Author Topic: Persistent Threat Warning  (Read 3266 times)

0 Members and 1 Guest are viewing this topic.

REDACTED

  • Guest
Persistent Threat Warning
« on: November 01, 2017, 09:18:43 PM »
1) It is not my iMAC. It's my sister's that is running latest version of Avast. She is NOT computer savvy.

2) For the last few months, Avast has been reporting a threat which is just that...reported. Not cleaned, destroyed or put in the virus vault. Or, whatever Avast is suppose to do with it.

3) Threat information Avast reports in a popup:

Infection: JSiLockyDownLoader [Trj]
Subject: Invoice, Ref. 91041297
From: Ginger McKermon<mckernonGinger94104@malmstrup.com
File: Invoice_ref-91041297.zip/invoice_copy_qlzhLc.js
Process: /Application/Mail.app/Contents/MacOS/Mail

I'm guessing it is something through one of her hundreds of emails not identified. It looks like a zip file that would be uncompressed and install something to her OS mail program. I've told her under no circumstances should she try to open this file should she find it on her computer or in an email.

4) She can close the popup, but it appears later on since it's Avast's popup. It has popped up several times since I was last at her house a few weeks ago working on her printer.

5) My sister has no idea who Ginger McKermon is. Nor does she recognize the email address.

6) If I got the computer stats right (I'm a Windows guy), it is:

iMAX 8.1 (Early 2008) | OS X Version 10.68

7)       a) Anyone know what Avast is tying to say?
          b)How can this be stopped?
          c) Is there a way to find out more information about what this is Avast is reporting?

Any positive help would be appreciated.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
Re: Persistent Threat Warning
« Reply #1 on: November 02, 2017, 10:17:08 AM »
Quote
Infection: JSiLockyDownLoader [Trj]
Subject: Invoice, Ref. 91041297
From: Ginger McKermon<mckernonGinger94104@malmstrup.com
File: Invoice_ref-91041297.zip/invoice_copy_qlzhLc.js
Process: /Application/Mail.app/Contents/MacOS/Mail
access mail account from webmail and delete detected mail ... you may mark it as spam before deleting




REDACTED

  • Guest
Re: Persistent Threat Warning
« Reply #2 on: November 03, 2017, 12:44:07 AM »
If email could be found, I would have shredded it long ago. It is NOT spam. The email looks like it contains a zip file and a JavaScript file which I would think is much worse than spam. Besides, it is being reported every few days and my sister's Avast is not set to run a scan that frequently.

Thanks for trying to help.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
Re: Persistent Threat Warning
« Reply #3 on: November 03, 2017, 07:29:39 AM »
Quote
It is NOT spam. The email looks like it contains a zip file and a JavaScript file which I would think is much worse than spam.
I think you missunderstand the definition of spam .....

https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-with-spam-campaign-pushing-diablo6-variant/


Quote
Besides, it is being reported every few days and my sister's Avast is not set to run a scan that frequently.
Most likely evrytime the mail app try to sync with the mail account.
So access account from webmail and search for   Ginger McKermon

If still a problem, i think i would try uninstall/reinstall the mail app
there may be some sync problem, cache to clear .....







« Last Edit: November 03, 2017, 08:16:27 AM by Pondus »

REDACTED

  • Guest
Re: Persistent Threat Warning
« Reply #4 on: November 04, 2017, 06:55:59 PM »
No, I do not misunderstand the definition of spam. I think you are mixing spam with any virus/phising or other malware that may used or riding within a spam message. Spam is spam whether it is used by others for nefarious means.

Once her emails are downloaded they are not synced anymore. Especially since she has Chrome always opened to her gmail account online and does not download her email using any email program.

I was just hoping someone would have a definitive answer as to what Avast is actually reporting. Not so much as how to track it down. There was a malmstrup.com.

When my sister picks me up again to install RAM in her iMAC, I'll take a more in depth look provided we have the time.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
Re: Persistent Threat Warning
« Reply #5 on: November 04, 2017, 08:48:01 PM »
Quote
Spam is spam whether it is used by others for nefarious means.
Exactely what i have been trying to say, any unwanted mail is spam
And there is usually only one button to use if you want to report it, SPAM or Unwanted mail. Anyway case closed on this

Quote
Once her emails are downloaded they are not synced anymore. Especially since she has Chrome always opened to her gmail account online and does not download her email using any email program.
if you look at the info you posted from the avast message, there is a line that say

Process: /Application/Mail.app/Contents/MacOS/Mail


Did she previous use the mail app?
Is it still innstalled? ... try uninstall


« Last Edit: November 04, 2017, 08:51:46 PM by Pondus »

REDACTED

  • Guest
Re: Persistent Threat Warning
« Reply #6 on: November 05, 2017, 03:20:14 PM »
Yes, I have looked at "Process: /Application/Mail.app/Contents/MacOS/Mail
" and understand fully what it is saying. Even so, it's not really what I am asking. At any rate, I'll keep searching and take care of it since the actual threat report to Advast has not been answered.

I will not be replying to any more posts here.

Offline lukas.hasik

  • Avast team
  • Advanced Poster
  • *
  • Posts: 929
  • Product manager of Avast Security for Windows
Re: Persistent Threat Warning
« Reply #7 on: November 07, 2017, 11:41:46 AM »
@email.majorpayne - it looks like you get in an indefinite loop of threat detection of malicious email. We hope that we've fixed in new product update - https://forum.avast.com/index.php?topic=210570.0 You can reinstall to fix immediately, or wait for automatic update.

Why it's happening? There is an email with malicious content/attachment, it gets downloaded by your mail client however the Avast's shields caught it. And "delete" locally. But then the mail client synchronises emails downloaded locally and emails on server. And it gets downloaded again.

Quality is also a feature.