
Virus alert when clicking on "View entire message"


MyNameHere


Hi folks.

This is a first for me.

Apparently, I received a spam message that included some kind of known HTML "virus." This is the message from my AV program:

When accessing data from the URL, "http://mailsc.spamcop.net/sc?id=<id_removed>&action=display"

a virus or unwanted program 'HTML/Redirect.FQ' [virus] was found.

Action taken: Blocked file

I sent the report without looking at the full contents of the message, then later looked at the report and found that there appeared to be something in a base64 section. When I ran it through the Base64 decoder, the AV program gave the same message.

Anyone seen anything like this before?


...Anyone seen anything like this before?
Never an HTML/JavaScript virus (the occasional "web bug" ages ago, that's about all) - but a salutary reminder never to open spam e-mails, especially not to open them in HTML. Nine times out of ten, judging by experiences with virus attachments, any given AV will fail to detect the latest nasty contained. Details of this class of malevolence are shown at http://www.microsoft.com/security/portal/t...S%2FIframeRef.I (and note the "Prevention" measures).

IIUC, the way it functions is to redirect your browser to a malicious website which attempts to drop a malware downloader onto your system and that in turn tries to subvert your system into downloading and installing further malware. Since you didn't open the message it didn't even get the chance to try the re-direction trick and even if it had, it sounds like your Avira AV would have been on top of it - also your browser settings, firewall and/or restricted user privileges may well have blocked any exploit attempt, not to mention that Avira and others are working all the time to get the malicious redirection sites taken down as soon as they pop up.

But, not everyone will be as cautious and the HTML virus signatures/heuristics may not always be sufficiently up to date and the malicious redirector sites presumably do considerable work before they are discovered and taken down or blocked.

Thanks for the "heads up" - makes it all immediate, as opposed to theoretical.


Thanks, Farelf.

After reading the description, I really don't think it would have been able to do anything when simply displaying the message source. I don't know whether it is tricky enough to trigger an automatic action when viewed in webmail, but I also doubt that.

In any case, I generally don't open spam and, when I do, it's only in the webmail interface, so there shouldn't be any scripts to execute.

I guess the AV is super-sensitive and doesn't care (or isn't able to tell) that only the message source is being displayed.


...

In any case, I generally don't open spam and, when I do, it's only in the webmail interface, so there shouldn't be any scripts to execute.

I guess the AV is super-sensitive and doesn't care (or isn't able to tell) that only the message source is being displayed.

You should/would have to be fine (but probably ran a system scan or two anyway? - doesn't hurt, apart from giving your hard-drive a bit of a workout). Don't know the interface you are using but as long as you confine your viewing to the "message source" (all text) you should be OK. It is generally recommended that you have any "preview pane" capability turned off (though there might be a level of protection built into that, it is not proof against everything that could be triggered).

But yeah - always a bit of a shock when you get a virus alert. Those AVs like to make a bit of a song-and-dance routine out of it when they detect something, just proving they're doing their job. No knowing how many they don't detect. Fortunately your habits are safe so it really doesn't matter if potential infections were undetected.

Many (maybe most?) AVs would react to the text/Base64 renditions of malware executables since they don't actually open/trigger the stuff to "read" it and are generally smart enough to deal with encoding. If you have "real-time" protection enabled you should see warnings (and/or maybe have removal action triggered) whenever you open a text rendition - if your AV definitions/heuristics include the nastiness in question. Doesn't mean there was an infection risk from your actions.

Again, talking of experience with malware attachments which are a somewhat different thing (they skip the "middleman" of the malicious redirect site), it is amazing how few AVs recognize the things when they are first received (using the analysis batteries of multiple different AVs at services like VirusTotal). But that's the niche for that sort of exploit, always changing their signatures in an attempt to evade detection. VirusTotal is where you might see that the same AVs that detect a virus executable or source file will generally detect it also in a text file of the Base64 code as extracted from the "view source" e-mail rendition.

The other interesting thing to be gleaned from VT is that no single AV is superior/successful in "early days" detection. Thus the importance of safe habits in dealing with e-mail (and browsing). And the risk imposed by "social engineering" in attempting to circumvent such cautious habits.

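As an added example (not from the thread, nor from Avira or SpamCop), here is a small Python scanner that does what the post above describes: it undoes the base64 transfer encoding of each MIME part, which is what the raw "message source" hides, and then looks for the HTML redirect constructs an AV signature like HTML/Redirect would target. The sample message, the pattern set and the host example.invalid are constructed for the example.

```python
"""Decode a raw e-mail's MIME parts and flag HTML redirect constructs.
Added example; the sample message and example.invalid are constructed."""
import base64
import re
from email import message_from_bytes

# Constructs that commonly implement a browser redirect in an HTML body.
REDIRECT_PATTERNS = {
    "meta-refresh": re.compile(rb"<meta[^>]+http-equiv\s*=\s*['\"]?refresh", re.I),
    "script-location": re.compile(rb"(window\.|document\.)?location(\.href)?\s*=", re.I),
    "hidden-iframe": re.compile(rb"<iframe[^>]*(width|height)\s*=\s*['\"]?0\b", re.I),
}

def decoded_parts(raw: bytes):
    """Yield (content_type, transfer_encoding, decoded_body) for each leaf part.
    get_payload(decode=True) reverses base64/quoted-printable, so the scanner
    sees the same bytes a browser would render, not the encoded text."""
    msg = message_from_bytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        yield (part.get_content_type(),
               (part.get("Content-Transfer-Encoding") or "7bit").lower(),
               part.get_payload(decode=True) or b"")

def find_redirects(raw: bytes) -> list:
    """Return (content_type, pattern_name) for every redirect construct found
    in text parts; an empty list means nothing matched."""
    hits = []
    for ctype, _enc, body in decoded_parts(raw):
        if ctype not in ("text/html", "text/plain"):
            continue
        for name, pattern in REDIRECT_PATTERNS.items():
            if pattern.search(body):
                hits.append((ctype, name))
    return hits

# Constructed sample: a single base64-encoded HTML part carrying a meta refresh.
_HTML = (b'<html><head><meta http-equiv="refresh" '
         b'content="0;url=http://example.invalid/"></head></html>')
SAMPLE_MESSAGE = (
    b"From: sender@example.invalid\r\nTo: you@example.invalid\r\n"
    b"Subject: test\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.encodebytes(_HTML)
)

if __name__ == "__main__":
    for ctype, name in find_redirects(SAMPLE_MESSAGE):
        print(f"{ctype}: {name}")  # text/html: meta-refresh
```

Because the check runs on the decoded body, the same hit appears whether the part is base64, quoted-printable or plain 7bit, which is the behaviour the post attributes to AV engines.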

Archived

This topic is now archived and is closed to further replies.
