACK.Gen [trojan] as reported by Avira. It did not let me download it :thumbsup:

#4 Queen-Evie

  • Staff Emeritus
  • 16,485 posts

Posted 04 September 2009 - 01:12 PM

Here is what MBAM showed for it: (downloaded file was called install.exe)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Dropper) -> No action taken.

Files Infected:
c:\documents and settings\Evelyn\Desktop\install.exe (Trojan.Dropper) -> No action taken.

Running MBAM again after deleting the file from my system.

NOTE: I did NOT open the file. All I did was save and scan it.

#5 Orange Blossom


Posted 05 September 2009 - 01:49 PM

Hello Morgan Dragonstar,

It is important to know the answer to the question I posed earlier. How does your girlfriend read her e-mail: through web-mail or using an e-mail client?

Orange Blossom :thumbsup:

#6 Morgan Dragonstar


Posted 05 September 2009 - 11:09 PM

> First a question. Is she using webmail or an e-mail client? In other words, does she get to her e-mail using IE, Firefox, or some other browser or is she using Outlook, Thunderbird or something else?
>
> The answer to this question is very important.
>
> Please note, that the link added to those e-mails is a malicious link.
>
> Orange Blossom :thumbsup:



do any of you read English, sorry, it's my primary language, i said right in my post that the link i was posting is what the program sent out to Everyone in her address book. Therefore, Of Course it is Malicious! Second. It's Yahoo mail. she is using Vista as her OS, and IE as her browser. so far, avast and a2 haven't gotten rid of it, neither has changing her email password, twice.

thanks all,
Morgan

#7 Animal

Animal

    Bleepin' Animinion


  • Site Admin
  • 35,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Where You Least Expect Me To Be
  • Local time:01:44 AM

Posted 05 September 2009 - 11:32 PM

The rude comment about reading English was totally uncalled for. And No you did NOT answer the question, with the information in your first post, asked about how the email is handled. Which is your girlfriend using, a browser or an email client? You did however include it in your confrontational post above. So thank you for that.

You might want to review the rules of this forum, before continuing to post. I'll add one quote here that's applicable, now.

> There will be no posts meant to offend or hurt any other member, in a manner which is offensive or inflammatory. This includes flaming or instigating arguments.


The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)



#8 Queen-Evie


Posted 06 September 2009 - 10:22 AM

You did not state that the link was malicious. What you did say was the link was sent out to her contacts. It was easy for me to figure out that it was a malicious link. However, the possibility exists others less knowledgeable would not know it was a bad link, and could have opened it, therefore becoming infected themselves.
Common sense dictates that one should not post a clickable malicious link.

Has she scanned her computer with other tools such as Malwarebytes AntiMalware, SuperAntiSpyware, and an on-line virus scanner?
Links to these tools can be found here:
http://www.bleepingcomputer.com/forums/topic3616.html

#9 Orange Blossom


Posted 06 September 2009 - 05:40 PM

Hello Morgan Dragonstar,

> i said right in my post that the link i was posting is what the program sent out to Everyone in her address book. Therefore, Of Course it is Malicious!


Actually, that doesn't in and of itself make the link malicious. It could simply be spam.

> Second. It's yahoo mail. she is using vista as her os, and ie as her browser.


I knew from the first post that she is using Yahoo mail; however, Yahoo mail can be read either through a browser or through an e-mail client using POP3.

I see in your second post that she uses IE as a browser, but that still does not answer the question of whether she uses the browser to access her e-mail or if she uses an e-mail client to access her e-mail.

I still await a clear answer to that question.

Orange Blossom :thumbsup:

#10 Morgan Dragonstar


Posted 06 September 2009 - 09:12 PM

ok, i must say that i do not understand the question then. i have said. she, and I use IE, that is internet explorer. yahoo is our home page. sign in right there, and we're at our email. please let me know how much clearer i can be.

we click on the ie icon to get to our homepage.

thank you. please do note that these are my first posts here, things have been stressful enough at work, then to come home and find the joy of my life mad because her email is sending everyone she has in her address book an evil link. i thought by bringing the link here, someone could say, oh i know what does this, you fix it with this.....

it was never my intent that anyone click that link.

I am a very peaceful person, generally.

thank you all again,
Morgan

Edited by Orange Blossom, 07 September 2009 - 12:59 AM.
Remove unnecessary quote. ~ OB


#11 Orange Blossom


Posted 07 September 2009 - 12:57 AM

Hello there,

From what you describe, she is using webmail. That is, she gets to her e-mail using a browser, in her case, Internet Explorer. She could be completely computerless, go to a computer at the Public Library, and still get to her e-mail and read all the mail and read the address book.

Since this is the case, it is highly unlikely the problem is caused by an infection on her computer. I don't say it is impossible, however.

It is possible that Yahoo's server has been infected. It is also possible that your girl-friend's e-mail account has been compromised. I had that happen when I didn't even own a computer. I'd suggest creating a completely different e-mail account, and don't choose a common user name or variant of one, possibly refraining from Yahoo in case the problem is at Yahoo's end. Then, DO NOT post that e-mail address anywhere on the internet as spambots regularly go through and harvest them and you could end up being both the recipient and "sender" of spam.

Also, you may wish to be certain that IE's security settings are not too loose.

Please read these topics for information about browsing safely on the internet:

http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

http://www.bleepingcomputer.com/forums/t/123660/best-practices-internet-safety-for-2008/

One other possibility has occurred to me. If she has at any time sent an e-mail to everyone in her address book and used Carbon Copy (CC) or simply "to" for all those addresses, it is possible that someone else's computer is compromised and is responsible for sending out the bad e-mail.

When sending e-mail to more than one person, you should use Blind Carbon Copy (BCC) unless it is necessary for both recipients to be aware of each other. Using Blind Carbon Copy will prevent the e-mail addresses from being seen by the other recipients.

Orange Blossom :thumbsup:

#12 Romeo29


Posted 07 September 2009 - 06:49 AM

I would add my little bit:

In Yahoo! web mail, the only possibility of sending a link to this file seems to be in the Signature field.
Go to Options > Mail Options > Signature and select Do not use a signature. See if this makes any difference.

If the email was sent automatically to all addresses, then some malware might be at work in IE running its scripts. You should stop using IE and use Opera instead.

Do you use Yahoo! Instant Messenger or any other Instant Messenger that supports Yahoo! for chatting etc and is it kept online?



