VBS:LoveLetter detected.

[WDGC]

I'm somewhat mystified by an Avast warning box which has just opened. This box, which is titled "A Virus Was Found!" contains the following details:

---
File name: http://mail.google.com/mail/?&ik=436b3969a6&view=tl&search=inbox&start=0&tlt=1099f88085d&fp=7da6199c348a02e3&auto=1&zx=chagig-um5vaf\unp112666111

Malware name: VBS:LoveLetter
Malware type: Virus/Worm
VPS version: 0608-1, 23/02/2006

---

I haven't received an e-mail message and the above URL leads to a Google page with the following message:

---
Your Google Mail account has been signed out.

Google Mail automatically signs you out of your account when it detects that you've logged out from another browser window, or when you sign in to another Google Mail account from another browser window. This is done to protect your Google Mail account, and to ensure the privacy of your information.

Sign in again
---

My installation is version 4.6 Home Edition, build: Feb 2006 (4.6.763) and I only have Web Shield running

I hope someone can offer an explanation of this "A Virus Was Found!" box message.

[mauserme]

Hi WDGC

If you weren't retrieving email then the only thing I can think of is you might have Outlook set to automatically check for new mail.  Assuming you terminated the connection when you got the warning nothing would not have downloaded so you wouldn't necessarily be aware you had email.  The terminated connection might also explain why you got logged out.

Just a thought.

[alanrf]

The warning message would suggest that you were scanning GMail via the web interface and that a virus signature was detected in one of the web screens, especially since this is a VBScript virus which may have appeared in clear text rather than in an encoded attachment.   

This may possibly have been a false detection, GMail instituted virus scanning of attachments at the end of 2005.  Is it possible you were downloading a GMail attachment?   

Attemtping to use a URL to go back to a terminated GMail session is likely to give the response you are seeing (ie you are not going to the URL but being refused because the session is no longer active).

It is unlikely that your system has been put at risk (you would need to download the VBScript and execute it for that to happen), but there is the possibility that an infected email is still sitting in your GMail message store - if you encounter it again via the web interface it should be deleted.

Outlook does not access GMail via http - so I think it unlikely in the extreme that a URL would be reported in connection with it.   

[WDGC]

mauserme and alanrf,  thank you for your replies.

I didn't terminate the connection and I wasn't logged out of the Google e-mail account I had open. Where the URL came from and why is a mystery to me, and to further the mystery, I haven't got Outlook and don't use an e-mail client. Nor was I downloading a GMail attachment, or anything else - in fact, at the time the system was only idling with me sitting in front of the monitor talking to a visitor.   

Although I didn't receive an e-mail message -  so nothing was downloaded - I have still run full system scans with Avast and ewido;  nothing detected.

I think it almost certainly is a false detection, so I suppose it is merely academic, but I would still like an explanation.

[alanrf]

Are you a user of Gmail?  If so, were you logged on to your Gmail web interface while you were talking with your visitor?

[WDGC]

Yes. From my last post, "and I wasn't logged out of the Google e-mail account I had open.".

[alanrf]

I rather suspect that merely accessing a URL related to your GMail account from another browser window is likely to trip Google's security sensors and terminate your perfectly good session.  In other words simply investigating the error report from avast would be enough.

However, that does not answer the more fundamental question, why, if your Gmail session was not being actively used would avast report a problem with a page being accessed? Browsers do perform refreshes but that should just be an update of an existing screen and not bring you a new page with a (possible) virus in it.   I admit I do not have an answer - perhaps other minds will.

[WDGC]

I rather suspect that merely accessing a URL related to your GMail account from another browser window is likely to trip Google's security sensors and terminate your perfectly good session.  In other words simply investigating the error report from avast would be enough.

When I went to the URL from the Avast "A Virus Was Found!" box, I wasn't logged out, even though the message on the page - see OP - gave such as the reason.

However, be that as it may;   I am more interested in that  most appropriately stated by you: "However, that does not answer the more fundamental question, why, if your Gmail session was not being actively used would avast report a problem with a page being accessed?".

[mauserme]

Riker opened a thread about a a similar gmail problem last year:

http://forum.avast.com/index.php?topic=12426.0

That thread died quickly so I've pm'd him asking him to join this thread if he ever figured anything out or heard from gmail support.

[liljoe]

glad to hear someone else had a false positive too. a friend, 2 days ago,  was awoken @ 5:30 by her laptop screaming "DANGER, DANGER!!" 
she sent her log to me, only thing in it was under the caution tab:
Sign of "VBS:LoveLetter" has been found in "http://mail.google.com/mail/?&ik=e272776e73&view=tl&search=inbox&start=0&tlt=1099673b4c5&fp=6c14a1cec8ce9123&auto=1&zx=fdcma9-uktd28\unp147331982" file.
had her run a kasperky scan & nortons removal tool, no results. i never asked if she had firefox open, or if she has gmails notifier (atomfeed right?). this will be REALLY annoying if this happens to every client i set up w/ gmail and avast, REEEEEEALLY annoying... 
anyone have anything definative? would be much appreciated.
-joe

[WDGC]

That thread died quickly so I've pm'd him asking him to join this thread if he ever figured anything out or heard from gmail support.

Thank you, all helps to possibly getting an explanation.

[mauserme]

No problem.  I'm as curious about this as you are.

[Riker]

Riker opened a thread about a a similar gmail problem last year:

http://forum.avast.com/index.php?topic=12426.0

That thread died quickly so I've pm'd him asking him to join this thread if he ever figured anything out or heard from gmail support.

No :-) no response from the Support. But the Problem never happend again.

[WDGC]

I have again received an "A Virus Was Found!" box message, for all intents and purposes the same as that reported previously, only a slightly different file name and different VPS version:

---
File name: http://mail.google.com/mail/?&ik=436b3969a6&view=tl&search=inbox&start=0&tlt=109d4f44d3e&fp=2bf33eca4ca8e516&auto=1&zx=4q3r0i-9r3857\unp246146967

Malware name: VBS:LoveLetter
Malware type: Virus/Worm
VPS version: 0610-0, 06/03/2006
---

All other details are also as reported previously. Whilst I think it extremely unlikely this warning is anything other than a false positive, it is still somewhat disconcerting to receive them.

Possibly something as to the cause of this problem is now known?

[CharleyO]

***

When this happens again, would you mind taking a screen shot of the warning and posting it in this thread?

Thanks!   


***