Author Topic: Thank you Avast! mail scanner + a question  (Read 2874 times)

0 Members and 1 Guest are viewing this topic.

cooby

  • Guest
Thank you Avast! mail scanner + a question
« on: February 18, 2014, 11:44:29 PM »
I use yahoo mail. I use Seamonkey to gather yahoo mail using IMAP and SSL, so the alert/notification is totally correct. The infected message was most likely already in Junk mail folder over at yahoo.
See the slideup, and these quotes from the logs:
From Avast Mail.log
Quote
2/18/2014   4:56:10 PM   00000350:   --IMAP Mail is clean
2/18/2014   4:56:10 PM   00000350:   --IMAP Mail is clean
2/18/2014   4:56:20 PM   000005F0:   --IMAP Mail is clean
2/18/2014   4:56:20 PM   000005F0:   --IMAP Mail is clean
2/18/2014   4:56:20 PM   000005F0:   --IMAP Mail is clean
2/18/2014   4:56:40 PM   000005F0:   --IMAP Mail is infected
From Rpt-Mail.log where I save things
Quote
2/18/2014 4:56:39 PM   Incoming email 'Barclays transaction notification #799654' From: "Barclays Bank " <reports@barclays.net>, To: <many email addresses here|>Payment receipt Barclays PA77392733.zip#1654153047|>Payment receipt Barclays PA77392733.exe [L] Win32:Dropper-gen [Drp] (0)
While moving file to chest, error occurred: The system cannot find the file specified
File was successfully deleted...

This seems inconsistent: File can't be found and was deleted. Huh?????????
Should I do some extra scan of the SeaMonkey profile?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87288
  • No support PMs thanks
Re: Thank you Avast! mail scanner + a question
« Reply #1 on: February 19, 2014, 12:50:00 AM »
If it related to an attachment then the attachment may have been removed, emails (or rather their attachments) don't seem to get to the chest. Essentially even if it was able to sent it to the chest there would be no way to restore it to the email, the same may be true in the way emails keep the attachments, extraction could corrupt the email.

Presumably you don't have a Barclays bank account and this is a phishing/social networking type of attack.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.12.6044 (build 22.12.7758.768) UI 1.0.741/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

cooby

  • Guest
Re: Thank you Avast! mail scanner + a question
« Reply #2 on: February 20, 2014, 11:55:21 PM »
Thanks DavidR :)
Follow up, because it's a rare opportunity to learn how all this works and what to expect. And I'm still a bit baffled.

Yes, it's clearly one of those "click the attachment so we can give you a free trojan" mails.
It was addressed to multiple email addresses, mine is not in the list. Weird.
The .zip attachment name matches Avast log. This trash originated in India and came via France according to the mail header.

The "File was successfully deleted" in the log really is misleading because the message and the .zip attachment still exist in the SeaMonkey Junk mail folder. Does this seem right?

Using browser I went directly to my yahoo mail and this email is not there in the normal inbox, nor in the Spam folder. Normally when SeaMonkey classifies mail as junk I still would see it on the yahoo server. Do you think Avast deleted it there, because I did not?

I scanned the Seamonkey profile where mail resides and Avast showed nothing bad. It might be that being encrypted, the scanner doesn't see it and the inbound mail is just decoded once. Makes sense?

That's about 3-4 questions here, hope you don't mind :)
« Last Edit: February 20, 2014, 11:59:24 PM by cooby »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87288
  • No support PMs thanks
Re: Thank you Avast! mail scanner + a question
« Reply #3 on: February 21, 2014, 01:18:32 AM »
Unfortunately I don't know how the avast Mail Shield and SeaMonkey might interact. I can only go in previous email client experience when dealing with infected email, it tries to remove the attachment and mark the Subject/Title of the email with ***Virus***

So there is a possibility avast was unable to deal with the SeaMonkey email structure, but I have zero experience of it so I can't really say for sure on some of these questions.

It could be that SeaMonkey moved it to the Junk mail folder at or about the time avast would be trying to delete the attachment.

