How to identify a piece of infected e-mail - and shred it.
faster
Joined: 03 Mar 2012
Posts: 13
I don't know what to do. Clamwin just found this in my Thunderbird Inbox:
Phishing.Email.SpoofedDomain FOUND

There appears to be no way to scan a single piece of e-mail. I can select the Inbox folder and scan them all, but it doesn't tell me WHICH piece of e-mail is infected, and there are about 75 of them.

If I tell it to quarantine, I'll lose ALL the mail.

What I WANT to do is find the infected e-mail and then have Spybot's Secure Shredder eradicate it.

I tried moving all my mail to a new folder I created. The infection traveled with them. I had thought it might be attached to the Inbox itself, rather than a piece of mail. Now I know it IS on a piece of mail, but I don't know which one! The scanner only tells me the infection is in a folder, either Inbox or SavedInbox. But not WHICH piece.

Meanwhile, I've made Outlook Express my default, till I can get rid of this thing.

What should I do?
GuitarBob
Joined: 09 Jul 2006
Posts: 4937
Location: USA
First of all, you should know that the Clam AV scan engine used by ClamWin gets a lot of false positive detections on that Spoofed Domain, so it might not really be malware.

If you have just noticed this "infection," then can you look at only those emails that have been received since the last scan just prior to when it was first detected and isolate those emails only? That might reduce the population you have to consider.

I am sure this has cropped up before on the ClamWin forums, but it has been a while. I suggest you do some searching for related topics here and see if you can find something that helps.

Regards,
faster
Joined: 03 Mar 2012
Posts: 13
The idea is great, but I can't use it. I don't remember when I did my last scan, and the issue is complicated because I just recently had a very BAD malware that required me to reinstall Windows, and then Clamwin. When I did so, Clamwin wouldn't scan anything or download anything. The malware had stopped it dead. Other antivirus programs I tried to use, too. It was several weeks before I could use it again. By that time I had no idea which e-mails had come in before the problem did.

I can fix this, but only by putting each e-mail into a separate folder and then scanning the folder. That means 75 moved e-mails and 75 scans. Maybe more. I was just hoping there was another way to find this particular one, without spending a whole day moving and scanning.

Can you describe for me what a "Spoofed Domain" is? Or what "phishing" is? I know only a wee bit about that one.

I would like to suggest, though, that Clamwin incorporate a means by which individual e-mails may be scanned, in the right-click menu. After all, e-mail is one of the most common modes of entry for malware. If I got this one through e-mail, it must have been a goodie, because I am scrupulously careful about e-mail; I check it and cull it with Mailwasher before I allow it to be downloaded, and then I NEVER open unexpected attachments or any mail from unknown sources.

I don't feel safe in allowing it to stay. Only today, when I booted up, Windows installed something, and I hadn't installed anything yesterday. Then my disk scanner found two File Allocation Table locations inadequate or ineffective, plus one of the Windows Office update files was cross-linked and I opted to save the data elsewhere, which is odd, because I don't even have Office installed yet! So there's something lurking in my system.

While I'm at it, I'd urge Clamwin to put a scanner that works in pure DOS into its program. When I had AVG Free, its DOS scan was one of its most useful and important attributes.

How can a person know that he's getting a false positive? Would doing repeated scans tell me? And if the malware is real, how can I save the e-mail itself without also saving the garbage?
GuitarBob
Joined: 09 Jul 2006
Posts: 4937
Location: USA
A spoofed domain occurs when an email says one domain but that is not the real domain--such as in some spam email.

Phishing occurs when someone "fishes" for personal information via the world wide web--information such as bank account numbers, credit card numbers, email passwords, etc. "Spear phishing" occurs when they phish specific people or high-level people, such as corporate CEOs, defense department managers, etc.

Adding a DOS scan would complicate ClamWin. The 2 ClamWin developers merely port ClamWin over to Windows from the Clam AV Linux source code whenever it changes. They try not to change the scan code, as their time/resources are limited. A scan in Windows Safe Mode (F8 repeatedly upon bootup) can sometimes find hidden, low-tech viruses.

To verify if something is a false positive (not really infected) detection, upload the file to the Jotti or VirusTotal web sites, where they will scan with multiple AV programs. If several AVs besides Clam AV see an infection, it is probably real. I like to see at least 2 of these AVs spot something: Avira AntiVir, Bitdefender, Nod32, Kaspersky, or Sophos. In case of a false positive, submit the file that is falsely detected to Clam AV so they can prepare a better signature or "whitelist" the file from scans in its database.

I will bet that the spoofed domain is a false positive. It sounds like a detection for the email itself and not an attachment. What about doing this: turn off ClamWin's email detection, copy the email to a "throwaway" file/folder, set ClamWin to Quarantine viruses, and scan the file/folder. If there is something quarantined after the scan, copy the "throwaway" file/folder back to your email intact, and the "virus" file will be gone. Then check the quarantined file with Jotti/VirusTotal. Will this work for you?

Regards,
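The two practical problems in this thread are (a) ClamWin reports the Inbox folder file as a whole, so the poster cannot tell which of ~75 messages tripped the signature, and (b) what a "spoofed domain" detection actually looks at. The script below is an added example by the editor; it is not code from this thread, from ClamWin or from ClamAV. It assumes that Thunderbird stores each mail folder as a plain mbox file inside the profile (for example under .../Mail/<account>/Inbox), splits such a file into one .eml per message so that each can be scanned separately, and flags links whose visible text is a URL naming one host while the href points at another. That check is a simplified re-implementation of the idea behind ClamAV's Phishing.Email.SpoofedDomain heuristic, not ClamAV's own logic, and `clamscan_each` is a hypothetical helper that only does something when ClamAV's `clamscan` is on PATH. The three-message mbox embedded in the script is constructed sample data.

```python
import mailbox
import os
import re
import shutil
import subprocess
import tempfile
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample: three messages in mbox form. Only the third one has a
# link whose visible text names one host while its href points at another.
SAMPLE_MBOX = b"""From alice@example.org Sat Mar 03 10:00:00 2012
From: alice@example.org
Subject: lunch
Content-Type: text/plain

See you at noon.

From bob@example.org Sat Mar 03 11:00:00 2012
From: bob@example.org
Subject: newsletter
Content-Type: text/html

<p>Read more at <a href="http://www.example.org/news">www.example.org/news</a></p>

From billing@bank-example.com Sat Mar 03 12:00:00 2012
From: billing@bank-example.com
Subject: verify your account
Content-Type: text/html

<p>Log in at <a href="http://203.0.113.7/login">https://www.bank-example.com/login</a></p>
"""

ANCHOR_RE = re.compile(r'<a\b[^>]*?href\s*=\s*["\']?([^"\'\s>]+)[^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")
LOOKS_LIKE_URL = re.compile(r"^(https?://|www\.)\S+$", re.IGNORECASE)


def _host(url):
    """Lower-cased host of a URL or bare hostname, with a leading 'www.' dropped."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def spoofed_links(html):
    """(display_host, real_host) for every link whose visible text is a URL that
    names a different host than the href. Simplified version of the idea behind
    ClamAV's SpoofedDomain phishing check, not ClamAV's own logic."""
    hits = []
    for href, text in ANCHOR_RE.findall(html):
        visible = TAG_RE.sub("", text).strip()
        if not LOOKS_LIKE_URL.match(visible):
            continue  # "Click here" style text makes no domain claim
        shown, real = _host(visible), _host(href)
        if shown and real and shown != real:
            hits.append((shown, real))
    return hits


def split_mbox(mbox_path, out_dir):
    """Write every message of a Thunderbird folder file (assumed plain mbox) to
    out_dir/NNNN.eml so each can be scanned on its own; return the paths."""
    os.makedirs(out_dir, exist_ok=True)
    box, paths = mailbox.mbox(mbox_path), []
    try:
        for i, msg in enumerate(box.itervalues()):
            path = os.path.join(out_dir, f"{i:04d}.eml")
            with open(path, "wb") as f:
                f.write(msg.as_bytes())
            paths.append(path)
    finally:
        box.close()
    return paths


def find_suspects(mbox_path, out_dir):
    """Map each split file to (subject, spoofed links found in its text parts)."""
    report = {}
    for path in split_mbox(mbox_path, out_dir):
        with open(path, "rb") as f:
            msg = BytesParser(policy=policy.default).parse(f)
        hits = []
        for part in msg.walk():
            if part.get_content_type() in ("text/html", "text/plain"):
                try:
                    hits += spoofed_links(part.get_content())
                except (LookupError, UnicodeError):
                    continue  # undecodable part: skip it, keep scanning the rest
        report[os.path.basename(path)] = (str(msg["Subject"]), hits)
    return report


def clamscan_each(out_dir):
    """Hypothetical helper: run the real scanner over the split files and keep
    clamscan's verdict line per file. Needs ClamAV on PATH; returns {} otherwise."""
    if shutil.which("clamscan") is None:
        return {}
    verdicts = {}
    for name in sorted(os.listdir(out_dir)):
        run = subprocess.run(["clamscan", "--no-summary", os.path.join(out_dir, name)],
                             capture_output=True, text=True)
        verdicts[name] = run.stdout.strip()  # e.g. "...: Phishing.Email.SpoofedDomain FOUND"
    return verdicts


def demo():
    """Write the constructed sample to a temp dir, split it and report suspects."""
    work = tempfile.mkdtemp(prefix="mboxsplit-")
    try:
        mbox_path = os.path.join(work, "Inbox")
        with open(mbox_path, "wb") as f:
            f.write(SAMPLE_MBOX)
        return find_suspects(mbox_path, os.path.join(work, "split"))
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for name, (subject, hits) in demo().items():
        flag = "SUSPECT" if hits else "ok"
        print(f"{name}  {flag:7}  {subject}  {hits}")
```

Against a real profile, point `find_suspects` at the folder file (Thunderbird must be closed so the mbox is not half-written) and then run `clamscan_each`, or ClamWin's own scanner, over the split directory: because the scanner now reports per file, the one message that triggers Phishing.Email.SpoofedDomain is identified by name, and the remaining .eml files can be kept or re-imported untouched. Note what the heuristic does and does not tell you: it fires on a mismatch between the host a link shows and the host it opens, which is exactly what a phishing mail does, but also what some legitimate newsletters do through tracking redirectors, which is why the thread's advice to treat this signature as a likely false positive and confirm with a second opinion is sound.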
Thanks! I'll try it.
faster
Joined: 03 Mar 2012
Posts: 13
This WILL work for me, once I've cornered the precise e-mail.

It has to be from the e-mail, because I haven't had a single e-mail with an attachment in several years. Your suggestion is very helpful, and I'll do it. But first, tell me, CAN a quarantined file be put back intact, if it isn't really infected? I'm worried that my whole Inbox might be quarantined, and I know all but one of them are clean. This one sneaked past all my scrupulous cautions and protections.

Moreover, I'd far prefer to use Spybot's Secure Shredder for a genuinely infected file of any kind. I suppose I could use it on the file in quarantine?

I'm sad about the DOS scan. It's even better than Safe Mode. I have used Clamwin in Safe Mode.

I just got kicked with something that unloaded my mouse, and later my keyboard while I was online. But the Safe Mode scan didn't find it; just the one I mentioned before. My PC has many bad things that no AV scanner can detect; I've learned to live with them. Nor do I think this one e-mail has caused any of them, so you are very likely right. This is recent; the others aren't.

Is it possible that hack attempts don't leave any files behind? Kind of hit and run?

I have one question about hacking. How do its methods of accessing and infecting a PC differ from those of garden-variety malware? I suppose that's a question that would require reams to answer, but I'd like to know at least some, if possible. So I can know where to look to find my system's loopholes and close them, also if possible. What you describe as "Spear phishing" is likely behind some of my hacks. They couldn't possibly have been made at the public at large, being rather user-specific. One attacker even tried opening "Email+Passwords.doc" on my desktop, even when I wasn't online. The attempt failed, but its malicious intent was rather clear to me. They won't succeed a second time, since I put its contents into another file with a boring name, and replaced it with a "love note" using language I never ordinarily use.

Most malware is intended to defraud in some fashion. Although I get both kinds, my unfindable malware is bent on attacking just me. Its intent is to gag me and cause harm. But if possible, it'd steal, too, I imagine. I don't keep personal info on my PC; they can search till they're blue. My info is ALL on paper. I NEVER pay online for anything, don't use any social media - because there are people like that, nothing in my PC is safe.

You have been MOST helpful, and highly informative, and I thank you muchly for it!
GuitarBob
Joined: 09 Jul 2006
Posts: 4937
Location: USA
Safe mode will sometimes find the "cheap" viruses--the ones written by people that are not real good.

The ClamWin QRecover utility will restore files quarantined by ClamWin quarantine. It was written after a wide-spread false positive (not real) detection quarantined a bunch of files on networks employing ClamWin. You can access QRecover with Start, All Programs, ClamWin, Quarantine Browser. You can also go to the ClamWin program folder, Bin subfolder and click on Qrecover.exe, which is the Quarantine Browser. It is pretty simple to use.

You can remove a file from the ClamWin Quarantine folder any way you want--delete it manually or delete/shred it with any other program.

I think that a successful hacking attempt will usually leave something behind--unless it was conducted by CIA-level hackers.

Malware and hacking are used to mean the same thing mostly. Technically, I suppose malware is more automated, while hacking involves more manual work. Hackers can employ malware.

The majority of Windows viruses will be found in c:\users\ (Documents and Settings on XP and older machines), c:\Windows\System32, and in memory (if one is active). Once in a while you will see one in the programs folder or in its own C:\ folder (not under the programs folder), or on the desktop.

Let me suggest three free security software programs to you: (1) Kaspersky TDSSKiller can detect the most common/high-tech hidden rootkits. It is updated automatically via a zip file when you run it. Go to http://support.kaspersky.com/faq/?qid=208283363 to download it. (2) You can get a free rescue CD from one of the large AV companies that boots up with the Linux OS and has a Linux version of their AV that will run on any computer. I like the ones from F-Secure and Kaspersky. (3) The free version of Malwarebytes is pretty good at finding a lot of malware. I have seen it find/remove over 200 infections from a computer several times. You can get it from the Malwarebytes web site or one of the popular download sites. There is a one-time use only version around somewhere--don't get it--get the free version that you can use all the time and keep it around. It is an on-demand scanner only, so it scans only when you tell it to and is therefore light on system resources.

Regards,
Great suggestions!
faster
Joined: 03 Mar 2012
Posts: 13
Kowabunga! Then I won't worry about quarantining something I can't get back. Mondo-cool.

I should HOPE I'm not being hacked by the CIA! I'm just a little old, disabled retired lady living in Mexico on SS. I can't even threaten the bugs that invade my house.

Sure, hackers can employ malware, and probably often do. But they target their victims. Which is much worse, even if less widely destructive, because the targeting is more often vicious than merely greedy.

There are things, like modules, that remain active after I go offline. They disrupt other PC activities in odd ways. No big deal, but I do notice them. When I reboot, they're gone. But no program that tells me what modules are active helps me identify anything. Could be they use legitimate modules or browser components and hide in them.

But I'm a realist. I don't expect any AV program to find everything. None ever has, nor will. They just do their best, and I can't ask for more. I DO appreciate the ones that are free to all, though. That's fantastic.

Hackers use VERY ingenious and sophisticated, often custom-designed methods to gain access where malware would fail. They are also highly motivated to do the harm they do. Malware just gets thrown out there hoping it'll stick to something. Like sh*t to a blanket. It isn't malware that is coming from the overseas hackers in unfriendly countries like China. Their intent is espionage.

Are these programs you suggest compatible with Ubuntu? I'm planning to use it soon.

I wish I could show you my one-of-a-kind handmade classic guitar. I can't use it any more, but professionals used to BEG me to let them borrow it! Which I did. I play guitar and piano. I wish you many long years of blissful strummin'.
GuitarBob
Joined: 09 Jul 2006
Posts: 4937
Location: USA
The programs I mentioned are all for the Windows operating system. The rescue CDs use a self-contained version of Linux, but about all you can do with them is scan with their AV. They are quite good. A Windows virus can't hide from an AV that runs under an operating system that isn't on the hard drive, providing the AV has a signature for it. You should run the AV from a wired (not wireless) system so it can update properly before using it. I like the F-Secure rescue CD, which is available at http://www.f-secure.com/en/web/labs_global/removal/rescue-cd on the web.

If the virus keeps coming back, I suspect you have a Master Boot Record (MBR) virus. The Linux AVs can only identify, but not remove, them. The Kaspersky TDSSKiller can remove the most dangerous/common ones.

Thanks for the good strumming wishes--and the same to you. I have 55 songs copyrighted with the Library of Congress, and they were all done with my trusty Hohner dreadnought!

Regards,
faster
Joined: 03 Mar 2012
Posts: 13
You really DO love guitar music! Fabulous. My real instrument is piano. Guitar is more for a brief diversion, because I have dinky hands and can't hold a finger across a bunch of strings. So I can only do so much with it. I want to sell my gorgeous classic guitar.

It's going to take me a while to start checking out all the stuff you've suggested. I don't move real fast these days, except on the keyboard, where I can type as fast as I think. Sad that it doesn't make music, tho! You've been so helpful it's going to take a lot of time to go through and try them all.

But I will be back. Mainly because I keep getting hit by one son-of-two-strangers or another.

So I'm going to sign off here temporarily for a while. Again with boundless thanks!

Holly in Mexico