

Infected with Email Worm or Trojan?


4 replies to this topic

#1 won7derOZ


  • Members
  • 2 posts
  • OFFLINE
  • Local time:12:01 AM

Posted 02 June 2012 - 02:19 PM

Hi - this is my first time posting to the site.

A few days ago my husband made the mistake of clicking on a link from a friend of his. The email looked like, and seemed to be written in, a manner that did not make my husband suspicious, so he clicked on it (his friend had sent similar emails before). He stated it took him to some weird ad site. Approx. 1-2 days later he noticed his Yahoo email started getting a ton of failure notice emails (from MAILER-DAEMON@yahoo.com). It appeared that his email (maybe his computer?) got compromised when he clicked on the link.

He immediately contacted the friend and the friend confirmed it was some kind of virus email. From what we could tell it went through his entire contact list and emailed everyone within his list with the bad link. We contacted all those on his list to let them know his email had been compromised.

It also added several email addresses to his contact list that we did not recognize. We were freaked out so we deleted them - now I wish I had written them down, as we can't recall what they were. All the bad emails that got sent out were similar in nature.

We deleted all the failure notice emails and ran Malwarebytes as well as MSE scans. The scans did not find anything. We also immediately changed all passwords and security questions.

However, we are really worried that our computer has some kind of trojan or worm or something worse that was not picked up by the scans?

Below is a copy of the email that had gone out and then came back as a failure notice. (Removed personal email addresses.)
We would appreciate any help provided!

--------------


Received: from [98.139.212.148] by nm2.bullet.mail.bf1.yahoo.com with NNFMP; 31 May 2012 01:28:53 -0000
Received: from [98.139.212.236] by tm5.bullet.mail.bf1.yahoo.com with NNFMP; 31 May 2012 01:28:53 -0000
Received: from [127.0.0.1] by omp1045.mail.bf1.yahoo.com with NNFMP; 31 May 2012 01:28:53 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 618846.56323.bm@omp1045.mail.bf1.yahoo.com
Received: (qmail 75846 invoked by uid 60001); 31 May 2012 01:28:53 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1338427732; bh=/q9PpqusCdVpklG5qxJ7bjS/tc4xPMXqTz5qYvDF0mQ=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type; b=jPp8F48VPhYPRwGREnrGAUBnJely3E/KWB1YJCb5qqUQzEK7y82b/jX1WjxZJTQi+hqmFeGTVWw+zHjroYU7YXi0ssh1ceKrjIfM0IisC4GT26dJ/G7dJDuB4kCYYxCq18HvFKHKSy4c/vJse7JPGIyva+Tcg3+JjWiIwUTZ5zM=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type;
  b=q1YuJ/ayCWWdOzvDFIk/faYzZY/8K6EzuMRbqB4ySNTXkjIOvoiF1Uvz2NSlmvPoCr5AOo/+26UwysjpkRk9/X42c3XnxHmTC1Ru/BF9ZeQt0mO9FegNCu3hXHCOg5AjVqcM7o7DNsqMPGQRSgY9DMr8Pr7qw51M3CoJn98B8qM=;
X-YMail-OSG: imzebbMVM1kq3e.ynqiYBVhyhR9nvBsfYGU0asscbZm1qtJ
  KtKtqQ1l0zArd95mzDCX.2zYpVrZDWJ4N7ShSCJwnSSoIcVfhLTbGbmcK2Sf
  CvkuOnYVnerbjoJZ.MnazI4_CiwM7OEPbM9ZxXqXxQ5poMjbWYOt1Ry_H1s_
  MGHE_uYe6BkY.3dMXx_N5MuqRtJNxakyqwUBVRhdZQq48ASogvp57ezlOFv.
  DjE_19GBAqJCbLne8TNsRHMLvJNI8lGEKhS7Ecu5rDjI72gFTg2ncxECt7Zp
  .79yToOd3LzX.nAD.9XqEBlLR4RlzkArKGQVNYVDGmz87r6RPEsyliFIVbY0
  S2yZZ6H3Ys9QzokgptpugMZQguyLIzHgebOUOI3JNhY_PrRJQvG4NfoBUipg
  AHylCXvkxpo074Fenp9Z_JXvlp0KH3RrpGNifkOhhuJhn0fOu.dl7cfREEQJ
  CvHP0k2ZBX8.Scruc4pLYYrRt_C3qDtikiBi9zh_yO8p7iP4g8thLy7GcTGL
  fr2BWiBNW1g--
Received: from [14.96.136.77] by web39406.mail.mud.yahoo.com via HTTP; Wed, 30 May 2012 18:28:52 PDT
X-Mailer: YahooMailWebService/0.8.118.349524
Message-ID: <1338427732.71833.BPMail_high_noncarrier@web39406.mail.mud.yahoo.com>
Date: Wed, 30 May 2012 18:28:52 -0700 (PDT)
From:
Subject: RE:
To:
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

wow this is crazy check it out
httpxx://xxwww.stenews.net/biz/?news=9708457xxxx Mod Edit: Disabled potentially dangerous link - Hamluis.

Edited by hamluis, 02 June 2012 - 04:44 PM.
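The bounced headers quoted above already tell a helper how the message entered Yahoo's network, which bears on the question of whether the account or the PC was abused. The Python below is an added example, not code from this thread or from Yahoo; it parses a header block constructed from the posted bounce (addresses were already removed by the poster, and the long signature values are elided here) with the standard library email parser, puts the Received hops in chronological order, and reports the earliest one. For this message that is a submission "via HTTP" to a Yahoo webmail host from client 14.96.136.77, with an X-Mailer of YahooMailWebService and a yahoo.com DKIM signature, i.e. the mail was sent through the account's web interface rather than forged with a fake sender elsewhere.

```python
import re
from email import message_from_string

# Header block constructed from the bounce quoted in this thread. The poster had
# already removed the addresses; DKIM signature values are elided as <elided>.
SAMPLE_MESSAGE = """\
Received: from [98.139.212.148] by nm2.bullet.mail.bf1.yahoo.com with NNFMP; 31 May 2012 01:28:53 -0000
Received: from [98.139.212.236] by tm5.bullet.mail.bf1.yahoo.com with NNFMP; 31 May 2012 01:28:53 -0000
Received: from [127.0.0.1] by omp1045.mail.bf1.yahoo.com with NNFMP; 31 May 2012 01:28:53 -0000
Received: (qmail 75846 invoked by uid 60001); 31 May 2012 01:28:53 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024;
 t=1338427732; bh=<elided>; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type;
 b=<elided>
Received: from [14.96.136.77] by web39406.mail.mud.yahoo.com via HTTP; Wed, 30 May 2012 18:28:52 PDT
X-Mailer: YahooMailWebService/0.8.118.349524
Message-ID: <1338427732.71833.BPMail_high_noncarrier@web39406.mail.mud.yahoo.com>
Date: Wed, 30 May 2012 18:28:52 -0700 (PDT)
Subject: RE:
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

wow this is crazy check it out
"""

# "from [client] by server via|with transport; date" as written by Yahoo's MTAs.
HOP_RE = re.compile(
    r"from \[?(?P<client>[^\]\s]+)\]?\s+by\s+(?P<server>\S+)"
    r"(?:\s+(?:via|with)\s+(?P<proto>\S+))?\s*;\s*(?P<when>.*)$"
)


def parse_hops(raw):
    """Return Received hops earliest-first. Each MTA prepends its header, so the
    bottom Received line is the first hop; hops without a 'from' clause (the
    local qmail injection here) carry no client and are skipped."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if m:
            hops.append(m.groupdict())
    return hops


def origin(raw):
    """The first hop: where the message entered the provider's network."""
    hops = parse_hops(raw)
    return hops[0] if hops else None


def classify_submission(raw):
    """'webmail' when the first hop is an HTTP submission or the mailer is the
    provider's web service, 'smtp' for a mail-client or relay handoff."""
    first = origin(raw)
    if first is None:
        return "unknown"
    mailer = message_from_string(raw).get("X-Mailer", "")
    if (first["proto"] or "").upper() == "HTTP" or "WebService" in mailer:
        return "webmail"
    return "smtp"


def signing_domain(raw):
    """Domain that DKIM-signed the message (d= tag), or None if unsigned.
    A provider signature means the provider's own servers emitted the mail."""
    sig = message_from_string(raw).get("DKIM-Signature")
    if not sig:
        return None
    m = re.search(r"\bd=([^;\s]+)", " ".join(sig.split()))
    return m.group(1) if m else None


def summarize(raw):
    """One-line triage verdict a helper could post back to the thread."""
    first = origin(raw)
    if first is None:
        return "no parsable Received hops"
    return (f"first hop: client {first['client']} -> {first['server']} "
            f"({first['proto'] or 'unknown transport'}); "
            f"submission={classify_submission(raw)}; dkim d={signing_domain(raw) or 'none'}")


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_MESSAGE):
        print(f"{hop['client']:>16} -> {hop['server']} ({hop['proto']})")
    print(summarize(SAMPLE_MESSAGE))
```

The one thing this parse cannot settle on its own is where 14.96.136.77 sits: a webmail submission from the account holder's own machine looks the same as one from a stolen session or password used elsewhere, so the address has to be compared against the household's IP before deciding between "infected PC" and "account credentials used by someone else".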



#2 cryptodan


    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:07:01 AM

Posted 02 June 2012 - 04:17 PM

This had happened to me, and once I changed my password the emails stopped; it's some sort of Yahoo vulnerability. You did the right things.

If you can, since you are here, post the Malwarebytes logs from the scan you did?

#3 won7derOZ

  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:12:01 AM

Posted 03 June 2012 - 02:59 PM

Thank you for your reply to my post. I had to redo the Malwarebytes scan as my husband had not saved the log file. It did not find anything. My worry is that maybe there is something else on our computer from clicking on the bad link that may not have been seen by the scan?

------------
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.03.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Tom :: TOM-M57 [administrator]

6/3/2012 12:42:01 PM
mbam-log-2012-06-03 (12-42-01).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 358663
Time elapsed: 3 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#4 cryptodan


    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:07:01 AM

Posted 03 June 2012 - 03:20 PM

Someone clicked it, because this happened to me. I clicked a link, and mail was being sent out.

#5 RobertPlattBell


  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:01 AM

Posted 13 June 2012 - 01:37 PM

Got the same e-mail about two days ago. I foolishly clicked on the link. Today at 1:43 PM it sends out the e-mail via Yahoo (I was logged in, using the Calendar) to about a half-dozen names, plus "scklweorpkwpokwerpko@mail.com" - a monitoring address, I guess, to see who is sending.

I caught it early as the MAILER-DAEMON bounced one of the older contacts.

(I e-mailed the people on the list and told them not to click on the link).

Malwarebytes found "Trojan.Happili" in dm9E25.exe and "Trojan.Downloader" at "about[1].exe", both of which I quarantined.

I have run Malwarebytes three times now (and updated the database) and it is clean. Spybot keeps finding a tracking cookie but that's it.

I ran TDSSKiller, and checked the DNSChanger eye chart, so it doesn't appear to be redirecting.

Some sort of program opened a browser, and since Yahoo was already logged in, forwarded the e-mail.

The e-mail reads:


this is crazy you should give it a look http: //www.business15nanews. net/work/ ?news=7505153

and it sells a work-at-home scam.

So far, it appears to be harmless, as it just propagates the annoying e-mail.

What possessed me to click on the link is beyond me. I know better than that!

I changed my Yahoo password (but I don't think that is the issue, they are sending it from your computer, I believe, and yes, the message appears in your SENT box).

Since I no longer use Yahoo for e-mail, I deleted the contacts list. That should STARVE it to death, perhaps.

Last log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.12.09

Windows Vista x86 NTFS
Internet Explorer 7.0.6000.16982
RPB2 :: RPB2-PC [administrator]

6/13/2012 12:54:59 PM
mbam-log-2012-06-13 (12-54-59).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 514977
Time elapsed: 1 hour(s), 30 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Previous Log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.12.09

Windows Vista x86 NTFS
Internet Explorer 7.0.6000.16982
RPB2 :: RPB2-PC [administrator]

6/13/2012 11:01:53 AM
mbam-log-2012-06-13 (11-01-53).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 515616
Time elapsed: 1 hour(s), 42 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\RPB2\AppData\Local\Temp\dm9E25.exe (Trojan.Happili) -> Quarantined and deleted successfully.

(end)

Previous Log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.12.09

Windows Vista x86 NTFS
Internet Explorer 7.0.6000.16982
RPB2 :: RPB2-PC [administrator]

6/13/2012 10:03:05 AM
mbam-log-2012-06-13 (10-03-05).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 129668
Time elapsed: 47 minute(s), 7 second(s) [aborted]

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\RPB2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JQX3ODFO\about[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.

(end)

I am going to run it ONE MORE TIME!

I also created a FILTER that sends any e-mail with "this is crazy you should give it a look" into the SPAM box!

Edited by RobertPlattBell, 13 June 2012 - 01:46 PM.
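The filter described in the last post keys on one exact sentence, but the two lure bodies quoted in this thread differ ("wow this is crazy check it out" versus "this is crazy you should give it a look") while sharing the same shape: a body of under a dozen words, a "this is crazy" hook, an empty or bare "RE:" subject, and a link whose query string is ?news=<digits>. The Python below is an added example, not code from the thread, from Yahoo or from Malwarebytes; the sample mailbox is constructed (hosts use the reserved .invalid domain) and the rule combines those signals so that a single rewording of the hook does not defeat it, while a friend who merely writes "this is crazy" is left alone.

```python
import re

# Signals drawn from the two lure messages quoted in this thread.
LURE_PHRASE = re.compile(r"\bthis is crazy\b", re.IGNORECASE)
NEWS_URL = re.compile(r"https?://\S+\?news=\d+", re.IGNORECASE)
# Empty subject, or nothing but reply/forward prefixes such as "RE:".
BARE_SUBJECT = re.compile(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)*$", re.IGNORECASE)
MAX_LURE_WORDS = 15  # the quoted lures are 7-9 words plus one link


def lure_signals(subject, body):
    """Return the set of lure signals present in one message."""
    signals = set()
    if LURE_PHRASE.search(body):
        signals.add("phrase")
    if NEWS_URL.search(body):
        signals.add("news_url")
    if len(body.split()) <= MAX_LURE_WORDS:
        signals.add("short")
    if BARE_SUBJECT.match(subject or ""):
        signals.add("bare_subject")
    return signals


def is_lure(subject, body):
    """Route to spam when the ?news= link is present together with at least two
    other signals. Requiring the link keeps ordinary chat that happens to say
    'this is crazy' out of the spam folder."""
    signals = lure_signals(subject, body)
    return "news_url" in signals and len(signals) >= 3


# Constructed sample mailbox: the two lure variants and two benign messages.
SAMPLE_MAILBOX = [
    ("RE:", "wow this is crazy check it out\nhttp://example-a.invalid/biz/?news=9708457"),
    ("", "this is crazy you should give it a look http://example-b.invalid/work/?news=7505153"),
    ("Lunch?", "this is crazy, half the team came down with a cold after the offsite"),
    ("Weekly digest",
     "Hi all, here is this week's roundup. " * 5 + "Full story: http://intranet.invalid/digest?news=12"),
]


def filter_mailbox(mailbox):
    """Return the indices of messages the rule would move to spam."""
    return [i for i, (subject, body) in enumerate(mailbox) if is_lure(subject, body)]


if __name__ == "__main__":
    for i, (subject, body) in enumerate(SAMPLE_MAILBOX):
        verdict = "SPAM" if is_lure(subject, body) else "ok"
        print(i, verdict, sorted(lure_signals(subject, body)))
```

Both quoted lures trip all four signals; the lunch note matches the phrase but has no link, and the long newsletter has a link but nothing else, so only the first two messages are filtered. If the sender reuses the same hook, and the wave in this thread suggests it does, the phrase is the least stable of the four signals and the link shape the most useful one.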
