Email virus

The Rocketry Forum


qquake2k

Apparently I have a virus that is sending bogus emails to my contacts. I don't use web based email like Yahoo or Gmail, I'm using Windows Mail (Windows Vista 64bit) with my Comcast email address. I did a full scan with Norton, which didn't find anything. I'm running a scan with Kaspersky right now. It's not complete yet, but it did find something called "trojan-spy.html.fraud.gen". Could that be the cause? Is there another anti-virus program out there that's better than Norton or Kaspersky? I was going to try AVG if Kaspersky didn't find anything. If Kaspersky and/or AVG don't fix it, what else can I try?
 
All the various programs will find different things; running multiple is a good idea.

Consider adding Malwarebytes to the list of what you're running.

-Kevin
 
Typically it's not the anti-virus program, but the definition files. Is Norton updated with the latest definition / DAT file? Or are they old?
 
The "trojan-spy.html.fraud.gen" thing is something malicious websites use to steal your user info.

It's possible that there is no virus on your computer, but the spammer is directly accessing your email account to harvest contact info and send emails. Therefore, if you haven't done it already, try changing the password on your email account.

-- Roger
 
Seems like an older exploit/ vulnerability... do you keep up on Microsoft patches and versions of IE?

https://www.securelist.com/en/descriptions/old66363

Seems like Vista is at end of life next April... which means no more patches from Microshaft:

https://windows.microsoft.com/en-us/windows/products/lifecycle

Details of the Trojan...

Trojan-Spy.HTML.Fraud.gen
Detected Dec 29 2004 10:37 GMT
Released Jul 23 2009 12:14 GMT
Published Dec 29 2004 10:37 GMT

Technical Details

This family of Trojans utilises spoofing technology. The Trojans themselves are contained in fake HTML pages. Messages, purportedly from banks, financial institutions, internet stores, software companies etc. are sent to users. These messages contain a link to the fake page; this link exploits the Frame Spoof vulnerability in Internet Explorer.

The Frame Spoof vulnerability is present in Internet Explorer v. 5.x and 6.x, and detailed in Microsoft Security Bulletin MS04-004. The bulletin also gives recommendations on how to recognise spoofed sites.

Once a user visits the fake site, and enters account details or personal information, these details will be sent to a malicious remote user, who will then have access to users' confidential information.
 
Typically it's not the anti-virus program, but the definition files. Is Norton updated with the latest definition / DAT file? Or are they old?

I have Norton set to update itself automatically. As far as I know, it's up to date.
 
It's common for someone else's email account to get hacked and use the email address in their contacts. The spammer makes it appear like the spam is coming from one of the other email addresses. You might not have been hacked at all.
 
Seems like an older exploit/ vulnerability... do you keep up on Microsoft patches and versions of IE? ... snip ... Once a user visits the fake site, and enters account details or personal information, these details will be sent to a malicious remote user, who will then have access to users' confidential information.

I read this description, but couldn't tell if it could cause the email problem or not. I'm running IE 8, but rarely use it. I find IE too bloated. I generally use Chrome or Firefox. I try to keep up on Windows updates, but sometimes get behind. After the Kaspersky scan finishes (it says several more hours), I'll try Malwarebytes then AVG. Is a mail program like Firefox more secure than Windows Mail?
 
It's common for someone else's email account to get hacked and use the email address in their contacts. The spammer makes it appear like the spam is coming from one of the other email addresses. You might not have been hacked at all.

Could someone have hacked my account even though I don't use web based email? That would mean they'd have to have gotten through Norton and my firewall. I know anything can be hacked, but is it likely in my case?

Also, I haven't changed the password on my email account yet, because I was afraid to open Windows Mail until I found and fixed the problem. Should I go ahead and change the password now?
 
Also, I haven't changed the password on my email account yet, because I was afraid to open Windows Mail until I found and fixed the problem. Should I go ahead and change the password now?

Yes. But, you need to change the password through your ISP. Then change the password in your mail program to match the new password.

-- Roger
 
I have Norton set to update itself automatically. As far as I know, it's up to date.

Not necessarily... check the date as sometimes automatic updates can fail. Date should be recent... a few days... week at most. Anything older than that, you should run update manually.
 
Yes. But, you need to change the password through your ISP. Then change the password in your mail program to match the new password.

-- Roger


Correct... change the ISP email PW to something strong... the longer and more cryptic the better. Folks usually forget the obvious, don't set it to Password and use a sentence if it helps to remember it. For example:

1_l0v3_r0ck3t$ (I love rockets)
iH@t3W1nd0Wz (I hate Windows)
T@k3m3oUt$1d3 (Take me outside)

My PWs are usually 25 - 35 characters long. ; )
 
For me, Norton's auto update only does the virus defs. I have to run LiveUpdate manually to update the program itself.
 
Not necessarily... check the date as sometimes automatic updates can fail. Date should be recent... a few days... week at most. Anything older than that, you should run update manually.
Norton seems to check for updates on an hourly basis so that shouldn't be the issue.

Jim, it's more likely someone has "discovered" your email address and is spamming with it from another location, i.e. an open server in China. Spam that fails to be delivered can bounce back to your email account with a failure notice. Check your email's "Sent" box and see what if anything has been sent out through your Comcast account.

Comcast is very good at tracking compromised email accounts on their own servers and usually knows about it before you do. It's a standard operating procedure to require you to change the outgoing mail port to prevent malware spam from getting out.

Vista? Double plus ungood.
 
Norton seems to check for updates on an hourly basis so that shouldn't be the issue.

Jim, it's more likely someone has "discovered" your email address and is spamming with it from another location, i.e. an open server in China. Spam that fails to be delivered can bounce back to your email account with a failure notice. Check your email's "Sent" box and see what if anything has been sent out through your Comcast account.

Comcast is very good at tracking compromised email accounts on their own servers and usually knows about it before you do. It's a standard operating procedure to require you to change the outgoing mail port to prevent malware spam from getting out.

Vista? Double plus ungood.

Well, I already changed the password through Comcast. What do you think about Thunderbird vs. Windows Mail? Is one more secure than the other?

"Double plus ungood"?
 
Could someone have hacked my account even though I don't use web based email? That would mean they'd have to have gotten through Norton and my firewall. I know anything can be hacked, but is it likely in my case?

Also, I haven't changed the password on my email account yet, because I was afraid to open Windows Mail until I found and fixed the problem. Should I go ahead and change the password now?

The hacker doesn't need to get to your email account, just someone else's who has you in their contact list. The spammer then uses your email address as the spoofed source, making you and others think it came from you.

On the other hand, you could have been hacked by visiting a site that wasn't caught by your antivirus software. Outlook is known to be quite vulnerable. Web-based mail with good password encryption and mail filtering seems better (I use gmail).

I used to have problems with Norton. Since using AVG for a few years, I haven't had as many problems. It does live updates to both the definition files and its software.
 
The hacker doesn't need to get to your email account, just someone else's who has you in their contact list. The spammer then uses your email address as the spoofed source, making you and others think it came from you.

On the other hand, you could have been hacked by visiting a site that wasn't caught by your antivirus software. Outlook is known to be quite vulnerable. Web-based mail with good password encryption and mail filtering seems better (I use gmail).

I used to have problems with Norton. Since using AVG for a few years, I haven't had as many problems. It does live updates to both the definition files and its software.

Honestly, I've never liked Norton. The only reason I'm using it, is because it comes free with my Comcast account. But if it leaves me vulnerable, even free isn't worth it. The problem is, which anti-virus software to choose? I used to use McAfee when it was free from Comcast, but I got a virus one time with it too. I've always heard good things about AVG, and use AVG Pro at work. But I've been hearing good things about Kaspersky, too. Then there's Trend Micro, and probably dozens of others. Choosing one could be a daunting challenge.
 
At work we have deployed McAfee globally and as with all products it has its good points and bad. It's extremely CPU intensive; however, it's usually one of the better products for detection / cleaning. As with any anti-virus / anti-malware utility the key is keeping it up to date and running periodic scans. At home I use the free Microsoft Security Essentials product as I only run Windows within a Virtual Machine... I'm 100% Apple (5 Macs) at home and for the last 2 years haven't had any issues.

Keep in mind that viruses typically enter into a system via user error... visiting a malicious website, clicking on a link within a malformed email (phishing), downloads from untrusted locations (trojans), or from pictures you try to hide from your significant other (porn).

As stated above, I run a Windows VM for gaming. If the VM is compromised, I revert it to a known good state and I'm back in business within a few mins.

On my Mac, I don't open emails from untrusted sources and if there is an attachment that I wasn't expecting, I simply delete the email.
 
Sorry to hear it. Wondered why you were gone...

Best bet IMO, create a virus scan boot disk from another computer, hopefully one known to be free of problems, and boot that disk/CD and run your scans. Most virus software comes with instructions for doing that. If you just run scans booting off the infected disk it could just keep coming back. Went through that with my wife's machine a few years ago. Only thing that cured it was to boot from a virus scan recovery disk. JMO, and it's worth what you paid for it.
 
Apparently I have a virus that is sending bogus emails to my contacts.... snip ... what else can I try?

What makes you think it's coming from your email? Did someone else get an email with your return address? Just because it has your email as the reply-to doesn't mean it came from your email. Have you seen one of these emails and looked at the header information? If you listen to jsdemar, I would check that first.
 
I have Norton set to update itself automatically. As far as I know, it's up to date.
You also have to keep your version of Windows and IE up to date with the latest maintenance releases and patches.

Beware of phishing attempts, including spear-phishing and hybrid spear-phishing.


Also, the emails may not actually be coming from your account, but are only being made to look like they are.

The free Microsoft Security Essentials for Windows Vista and Windows 7 is a very good anti-malware tool.
 
Well, I ran full scans with Norton, Kaspersky, AVG, and Malwarebytes. Kaspersky found "trojan-spy.html.fraud.gen", and quarantined it. Malwarebytes found "search.hijacker" and "rogue.antivirussuite.gen" and quarantined them. Those of you that suggested the emails weren't actually coming from my PC, I think you're right. I finally opened Windows Mail, and there weren't any emails I didn't send in the Sent folder. But I do think someone got a hold of my email address somehow. I have changed the password to a more secure one.

What's interesting to me is the "search.hijacker" that Malwarebytes found. When I got my new laptop a few months ago, I got a search engine hijacker virus somehow right after I started using it. Nothing would get rid of it, I finally had to revert it to its new state with the partition. But I found no evidence of a hijacker virus on my desktop PC. Whatever it was, though, I'm glad it's gone.

Thanks guys, for all your help and suggestions.
 
Microsoft Security Essentials is much better than Norton and it's free. It doesn't slow down your computer like Norton does. Mailwasher Pro is a good front end to Outlook for viewing emails while they're still on the ISP's mail server. You can delete them there or load them into Outlook.
 
I feel your pain Jim. I got hacked last year. My club president plus all my contacts, got some emails sent from my yahoo address, about erectile dysfunction. Kind of embarrassing trying to figure out and explain that crap. After about 1 month of everyone in my contact list getting unwanted emails, it seemed to have quit. Go figure?.!
 
I feel your pain Jim. I got hacked last year. My club president plus all my contacts, got some emails sent from my yahoo address, about erectile dysfunction. Kind of embarrassing trying to figure out and explain that crap. After about 1 month of everyone in my contact list getting unwanted emails, it seemed to have quit. Go figure?.!

Interesting. My son got an email that seemed to be from me, about Viagra pills. I hate hackers and spam, more than I hate paint!
 
Microsoft Security Essentials is much better than Norton and it's free. It doesn't slow down your computer like Norton does. Mailwasher Pro is a good front end to Outlook for viewing emails while they're still on the ISP's mail server. You can delete them there or load them into Outlook.

I have to be honest, I'm not a fan of anything Microsoft. I see them as a necessary evil (very evil), since they have such a monopoly. I haven't heard much about Microsoft Security Essentials one way or the other. And the latest Norton doesn't noticeably slow down my PC like earlier versions did. My biggest problem with Norton is that it didn't find the malware that other programs did.
 
Those of you that suggested the emails weren't actually coming from my PC, I think you're right. I finally opened Windows Mail, and there weren't any emails I didn't send in the Sent folder. But I do think someone got a hold of my email address somehow. I have changed the password to a more secure one.

If your PC had been infected, you wouldn't have seen emails in the sent folder. The spam viruses run in the background and send the emails straight to your ISP's mail server or, more likely, straight to each recipient's mail server.

You've done the right things. You've ensured that your PC is not infected. And you've changed the password on the email account. So, you know that your computer and email account cannot be the source of the spam.

If the spam continues then it is because one of the spammers is just using your email address. It's as if someone in Russia mailed a letter to someone in the US and put your return address on the letter. There's little you can do in this case.

If you or someone you know gets one of the spam messages, you can look at the "source" of the message to see the information in the header. That may help you track down the source of the spam - most likely an infected computer.

But, chances are the spam emails with your address will stop soon when the spam program decides to use a different address, the infected computer (or its ISP) is blocked by spam blacklists, or the infected computer is fixed or turned off.

-- Roger
 
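Roger's suggestion above (and the earlier one to look at the header information) can be done mechanically. What follows is an added example, not code from anyone in this thread: it walks the Received: chain of a message from the newest hop down and reports the last handoff that our own mail server vouches for. The two messages, the host names and the IP addresses (documentation ranges) are constructed; treating every host under one suffix ("comcast.net") as the sender's ISP outbound relay is an assumption made for the example, since real ISPs publish their sending hosts through SPF instead.

```python
"""Walk a message's Received: chain to tell a spoofed From: from mail that
really passed through the sender's ISP.

Added example, not code from the thread. Both messages, host names and IPs
(documentation ranges) are constructed; "everything under comcast.net is the
ISP's outbound relay" is an assumption made for the example.
"""
import email
import email.utils
import re

HELO_RE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)   # name the client announced
RDNS_RE = re.compile(r"\(([^()\s\[\]]+)\s+\[")            # name our server resolved
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def in_domain(host, suffix):
    """True if host is suffix or a subdomain of it ('evilcomcast.net' is not)."""
    host = (host or "").lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def parse_hop(value):
    """Split one Received: value into (helo, rdns, ip, by_host)."""
    text = " ".join(value.split())                  # join folded continuation lines
    helo, rdns, ip, by = (r.search(text) for r in (HELO_RE, RDNS_RE, IP_RE, BY_RE))
    return (
        helo.group(1) if helo else None,
        rdns.group(1) if rdns else None,
        ip.group(1) if ip else None,
        by.group(1).rstrip(";,") if by else None,
    )


def analyze(raw, trusted_suffix, isp_suffix):
    """Report the last hop that our own servers vouch for, and what it implies.

    Only Received: lines written *by* our servers (trusted_suffix) can be
    believed; everything below them arrived as text the sender could have
    typed, so a spammer can add a fake hop that says "by omta01.comcast.net".
    """
    msg = email.message_from_bytes(raw)
    hops = [parse_hop(h) for h in msg.get_all("Received", [])]   # newest first
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]

    handoff = None
    for helo, rdns, ip, by in hops:
        if not in_domain(by, trusted_suffix):
            break                                   # past the last trustworthy hop
        # HELO is chosen by the client, so fall back to the IP, not the HELO name.
        peer = rdns if rdns and rdns != "unknown" else ip or helo
        if not in_domain(peer, trusted_suffix):
            handoff = (peer, ip)                    # first external host we saw
            break

    if handoff is None:
        verdict = "unknown"
    elif in_domain(handoff[0], isp_suffix):
        verdict = "relayed by sender's ISP"         # account or PC on that ISP involved
    else:
        verdict = "spoofed from elsewhere"          # address reused; ISP never saw it

    return {
        "from": from_addr,
        "verdict": verdict,
        "handoff": handoff,
        "claimed_origin": hops[-1][2] if hops else None,   # oldest hop; unverifiable
    }


# Constructed: From: shows jim@comcast.net, but our MX got it from an unrelated
# relay. The bottom Received: line is a forged one that claims a Comcast exit.
SPOOFED = b"""Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby mail.recipient.example (Postfix) with ESMTP id ABC123
\tfor <son@recipient.example>; Tue, 4 Oct 2011 10:00:00 -0400
Received: from JIMS-PC (unknown [198.51.100.77])
\tby omta01.comcast.net with SMTP id 1; Tue, 4 Oct 2011 09:59:58 -0400
From: Jim <jim@comcast.net>
Subject: cheap pills

buy now
"""

# Constructed: same From:, but our MX got it from Comcast's outbound relay,
# which logged the customer's PC. Here the account or the PC really is involved.
LEGIT = b"""Received: from omta01.comcast.net (omta01.comcast.net [192.0.2.25])
\tby mail.recipient.example (Postfix) with ESMTP id DEF456
\tfor <son@recipient.example>; Tue, 4 Oct 2011 10:00:00 -0400
Received: from JIMS-PC ([198.51.100.5])
\tby omta01.comcast.net with SMTP id 2; Tue, 4 Oct 2011 09:59:58 -0400
From: Jim <jim@comcast.net>
Subject: hello

hi
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, analyze(raw, "recipient.example", "comcast.net"))
```

Run it and the spoofed message reports a handoff from mx.example.org even though its bottom Received: line claims to have left omta01.comcast.net; that bottom line is text the spammer wrote, which is why the walk stops at the first hop not written by a trusted server. The legit message reports Comcast's relay as the handoff, which is the case where the advice to change the password and clean the PC actually applies.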
Could someone have hacked my account even though I don't use web based email? That would mean they'd have to have gotten through Norton and my firewall. I know anything can be hacked, but is it likely in my case?

Also, I haven't changed the password on my email account yet, because I was afraid to open Windows Mail until I found and fixed the problem. Should I go ahead and change the password now?


What he is talking about is something called "phishing." This is the most common email threat these days, and it doesn't matter what operating system or email program/service you use (though some of the online services and anti-malware programs do a decent job at flagging phishing attempts).

The bad guys send you an official looking email purporting to come from a bank, a retailer, a govt. agency, etc., asking you to update information, or bringing a link to your attention. You'll end up at a form, where you enter information, thinking it is going to the bank/retailer/agency but in reality it is going to the phisher. They then use the information in whatever bad way they want.

These *can* be easy to spot (i.e. you don't have an account at that bank, never shop at that retailer, so why would they be emailing you?), and they often have misspelled words or broken English. Most email programs allow you to see where a link is going before you click it; you can mouse over that link to www.suntrust.com and find out it is really going to haxorman.happyfuntime.co.ru!

Some are just the online equivalent of "for a good time, call xxx.xxx.xxxx," inviting you to see the latest nekkid pics of a celebrity, or hilarious antics of a honey badger, or the outrageous thing some politician said. This happened a lot on Facebook over the past couple of years.

Some don't even do anything to get your private information, they just use your public information (i.e. your email address) to spoof others.


Just always be careful about where you click, and never fill out a form unless you know exactly where it is going. (and then there are the cross-site scripting attacks....)
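The mouse-over check in the post above can be scripted for a whole message. This is an added example, not code from the poster: it pulls every link out of an HTML mail body and flags three patterns, a visible URL that differs from the real target, a link to a bare IP address, and a host that borrows a trusted brand name under someone else's domain. The sample body and the host names in it are constructed; suntrust.com appears only because the post mentions it, and the list of trusted domains is something the caller supplies.

```python
"""Scripted version of "mouse over the link and see where it really goes".

Added example, not code from the thread. The sample HTML and every host name
in it are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

IP_HOST = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
URL_LIKE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)


def in_domain(host, suffix):
    """True if host is suffix or a subdomain of it ('evilsuntrust.com' is not)."""
    host = (host or "").lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:           # only text the reader sees as the link
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(s):
    """Host of an http(s) URL, '' for any other scheme. Bare 'www.bank.com/...'
    text, as people write it in mail, is treated as http."""
    parts = urlsplit(s.strip())
    if not parts.scheme:
        parts = urlsplit("http://" + s.strip())
    if parts.scheme not in ("http", "https"):
        return ""
    return (parts.hostname or "").lower()


def check_links(html_body, trusted_domains):
    """Return (reason, visible_text, target_host) for each suspicious link."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if not target:                       # mailto:, javascript:, in-page anchors
            continue
        reason = None
        if URL_LIKE.fullmatch(text) and host_of(text) != target:
            reason = "visible URL differs from target"
        elif IP_HOST.fullmatch(target):
            reason = "link to a bare IP address"
        elif any(d.split(".")[0] in target and not in_domain(target, d)
                 for d in trusted_domains):
            reason = "lookalike of a trusted domain"
        if reason:
            findings.append((reason, text, target))
    return findings


# Constructed sample body in the style of the bank phish described above.
SAMPLE_HTML = """
<p>Your account needs attention. Sign in at
<a href="http://www.suntrust.com.haxorman.happyfuntime.co.ru/login">www.suntrust.com</a></p>
<p>Or <a href="http://198.51.100.77/verify">click here</a> to verify.</p>
<p>Questions? <a href="http://suntrust-secure.example/help">Update your details</a></p>
<p>Visit <a href="https://www.suntrust.com/">our site</a> or
<a href="mailto:help@suntrust.com">email us</a>.</p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_HTML, ["suntrust.com"]):
        print(*finding, sep=" | ")
```

The last two links in the sample come back clean, the other three are each flagged once. The check only compares hosts it can see in ASCII; a domain that uses look-alike Unicode letters would pass the lookalike test here, so this is a first filter, not a substitute for the advice in the post to never fill out a form unless you know where it is going.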
 
Once got an email that said it was from a major lender, sent a copy to them asking is this from you?... never got either an answer or another 'phish' from that source.
rex
 