[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Perhaps did I get a virus over the list?

Hi everybody,

Today I installed avast and the following happened:

1. I got a warning while scanning my .thunderbird/:

"Virus 'HTML:Banker-D [Trj]" in following files:

- ImapMail/mail.<passed-on-mail-address>/INBOX.sbd/Trash/PartNo_0#2351397450
- ImapMail/mail.<passed-on-mail-address>/INBOX.sbd/Trash
-  ImapMail/mail.<passed-on-mail-address>/INBOX.sbd/ML-DebianWomen/

I shifted the files into the chest folder of avast. The files have the
following size:

Trash/PartNo_0#2351397450 -> HTML:Banker-D [Trj] = 4,2MB
Trash -> HTML:Banker-D [Trj] = 4,2 MB
ML-DebianWomen/PartNo_0#3121250411 -> HTML:Banker-D [Trj] = 2,9MB
ML-DebianWomen	-> HTML:Banker-D [Trj] =  2,9MB
Drafts/PartNo_0#1871746401 -> HTML:Banker-D [Trj] = 154,8MB !!

Now I have tried to find out, what kind of virus "Banker-D" is:

"Troj/Banker-D is a key logging Trojan which emails the gathered
information to an external email address.

The Trojan copies itself to the Windows folder ..."

"nfostealer.Banker.D is a Trojan horse that steals banking information
and opens a back door on the compromised computer. "

Now I examined the mailing-list archive and my e-mail/junk log file and
found out the following:

1. There are two spam-Mails on the list since November 2010, which have
something in common with "banking":

a) http://lists.debian.org/debian-women/2010/11/msg00005.html
b) http://lists.debian.org/debian-women/2011/02/msg00003.html

Both of them include a html-link.

b) includes the links as an attachment:
"Attachment: Update Your Account Information.html
Description: application/html"

And the target of the attachment-link is a binry file!!! (I interrupt
the URL with blanks): http:
//lists.debian.org/debian-women/2011/02/binPP79TIx7p7. bin

First I wondered about a possible interrelationship between the file in
the trash folder and the mailinglist and found out: I marked the mail in
msg00005.html as spam and put it in my trash folder!

Then I wondered about a possible interrelationship betrween the file  of
the mailinglist and the file in my drafts folder (of course: I do not
write any mailes at any time with an attachement of about 155MB!!!

But when I realized "The Trojan copies itself to the Windows folder" and
if I consider that all attempts of "poor" trojan to find a windows
folder on my computer were in vain, maybe the trojan leave it instead in
my drafts folder?!

What do you think about that? I will report the mails as spam (did not
know before that it ist possible over the html-mailingarchive ...

Best regards,

Reply to: