
Is this email a trojan or attempted spyware? Dr-web daemon mail in email


7 replies to this topic

#1 BustedFlush (Members, 52 posts)

Posted 12 November 2016 - 07:58 AM

Firstly, I apologise for not being very technically aware. I have become very wary about potential spyware and other malicious attacks of late, and have been trying to learn on the fly. I am using a MacBook Pro, OS X Yosemite 10.10.5.

 

I received this email about three weeks ago, which I have recently rediscovered while combing through my previous mails looking for anything suspicious. I have never received anything from the sender, but sadly do not remember if I clicked on it or took any other action when I received it. I did not reply to the message as was instructed in the mail, though.

 

It also contained an attached file called 'no-name', which sadly I cannot recall if I clicked or not.

 

Who or what is the mail from? I can only assume it is an attempt to get into my system. I have since activated firewall and run through a number of security tightening measures, activating stealth mode, deleting cookies and such, but fear that these people are so far ahead of me in knowledge that my attempts may be futile.

 

I am sorry if this is basic; I ran a search in the forum and couldn't see anything similar. If someone could give me an idea what this means I would really appreciate it.

 

Thanks

 

From: DrWeb-DAEMON <DrWEB-DAEMON@plesk135.red166.trevenque.es>
Date: Oct 24
To: me
Dear User,

A message with the following attributes was not delivered because it contains an infected object.

Sender = my address (redacted)
Recipients = margen@margenlibros.com
Subject =  Receipt 79-0396
Message-ID =  <90bfd5e9.b6eb9407.201fb.00be@mx.google.com>

Antivirus filter report:
--- Antivirus report ---
The following viruses were found:
Known virus(es):
JS.DownLoader.1225

Detailed report:
127.0.0.1 [12733] drweb.tmp.InAzGc - archive MAIL
127.0.0.1 [12733] >drweb.tmp.InAzGc/3.part infected with JS.DownLoader.1225

Scanning statistics:
Known viruses : 1

--- Antivirus report ---

The original message was stored in an archive record named:
drweb.quarantine.QmydS3
In order to receive the original message, please send a request to
<postmaster>, referring to the archive record
name given above.

Edited by BustedFlush, 12 November 2016 - 08:14 AM.



#2 sflatechguy (BC Advisor, 2,215 posts)

Posted 13 November 2016 - 09:06 AM

DrWEB-DAEMON is simply the name of the user or process that sent the email. It is almost certainly spam.

 

The email contained an attachment with a known virus, JS.DownLoader.1225. https://www.symantec.com/security_response/writeup.jsp?docid=2003-102718-1528-99

 

However, it only seems to affect Windows systems, so even if it did "install" on your Mac, it probably won't do much. Are you having performance issues or trouble loading websites? Just to be on the safe side, you might want to install a free trial of a Mac-specific AV application and run a full scan of your system.
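As an added illustration (not code from either poster), a small Python parser for the Dr.Web notification format quoted in the first post: it pulls out the fields worth checking and explains why a bounce that names you as Sender is backscatter from a forged From address rather than evidence that your own machine sent anything. The sample report is constructed with placeholder addresses and Message-ID; the `my_addresses` argument is an assumption about the reader's own mailboxes.

```python
import re

# Constructed sample in the layout of the Dr.Web bounce quoted above;
# addresses and Message-ID are placeholders, not the thread's real values.
SAMPLE_REPORT = """Dear User,
A message with the following attributes was not delivered because it contains an infected object.
Sender = victim@example.com
Recipients = shop@example.org
Subject =  Receipt 79-0396
Message-ID =  <placeholder-id@mx.example.com>
--- Antivirus report ---
Known virus(es):
JS.DownLoader.1225
Detailed report:
127.0.0.1 [12733] drweb.tmp.InAzGc - archive MAIL
127.0.0.1 [12733] >drweb.tmp.InAzGc/3.part infected with JS.DownLoader.1225
--- Antivirus report ---
The original message was stored in an archive record named:
drweb.quarantine.QmydS3
"""

FIELD_RE = re.compile(r"^(Sender|Recipients|Subject|Message-ID)[ \t]*=[ \t]*(.*)$", re.M)
DETECTION_RE = re.compile(r"infected with (\S+)")
QUARANTINE_RE = re.compile(r"archive record named:\s*(\S+)")


def parse_av_bounce(text):
    """Extract the envelope fields, detection names and quarantine record id."""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(text)}
    q = QUARANTINE_RE.search(text)
    return {
        "sender": fields.get("Sender", ""),
        "recipients": fields.get("Recipients", ""),
        "subject": fields.get("Subject", ""),
        "message_id": fields.get("Message-ID", ""),
        "detections": sorted(set(DETECTION_RE.findall(text))),
        "quarantine": q.group(1) if q else "",
    }


def triage(report, my_addresses):
    """Observations for whoever received the bounce. Assumes my_addresses
    lists the reader's own mailboxes (hypothetical input)."""
    mine = {a.lower() for a in my_addresses}
    notes = []
    if report["sender"].lower() in mine:
        notes.append("we are the Sender: if the message is not in our Sent folder, "
                     "the From address was forged and this is backscatter")
    for name in report["detections"]:
        if name.startswith("JS."):
            notes.append(name + ": JavaScript downloader signature on the attachment the relay rejected")
    if report["quarantine"]:
        notes.append("quarantine id " + report["quarantine"] +
                     ": asking postmaster for the original would retrieve the infected attachment")
    return notes
```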



#3 BustedFlush (Topic Starter, Members, 52 posts)

Posted 13 November 2016 - 09:17 AM

Thanks a lot SflatechGuy,

 

Not really experiencing anything problematic, though I did have a brief episode of getting a lot of 'Aw Snap' messages and being unable to load websites, but that seems to have cleared up.

 

I am worried that someone is targeting me specifically in order to access my information. This may seem vague, but that's what's driven me to learn more. The timing of the DrWeb email would fit with this. Do you think it could have been sent by an individual in this manner?

 

I ran Malwarebytes full scan and came up with nothing. Is that enough or do you recommend other software? Is that what you mean by 'Mac specific AV app'?

 

I have also been checking my console for any suspicious Wake Reasons, and keeping an eye on the latest docs in Finder. Nothing has really shown up. I have Steam, and have noted that there are Steam Aliases listed in Applications, which I have not added. This concerned me, but I haven't been able to locate anything that would indicate that they're a problem.

 

Sorry if this is vague. I just have a feeling that something's up, and can't quite put my finger on it. Not helpful, I know, but there it is.

 

Thanks again!


Edited by BustedFlush, 13 November 2016 - 09:19 AM.


#4 sflatechguy (BC Advisor, 2,215 posts)

Posted 13 November 2016 - 09:34 AM

Yes, MWB is an AV (anti-virus) application. If the scan came up with nothing, you're probably good. As I said, that Trojan is targeted at PCs.

Do you have the Steam client installed? If you suspect something is up, take the usual precautions -- change your password.



#5 BustedFlush (Topic Starter, Members, 52 posts)

Posted 13 November 2016 - 09:39 AM

I use Steam when I play a game I have, so I guess so. Thanks for your help, much appreciated!



#6 smax013 (BC Advisor, 2,329 posts)

Posted 14 November 2016 - 01:20 PM

And keep in mind that more current versions have pretty strong built-in protections.

First, MacOS X has always required an admin password to install programs. While there are likely some ways around that (not enough of an expert to know for sure), I suspect that they tend to require more work and many malware writers are lazy (part of the reason why there is more malware for Windows...more "bang for lower effort").

Then there is Gatekeeper. You will find its settings under Security & Privacy in System Preferences. If you have it set to only allow apps downloaded from the "Mac App Store and identified developers", then that should dramatically reduce the chance of malware being downloaded and installed.

This is why many Mac users don't run any anti-virus on their machines. Personally, I still run an anti-virus program on my machines. Consider it a holdover from back when I was using pre-Mac OS X Macs, which had significantly more malware out there for them.

#7 BustedFlush (Topic Starter, Members, 52 posts)

Posted 15 November 2016 - 02:50 PM

Thanks Smax, much appreciated.

 

So do you think the email represents an attempt to set anything up? Does it show intent from someone? 



#8 smax013 (BC Advisor, 2,329 posts)

Posted 16 November 2016 - 05:23 PM

Quoting BustedFlush:
Thanks Smax, much appreciated.
So do you think the email represents an attempt to set anything up? Does it show intent from someone?


I don't know. My point was that even if it was trying to install something, the macOS has some protections built-in.