Was the email subject branded as I mentioned ?

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.12.6044 (build 22.12.7758.768) UI 1.0.741/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

cooby

  • Guest
Re: Thank you Avast! mail scanner + a question
« Reply #4 on: February 21, 2014, 11:34:50 PM »
Thanks again DavidR. Your hints are valuable to me even though you don't use SeaMonkey client.

I deleted the message it yesterday.
So I decided to recover from the yahoo trash folder (on their server) to my local inbox in SeaMonkey as an experiment. Today's alert did a bit different trojan id, perhaps due to new definitions, perhaps due to me participating in the avast's community, who knows.
Quote
2/21/2014 10:43:18 AM   Incoming email 'Barclays transaction notification #799654' From: "Barclays Bank " <reports@barclays.net>, To: <  several email addresses here  >|>Payment receipt Barclays PA77392733.zip#1654153047|>Payment receipt Barclays PA77392733.exe [L] Win32:Zbot-SQW [Trj] (0)
While moving file to chest, error occurred: The system cannot find the file specified
File was successfully deleted...

No, neither before, nor today is there any ***VIRUS*** flag on the subject/title (see picture), but when I open the message (no, I don't click the .zip file, don't worry), X-Antivirus lines are there - see picture.
Not sure if you're right that as SeaMonkey was moving it to junk, Avast couldn't get at it. Today I let it sit before sending to junk mail and the "error occured", and still, the "successfully deleted" is not correct. That may be Avast problem or, as you mentioned, SeaMonkey structure. Oh, well...

I wonder if Thunderbird-Avast pair would behave in a similar manner.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87288
  • No support PMs thanks
Re: Thank you Avast! mail scanner + a question
« Reply #5 on: February 21, 2014, 11:53:13 PM »
You're welcome.

Perhaps there is something in SeaMonkey that is preventing the avast branding on the Subject line, the same could be true about avast not being able to remove the attachment before SeaMonky sent it to the Junk Mail folder.

I haven't seen this in Thunderbird/avast, but then again I don't get infected emails (unless I let them in as a test) as I use MailWasher Pro an anti-spam program and if it doesn't mark them for deletion at server level, I flag those that the mk1 brain picks up. I also don't have the Thunderbird Spam function enabled because of my use of MailWasher Pro.

So I have seen some emails that have been branded ***Virus*** and the attachment removed. These test were some time ago now. The main account that I got most spam and these phishing/social networking emails I have stopped using, so I very rarely see them now.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.12.6044 (build 22.12.7758.768) UI 1.0.741/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

cooby

  • Guest
Re: Thank you Avast! mail scanner + a question
« Reply #6 on: February 22, 2014, 10:51:48 PM »
To see what would happen outbound, I tried forwarding this mail. It fails. It's defeated by two shields: mail shield for outbound mail, then the file shield when SeaMonkey was trying to save to the "Sent" folder a copy, as it normally does. On-screen SeaMonkey message was about not able to write to sent.msf.
Quote
2/22/2014 1:57:23 PM   C:\Documents and Settings\< myName >\Local Settings\Temp\nsemail.eml|>Fwd: Barclays transaction notification #799654.eml#1223398296|>Barclays transaction notification #799654.eml#2945062125|>Payment receipt Barclays PA77392733.zip#1654153047|>Payment receipt Barclays PA77392733.exe [L] Win32:Zbot-SQW [Trj] (0)
While moving file to chest, error occurred: The system cannot find the file specified
File was successfully deleted...
For a change, his time the log is accurate. The ...\temp\nsemail.eml file was deleted from \temp.

End of playing with fire and end of story from my end. I learned few things about how some of this works. Just sharing in case anyone is interested.

Good job Avast! And once again, thank you DavidR for your comments. Very helpful.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87288
  • No support PMs thanks
Re: Thank you Avast! mail scanner + a question
« Reply #7 on: February 22, 2014, 11:13:15 PM »
No problem, glad I could help, thanks for the further feedback.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.12.6044 (build 22.12.7758.768) UI 1.0.741/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security