Avast Infected E-Mail

[redman]

I did have Avast set to repair and if failed, delete infected emails (I have since set it to delete only). The message shown in the screenshot has been trapped by my anti-spam filter. Is this the repaired remnants of an infected fake Microsoft message or is it still infected (just curious, I have no intention of allowing it through to my e-mail client)?

[bob3160]

redman
How can avast! repair this e-mail? Does it contain any malicious code?

[redman]

redman
How can avast! repair this e-mail? Does it contain any malicious code?

I've no idea, that's why I'm asking the question as to what this e-mail actually is. I had a warning when it was received and the Avast log says this (see screenshot):-

[bob3160]

redman
your file is blank?

[Lisandro]

Microsoft does not alert users of updates by email... They are mostly viruses or worms...
Well, I think I've read this in the avast forums a long time ago...

[redman]

Microsoft does not alert users of updates by email... They are mostly viruses or worms...
Well, I think I've read this in the avast forums a long time ago...

So, to get back to my original question - is the e-mail that is held by my anti-spam tool still infected or has Avast rendered it safe?

[watchthisspace]

Microsoft does not alert users of updates by email... They are mostly viruses or worms...
Well, I think I've read this in the avast forums a long time ago...

Yes they do, They don't send the users the update as well, In my opinion you should just delete this email, Im sure someone who has alot more knowledge than me will help you 

[redman]

redman
your file is blank?

Which file?

[bob3160]

redman
http://forum.avast.com/index.php?action=dlattach;topic=10412.0;id=2506

[Lisandro]

Is the e-mail that is held by my anti-spam tool still infected or has Avast rendered it safe?

If you choose 'OK' on virus alert, avast should just the email be downloaded... but the code was not run (i.e., the infected file is not executed). If you choose another action, like repair, delete, send to chest... the proper action will be executed.

About Microsoft emails, sorry, I'm seeing that my assumption was wrong...

[redman]

redman
http://forum.avast.com/index.php?action=dlattach;topic=10412.0;id=2506

Strange, I can see it on my screen.

[DavidR]

Microsoft does not alert users of updates by email... They are mostly viruses or worms...
Well, I think I've read this in the avast forums a long time ago...

Yes they do, They don't send the users the update as well, In my opinion you should just delete this email, Im sure someone who has alot more knowledge than me will help you 

MS don't send unsolicited email warning of viruses/updates, only if you have signed up to their email update notifications. So if you havent signed up be suspicious, be very suspicious.

[_Marco_]

Microsoft does not alert users of updates by email... They are mostly viruses or worms...
Well, I think I've read this in the avast forums a long time ago...

Yes they do, They don't send the users the update as well, In my opinion you should just delete this email, Im sure someone who has alot more knowledge than me will help you 

MS don't send unsolicited email warning of viruses/updates, only if you have signed up to their email update notifications. So if you havent signed up be suspicious, be very suspicious.
[/quote ]

I am agree, this email is very suspicious. For me is one Virus or Worm. Expecially if in this email is present an attach.

[redman]

I think from what I can tell, that Avast has deleted the attachment (if you look at the first screenshot in this thread you will see that the attachment field is blank) and allowed the main part of the e-mail since (presumably) it doesn't contain any viral code. In any case, from the grammar in the text alone, it is clear that it is not a legitimate e-mail. Here is the e-mail header (taken from the message stored in the junk box of my anti-spam program):-

Attachment: \upgrade382.exe   Virus: Win32:Swen [Wrm]   Deleted
Content-Type: multipart/mixed;
 boundary="ZZEE+_=_41ec1331F4C1B5A0564A0F4CC2EBBF7B6731DA2E0"
Date: Mon, 17 Jan 2005 11:53:53 +0100 (CET)
Delivered-To: va_plusn-valencia-newsgroups@valencia.plus.com
From: "Microsoft Corporation Security Bulletin" <zcrznexhq@confidence.microsoft.com>
Message-Id: <20050117105353.6561C1C00239@mwinf0606.wanadoo.fr>
Mime-Version: 1.0
Received: (qmail 31448 invoked from network); 17 Jan 2005 10:54:54 -0000
Received: from unknown (HELO ptb-mxcore02.plus.net) (212.159.14.216)
  by ptb-mailstore04.plus.net with SMTP; 17 Jan 2005 10:54:54 -0000
Received: from smtp6.wanadoo.fr ([193.252.22.25])
    by ptb-mxcore02.plus.net with esmtp (Exim) id 1CqUX8-000HJ8-6U
   for newsgroups@valencia.plus.com; Mon, 17 Jan 2005 10:54:54 +0000
Received: from me-wanadoo.net (localhost [127.0.0.1])
   by mwinf0606.wanadoo.fr (SMTP Server) with ESMTP id A39261C002AE;
   Mon, 17 Jan 2005 11:54:53 +0100 (CET)
Received: from bzrllmhy (Mix-Lyon-302-3-153.w193-248.abo.wanadoo.fr [193.248.230.153])
   by mwinf0606.wanadoo.fr (SMTP Server) with SMTP id 6561C1C00239;
   Mon, 17 Jan 2005 11:53:53 +0100 (CET)
Return-Path: <mairie.chamboeuf42@wanadoo.fr>
Subject: [avast! - INFECTED]   Latest Internet Patch
To: "Commercial Consumer" <consumer-ogtdui@confidence.microsoft.com>
X-Antivirus: avast! (VPS 0502-4, 16/01/2005), Inbound message
X-Antivirus-Status: Infected
X-Me-Uuid: 20050117105354415.6561C1C00239@mwinf0606.wanadoo.fr
X-Open-Relay: 193.252.22.25 is in a black list at bl.spamcop.net
X-Zzee-Translated: 1st Email Anti-Virus 4.0
X-ChoiceMail-OriginalAccount: email@valencia.plus.com

[redman]

Another query related to this: If I had had Avast set to delete in the Virus options for the e-mail scanner, would that have deleted the whole message in this case or just the attachment as has happened here? (it was set to repair if fail delete when this message was received).