
Perhaps did I get a virus over the list?



Hi everybody,

Today I installed avast and the following happened:

1. I got a warning while scanning my .thunderbird/:

"Virus 'HTML:Banker-D [Trj]'" in the following files:

- ImapMail/mail.<passed-on-mail-address>/INBOX.sbd/Trash/PartNo_0#2351397450
- ImapMail/mail.<passed-on-mail-address>/INBOX.sbd/Trash
- ImapMail/mail.<passed-on-mail-address>/INBOX.sbd/ML-DebianWomen/PartNo_0#3121250411
- ImapMail/mail.<passed-on-mail-address>/INBOX.sbd/ML-DebianWomen/
- ImapMail/mail.<passed-on-mail-address>/INBOX.sbd/Drafts/PartNo_0#1871746401

I shifted the files into the chest folder of avast. The files have the
following size:

Trash/PartNo_0#2351397450 -> HTML:Banker-D [Trj] = 4,2MB
Trash -> HTML:Banker-D [Trj] = 4,2 MB
ML-DebianWomen/PartNo_0#3121250411 -> HTML:Banker-D [Trj] = 2,9MB
ML-DebianWomen -> HTML:Banker-D [Trj] = 2,9MB
Drafts/PartNo_0#1871746401 -> HTML:Banker-D [Trj] = 154,8MB !!

Now I have tried to find out, what kind of virus "Banker-D" is:

"Troj/Banker-D is a key logging Trojan which emails the gathered
information to an external email address.

The Trojan copies itself to the Windows folder ..."
From:
http://www.sophos.com/security/analyses/viruses-and-spyware/trojbankerd.html

"Infostealer.Banker.D is a Trojan horse that steals banking information
and opens a back door on the compromised computer."
From:
http://www.symantec.com/security_response/writeup.jsp?docid=2007-052710-0541-99


Now I examined the mailing-list archive and my e-mail/junk log file and
found out the following:

1. There are two spam-Mails on the list since November 2010, which have
something in common with "banking":

a) http://lists.debian.org/debian-women/2010/11/msg00005.html
b) http://lists.debian.org/debian-women/2011/02/msg00003.html

Both of them include a html-link.

b) includes the links as an attachment:
"Attachment: Update Your Account Information.html
Description: application/html"

And the target of the attachment-link is a binary file!!! (I interrupt
the URL with blanks): http:
//lists.debian.org/debian-women/2011/02/binPP79TIx7p7. bin

First I wondered about a possible interrelationship between the file in
the trash folder and the mailinglist and found out: I marked the mail in
msg00005.html as spam and put it in my trash folder!

Then I wondered about a possible interrelationship between the file of
the mailinglist and the file in my drafts folder (of course: I do not
write any mails at any time with an attachment of about 155MB!!!)

But when I realized "The Trojan copies itself to the Windows folder" and
if I consider that all attempts of the "poor" trojan to find a windows
folder on my computer were in vain, maybe the trojan leaves it instead in
my drafts folder?!

What do you think about that? I will report the mails as spam (did not
know before that it is possible over the html-mailingarchive ...)

Best regards,
Petra

