Help identifying virus

HeyBub

Flightless Bird
I get an email. Almost instantly another email "arrives" with the same
subject but containing the following text:

--- begin quote
Hello

How are you doing recently?

I would like to introduce you a very good company which i knew. Their

website is www.ebakm.com They can offer

you all kinds of electronical products which you need,like Laptops ,GPS ,TV
LCD,Cell Phones,PS3,MP3/4,Watch etc........

Please take some time to have a check ,there must be something you 'd like
to purchase .

Hope you have a good mood in shopping from their company !

Best Regards!!!

--- end quote



I suspect it's a virus existing locally because the headers make no sense
and SpamCop agrees that the header is incomplete/missing.



Resident Avast has never complained and online scanning by both McAfee and
another found nothing.



It's a mystery.



Thanks for your help.
 
David H. Lipman

Flightless Bird
From: "HeyBub" <heybub@gmail.com>

| I get an email. Almost instantly another email "arrives" with the same
| subject but containing the following text:

| --- begin quote
| Hello

| How are you doing recently?

| I would like to introduce you a very good company which i knew. Their

| website is www.ebakm.com They can offer

| you all kinds of electronical products which you need,like Laptops ,GPS ,TV
| LCD,Cell Phones,PS3,MP3/4,Watch etc........

| Please take some time to have a check ,there must be something you 'd like
| to purchase .

| Hope you have a good mood in shopping from their company !

| Best Regards!!!

| --- end quote



| I suspect it's a virus existing locally because the headers make no sense
| and SpamCop agrees that the header is incomplete/missing.
| Resident Avast has never complained and online scanning by both McAfee and
| another found nothing.

| It's a mystery.
| Thanks for your help.


It's spam.

Either post the headers (obfuscating personal information) or just delete it and forget
about it.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
HeyBub

Flightless Bird
David H. Lipman wrote:
> From: "HeyBub" <heybub@gmail.com>
>
>> I get an email. Almost instantly another email "arrives" with the
>> same subject but containing the following text:

>
>> --- begin quote
>> Hello

>
>> How are you doing recently?

>
>> I would like to introduce you a very good company which i knew. Their

>
>> website is www.ebakm.com They can offer

>
>> you all kinds of electronical products which you need,like Laptops
>> ,GPS ,TV LCD,Cell Phones,PS3,MP3/4,Watch etc........

>
>> Please take some time to have a check ,there must be something you
>> 'd like to purchase .

>
>> Hope you have a good mood in shopping from their company !

>
>> Best Regards!!!

>
>> --- end quote

>
>
>
>> I suspect it's a virus existing locally because the headers make no
>> sense and SpamCop agrees that the header is incomplete/missing.
>> Resident Avast has never complained and online scanning by both
>> McAfee and another found nothing.

>
>> It's a mystery.
>> Thanks for your help.

>
>
> It's spam.
>
> Either post the headers (obfuscating personal information) or just
> delete it and forget about it.


Of course it's spam, but not really inasmuch as it wasn't sent as an email.
To restate the circumstances of its appearance:

I get an email from a known source, then, almost instantly, another email
"arrives" with exactly the same subject line as the righteous email but
containing the aforementioned text as the body.

The headers (probably) won't help. Here is a complete header, for what it's
worth:

--- begin "header"
Date: Mon, 8 Feb 2010 07:46:57 -0800
From: "(xxxxxx)" <(my name)>
To: campaign@proflowers.com
Message-ID: <63c388041002080746l16d91228v@mail.gmail.com>
Subject: Hello Re: Thank you for your ProFlowers order: xxxxxxxx
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Precedence: bulk
X-Autoreply: yes
--- end header

I get one of these on about half the legit emails. So far I haven't
established a pattern.
 
PA Bear [MS MVP]

Flightless Bird
Create a Message Rule that will automatically move such messages to Deleted
Items folder and mark it as Read. Then delete the message(s) without opening
them (of course).

Message Rules Tips
http://www.insideoe.com/tips/rules.htm

Why doesn't my rule work?
http://www.insideoe.com/faqs/why.htm#rules

HeyBub wrote:
> I get an email. Almost instantly another email "arrives" with the same
> subject but containing the following text:
>
> --- begin quote
> Hello
>
> How are you doing recently?
>
> I would like to introduce you a very good company which i knew. Their
>
> website is www.ebakm.com They can offer
>
> you all kinds of electronical products which you need,like Laptops ,GPS
> ,TV
> LCD,Cell Phones,PS3,MP3/4,Watch etc........
>
> Please take some time to have a check ,there must be something you 'd like
> to purchase .
>
> Hope you have a good mood in shopping from their company !
>
> Best Regards!!!
>
> --- end quote
>
>
>
> I suspect it's a virus existing locally because the headers make no sense
> and SpamCop agrees that the header is incomplete/missing.
>
>
>
> Resident Avast has never complained and online scanning by both McAfee
> and
> another found nothing.
>
>
>
> It's a mystery.
>
>
>
> Thanks for your help.
 
HeyBub

Flightless Bird
PA Bear [MS MVP] wrote:
> Create a Message Rule that will automatically move such messages to
> Deleted Items folder and mark it as Read. Then delete the message(s)
> without opening them (of course).
>
> Message Rules Tips
> http://www.insideoe.com/tips/rules.htm
>
> Why doesn't my rule work?
> http://www.insideoe.com/faqs/why.htm#rules
>


Thanks for the advice. I can already get rid of them. My question is not
what to do with these oddball messages when they "arrive," but what causes
them in the first place.
 
20100209

Flightless Bird
It is definitely a spam as David Lippy has authoritatively stated. I
shall add that these spammers always send out probes to see if the
account exists. The messages are generally blank or with nothing in it.

The best thing is to open it (no as pig-bear says not to open it) with a
view to finding out their tricks, which changes almost daily. What you
mustn't do, however, is to reply to them or even to complain to their
ISP because some ISPs are so stupid that they send the entire message of
complaints (including your headers and email address) to the spammer and
this ensures they know you exist and you get more spams.

hth




HeyBub wrote:
>
> I get an email. Almost instantly another email "arrives" with the same
> subject but containing the following text:
>
> --- begin quote
> Hello
>
> How are you doing recently?
>
> I would like to introduce you a very good company which i knew. Their
>
> website is www.ebakm.com They can offer
>
> you all kinds of electronical products which you need,like Laptops ,GPS ,TV
> LCD,Cell Phones,PS3,MP3/4,Watch etc........
>
> Please take some time to have a check ,there must be something you 'd like
> to purchase .
>
> Hope you have a good mood in shopping from their company !
>
> Best Regards!!!
>
> --- end quote
>
> I suspect it's a virus existing locally because the headers make no sense
> and SpamCop agrees that the header is incomplete/missing.
>
> Resident Avast has never complained and online scanning by both McAfee and
> another found nothing.
>
> It's a mystery.
>
> Thanks for your help.
 
Shenan Stanley

Flightless Bird
HeyBub wrote:
> I get an email. Almost instantly another email "arrives" with the
> same subject but containing the following text:
>
> --- begin quote
> Hello
>
> How are you doing recently?
>
> I would like to introduce you a very good company which i knew.
> Their website is www.ebakm.com They can offer
> you all kinds of electronical products which you need,like Laptops
> ,GPS ,TV LCD,Cell Phones,PS3,MP3/4,Watch etc........
>
> Please take some time to have a check ,there must be something
> you'd like to purchase .
>
> Hope you have a good mood in shopping from their company !
> Best Regards!!!
> --- end quote
>
> I suspect it's a virus existing locally because the headers make no
> sense and SpamCop agrees that the header is incomplete/missing.
>
> Resident Avast has never complained and online scanning by both
> McAfee and another found nothing.
>
> It's a mystery.
>
> Thanks for your help.


<brought in from another part of the conversation>
HeyBub wrote:
> I get an email from a known source, then, almost instantly, another
> email "arrives" with exactly the same subject line as the righteous
> email but containing the aforementioned text as the body.
>
> The headers (probably) won't help. Here is a complete header, for
> what it's worth:
>
> --- begin "header"
> Date: Mon, 8 Feb 2010 07:46:57 -0800
> From: "(xxxxxx)" <(my name)>
> To: campaign@proflowers.com
> Message-ID: <63c388041002080746l16d91228v@mail.gmail.com>
> Subject: Hello Re: Thank you for your ProFlowers order: xxxxxxxx
> MIME-Version: 1.0
> Content-Type: text/plain; charset=ISO-8859-1
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline
> Precedence: bulk
> X-Autoreply: yes
> --- end header
>
> I get one of these on about half the legit emails. So far I haven't
> established a pattern.

</brought in from another part of the conversation>

PA Bear [MS MVP] wrote:
> Create a Message Rule that will automatically move such messages to
> Deleted Items folder and mark it as Read. Then delete the
> message(s) without opening them (of course).
>
> Message Rules Tips
> http://www.insideoe.com/tips/rules.htm
>
> Why doesn't my rule work?
> http://www.insideoe.com/faqs/why.htm#rules


HeyBub wrote:
> Thanks for the advice. I can already get rid of them. My question
> is not what to do with these oddball messages when they "arrive,"
> but what causes them in the first place.


You have an Internet email address and actively receive email. Welcome to
the wonderful world of email.

What I would do is compare the valid full email header with the obvious spam
message that follows header and see where their pathing differs.

It is entirely plausible your system has a trojan/virus, your email provider
has one, the people sending the email have one or someone is doing an
excellent job sniffing a network somewhere down the line and putting in
words/phrases they can reproduce with a bot and emailing you.

Then again - you might be seeing something (a pattern) where none exists.
That's human nature.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
 
20100208

Flightless Bird
Shenan Stanley wrote:

>It is entirely plausible your system has a trojan/virus,
>


Hey Antipodean,

How did you work this out? A trojan can perform the following operations:

* Use of the machine as part of a botnet (i.e. to perform spamming or to
perform Distributed Denial-of-service (DDoS) attacks)
* Data theft (e.g. passwords, credit card information, etc.)
* Installation of software (including other malware)
* Downloading or uploading of files
* Modification or deletion of files
* Keystroke logging
* Viewing the user's screen
* Wasting computer storage space

Now HeyBoob has received completely innocent message offering:

"you all kinds of electronical products which you need, like Laptops
,GPS ,TV LCD,Cell Phones,PS3,MP3/4,Watch etc........"

There is no evidence that Heyboob's machine was used as part of botnet for spamming purpose nor any theft has taken place nor any software has been installed or performed any of the operations mentioned above.

It is completely ridiculous to suggest this without any evidence.

hth
 
Alex Clark

Flightless Bird
HeyBub,

Apparently everyone else replying to you is either too lazy to read your
message, or simply doesn't understand what you're saying, so maybe I can
offer a few pointers.

Have you actually tried installing antivirus (MBAM, AVG) and running a full
scan of your system? What email client are you using? If it's Outlook (not
Express) have you tried checking to see what plugins you have loaded? It
sounds as though it may be some kind of malware that's installed itself as a
plugin and is thus duplicating the incoming emails.

If you are using Outlook, you could try using Outlook Express to receive
emails to see if the same behaviour is duplicated there. When configuring
your account options, tell it to leave a copy of the messages on the server
so that you don't end up with half your emails in one app and the other half
in the other.

If the same thing happens in OE, then the malware is either operating at an
OS level or possibly (but highly unlikely) some sort of hack has occurred on
your ISP.

Hope that helps,
Alex Clark






"HeyBub" <heybub@gmail.com> wrote in message
news:eeqjH%23QqKHA.1948@TK2MSFTNGP05.phx.gbl...
>I get an email. Almost instantly another email "arrives" with the same
>subject but containing the following text:
>
> --- begin quote
> Hello
>
> How are you doing recently?
>
> I would like to introduce you a very good company which i knew. Their
>
> website is www.ebakm.com They can offer
>
> you all kinds of electronical products which you need,like Laptops ,GPS
> ,TV LCD,Cell Phones,PS3,MP3/4,Watch etc........
>
> Please take some time to have a check ,there must be something you 'd like
> to purchase .
>
> Hope you have a good mood in shopping from their company !
>
> Best Regards!!!
>
> --- end quote
>
>
>
> I suspect it's a virus existing locally because the headers make no sense
> and SpamCop agrees that the header is incomplete/missing.
>
>
>
> Resident Avast has never complained and online scanning by both McAfee
> and another found nothing.
>
>
>
> It's a mystery.
>
>
>
> Thanks for your help.
>
>
 
PA Bear [MS MVP]

Flightless Bird
Why do I keep getting adverts in my mailbox every week for stores &
businesses I've never heard of, that are hundreds of miles away from my home
and that I wouldn't patronize anyway?

Junk mail, be it snail mail or email, goes straight to the circular file,
unopened & unread.


HeyBub wrote:
> PA Bear [MS MVP] wrote:
>> Create a Message Rule that will automatically move such messages to
>> Deleted Items folder and mark it as Read. Then delete the message(s)
>> without opening them (of course).
>>
>> Message Rules Tips
>> http://www.insideoe.com/tips/rules.htm
>>
>> Why doesn't my rule work?
>> http://www.insideoe.com/faqs/why.htm#rules
>>

>
> Thanks for the advice. I can already get rid of them. My question is not
> what to do with these oddball messages when they "arrive," but what causes
> them in the first place.
 
dadiOH

Flightless Bird
PA Bear [MS MVP] wrote:
> Why do I keep getting adverts in my mailbox every week for stores &
> businesses I've never heard of, that are hundreds of miles away from
> my home and that I wouldn't patronize anyway?


You're missing his point...

1. He gets an email from a known source

2. He then gets SPAM with the *same subject* as the first - the one from the
known source.

--

dadiOH
____________________________

dadiOH's dandies v3.06...
....a help file of info about MP3s, recording from
LP/cassette and tips & tricks on this and that.
Get it at http://mysite.verizon.net/xico
 
dadiOH

Flightless Bird
HeyBub wrote:
> I get an email. Almost instantly another email "arrives" with the same
> subject but containing the following text:
>
> --- begin quote
> Hello
>
> How are you doing recently?


<snip>

Is there a pattern vis a vis the first email and the second? For example,
the SPAM always follows legit mail from a specific person or IP...

--

dadiOH
____________________________

dadiOH's dandies v3.06...
....a help file of info about MP3s, recording from
LP/cassette and tips & tricks on this and that.
Get it at http://mysite.verizon.net/xico
 
HeyBub

Flightless Bird
Alex Clark wrote:
> HeyBub,
>
> Apparently everyone else replying to you is either too lazy to read
> your message, or simply doesn't understand what you're saying, so
> maybe I can offer a few pointers.
>
> Have you actually tried installing antivirus (MBAM, AVG) and running
> a full scan of your system? What email client are you using? If
> it's Outlook (not Express) have you tried checking to see what
> plugins you have loaded? It sounds as though it may be some kind of
> malware that's installed itself as a plugin and is thus duplicating
> the incoming emails.
> If you are using Outlook, you could try using Outlook Express to
> receive emails to see if the same behaviour is duplicated there. When
> configuring your account options, tell it to leave a copy of the
> messages on the server so that you don't end up with half your emails
> in one app and the other half in the other.
>
> If the same thing happens in OE, then the malware is either operating
> at an OS level or possibly (but highly unlikely) some sort of hack
> has occurred on your ISP.
>
> Hope that helps,
> Alex Clark
>
>


Thanks. The system has been scanned by three different AV tools.

I'm using Outlook (not express). I've checked the add-ins and see nothing
remotely suspicious.

I'll try the Outlook Express trick. Thanks.
 
HeyBub

Flightless Bird
dadiOH wrote:
> HeyBub wrote:
>> I get an email. Almost instantly another email "arrives" with the
>> same subject but containing the following text:
>>
>> --- begin quote
>> Hello
>>
>> How are you doing recently?

>
> <snip>
>
> Is there a pattern vis a vis the first email and the second? For
> example, the SPAM always follows legit mail from a specific person or
> IP...


No. The message always follows a legit email, but the original sender seems
to be irrelevant. I'm reluctant to call it "spam" because I'm pretty sure it
was not actually SENT by a spammer. I think it's being generated internally
to my computer and stuffed in my in-box.
 
PA Bear [MS MVP]

Flightless Bird
It's not from a known source, it's from what looks to be a known source.
This is called spoofing.

dadiOH wrote:
> PA Bear [MS MVP] wrote:
>> Why do I keep getting adverts in my mailbox every week for stores &
>> businesses I've never heard of, that are hundreds of miles away from
>> my home and that I wouldn't patronize anyway?

>
> You're missing his point...
>
> 1. He gets an email from a known source
>
> 2. He then gets SPAM with the *same subject* as the first - the one from
> the
> known source.
 
dadiOH

Flightless Bird
PA Bear [MS MVP] wrote:
> It's not from a known source, it's from what looks to be a known
> source. This is called spoofing.


OP says...
"I get an email from a known source, then, almost instantly, another email
"arrives" with exactly the same subject line as the righteous email but
containing the aforementioned text as the body."

I took him at his word :)

dadiOH
____________

> dadiOH wrote:
>> PA Bear [MS MVP] wrote:
>>> Why do I keep getting adverts in my mailbox every week for stores &
>>> businesses I've never heard of, that are hundreds of miles away from
>>> my home and that I wouldn't patronize anyway?

>>
>> You're missing his point...
>>
>> 1. He gets an email from a known source
>>
>> 2. He then gets SPAM with the *same subject* as the first - the one
>> from the
>> known source.
 
Lem

Flightless Bird
HeyBub wrote:
> dadiOH wrote:
>> HeyBub wrote:
>>> I get an email. Almost instantly another email "arrives" with the
>>> same subject but containing the following text:
>>>
>>> --- begin quote
>>> Hello
>>>
>>> How are you doing recently?

>> <snip>
>>
>> Is there a pattern vis a vis the first email and the second? For
>> example, the SPAM always follows legit mail from a specific person or
>> IP...

>
> No. The message always follows a legit email, but the original sender seems
> to be irrelevant. I'm reluctant to call it "spam" because I'm pretty sure it
> was not actually SENT by a spammer. I think it's being generated internally
> to my computer and stuffed in my in-box.
>
>


It might be a bit tedious, but to confirm whether these spurious
messages are being generated locally or not, check the headers in your
inbox on your ISP's server without actually downloading anything. That
way you can see if messages with duplicate subjects are in fact arriving
at your ISP.

Some ISPs have a web interface to their POP3 mail. Or you might be able
to telnet into your inbox. Or use one of the various email removers that
work in a similar fashion (e.g., http://www.email-remover.com/index.htm)

--
Lem

Apollo 11 - 40 years ago:
http://www.nasa.gov/mission_pages/apollo/40th/index.html
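
The server-side check Lem describes, combined with the header comparison Shenan Stanley suggests earlier in the thread, as an added example (not code from any poster): it reads headers only over POP3, pairs messages whose subjects echo each other, and shows each one's `Received` hop count and auto-reply markers. Assumptions: the provider offers POP3 over TLS, the `LEGIT` sample and all `example.*` hosts are constructed, and `SUSPECT` reuses the header fields posted in the thread.

```python
import poplib
from email.parser import HeaderParser

def fetch_headers(host, user, password):
    """Headers of every message still on the server. TOP n 0 returns the
    header block only; nothing is downloaded in full or deleted."""
    box = poplib.POP3_SSL(host)  # assumes the provider offers POP3 over TLS
    try:
        box.user(user)
        box.pass_(password)
        count = len(box.list()[1])
        return [b"\r\n".join(box.top(i, 0)[1]).decode("latin-1")
                for i in range(1, count + 1)]
    finally:
        box.quit()

def summarize(raw):
    msg = HeaderParser().parsestr(raw)
    markers = ("X-Autoreply", "Auto-Submitted", "Precedence")
    return {
        "subject": " ".join((msg["Subject"] or "").split()),
        "hops": len(msg.get_all("Received", [])),  # relay trace lines
        "auto": [f"{h}: {msg[h]}" for h in markers if msg[h]],
        "message_id": msg["Message-ID"],
    }

def find_subject_echoes(raw_headers):
    """Pairs (earlier, later) where one subject ends with the other's."""
    items = [summarize(r) for r in raw_headers]
    pairs = []
    for i, a in enumerate(items):
        for b in items[i + 1:]:
            sa, sb = a["subject"].lower(), b["subject"].lower()
            if sa and sb and (sa.endswith(sb) or sb.endswith(sa)):
                pairs.append((a, b))
    return pairs

# Constructed sample: a normally relayed message (hosts/addresses invented).
LEGIT = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by pop.example.org with ESMTP; Mon, 8 Feb 2010 07:46:50 -0800
Received: from mailer.example.net (localhost [127.0.0.1])
    by mx.example.net with ESMTP; Mon, 8 Feb 2010 07:46:48 -0800
From: orders@example.net
To: user@example.org
Subject: Thank you for your ProFlowers order: xxxxxxxx
Message-ID: <constructed-1@example.net>
"""

# Header fields as posted in the thread (redactions as in the post).
SUSPECT = """\
Date: Mon, 8 Feb 2010 07:46:57 -0800
From: "(xxxxxx)" <(my name)>
To: campaign@proflowers.com
Message-ID: <63c388041002080746l16d91228v@mail.gmail.com>
Subject: Hello Re: Thank you for your ProFlowers order: xxxxxxxx
Precedence: bulk
X-Autoreply: yes
"""

if __name__ == "__main__":
    # Offline demo; on a real mailbox pass fetch_headers(host, user, pw).
    for first, second in find_subject_echoes([LEGIT, SUSPECT]):
        for m in (first, second):
            print(m["subject"], "| Received hops:", m["hops"], "|", m["auto"])
```

A pair that shows up in the list returned by `fetch_headers` means both messages are sitting on the server, so the second one was not created by the local mail client.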
 
20100209

Flightless Bird
HeyBub wrote:
>
> No. The message always follows a legit email, but the original sender seems
> to be irrelevant. I'm reluctant to call it "spam" because I'm pretty sure it
> was not actually SENT by a spammer. I think it's being generated internally
> to my computer and stuffed in my in-box.


Well in that case you can do only one thing and that will solve the
riddle once and for all.

1) Clone your HD and store it somewhere safe on an external drive;
2) Re-install the OS from scratch after formatting the HD;
3) Run your mail to see if the symptoms still persist;
4) If everything is OK then it is time to put back your cloned HD, and
this time copy only your main documents before wiping everything again.

The reason for doing this is to save time because if the problem is in
the mail server or at ISP then clearly there is no point in wiping
anything from the HD. However, if the problem is in the drive itself
then it is time to start all over again.

I believe, I am the only one to claim that Anti-virus, Anti-Malware
programs are NOT foolproof to all evils on this land nor are they a
silver bullet solution to all computer problems.

hth
 
Shenan Stanley

Flightless Bird
20100209 wrote:
> I believe, I am the only one to claim that Anti-virus, Anti-Malware
> programs are NOT foolproof to all evils on this land nor are they a
> silver bullet solution to all computer problems.


Only because no one ever made the claim that you didn't make that I have
seen anyway. ;-)

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
 
PA Bear [MS MVP]

Flightless Bird
Look at all the idiots in this newsgroup who post spoofing others. Do you
take their posts to be the real thing?

dadiOH wrote:
> PA Bear [MS MVP] wrote:
>> It's not from a known source, it's from what looks to be a known
>> source. This is called spoofing.

>
> OP says...
> "I get an email from a known source, then, almost instantly, another email
> "arrives" with exactly the same subject line as the righteous email but
> containing the aforementioned text as the body."
>
> I took him at his word :)
>
> dadiOH
> ____________
>
>> dadiOH wrote:
>>> PA Bear [MS MVP] wrote:
>>>> Why do I keep getting adverts in my mailbox every week for stores &
>>>> businesses I've never heard of, that are hundreds of miles away from
>>>> my home and that I wouldn't patronize anyway?
>>>
>>> You're missing his point...
>>>
>>> 1. He gets an email from a known source
>>>
>>> 2. He then gets SPAM with the *same subject* as the first - the one
>>> from the
>>> known source.
 