
Thunderbird is Spamming?



#1 coffeemetalcode


Posted 06 November 2008 - 10:50 AM

Hello.

My ISP sent a message today informing me that my email client (Thunderbird) was sending spam and that I should check for viruses and manually change the port that it uses to send mail. I changed the port to the one recommended by the ISP and ran a check using ClamTK virus scanner. I'm using Ubuntu Studio 8.04 with Thunderbird for email and Firefox for browsing.

The virus check turned up something it called "Trojan.Agent-59561" and quarantined my Inbox and Sent folders. It doesn't list in any detail which file is the offending file. I'd like to isolate the exact files causing the problem so that I don't lose all my messages in my Inbox and Sent folders.

It may be worth noting that the Thunderbird profiles folder was transferred from a Windows XP machine about 8 months ago and just dropped in to the appropriate place in Ubuntu. I don't know if this is something that was picked up while on Windows or if it's more recent. A partial copy of the ClamTK log is pasted below.

How can I save my Inbox/Sent folders and still get rid of this trojan?

Thanks,
Dave

Found 6 possible viruses (22908 files scanned).
/home/david/.mozilla-thunderbird/...    Files number limit exceeded
/home/david/.mozilla-thunderbird/...    Trojan.Agent-59561
/home/david/.mozilla-thunderbird/...    Trojan.Agent-59561
/home/david/.mozilla-thunderbird/...
/home/david/linksys/manual.pdf    Files number limit exceeded
/home/david/Powhatan_Softball_Ass...    Files number limit exceeded


#2 tallin


Posted 06 November 2008 - 02:01 PM

Hello notesetter,

You can back up your Thunderbird email here.

I would post a HJT log after you do the above as I see you have already done so some time ago, and perhaps as you have changed your system markedly, another one would suffice to make sure you have no Malware aboard.

Post back in this forum if you need more assistance, otherwise post your HJT log in the correct forum as before... thanks

Best regards,

#3 Doug


Posted 07 November 2008 - 08:10 AM

Hi notesetter,

While Linux users generally breathe easier and sleep well believing that their machines are safe from infections, there really is an assortment of Malware infections to which Linux is vulnerable. But the Linux user would generally have to deliberately allow an executable to run, in order for their own machine to be damaged. Unfortunately, this "can" happen.

More often the Linux user, while not vulnerable locally on their own machine, may receive infected email and pass that infection along to other Windows machines in their Network or to remote machines via email.

This second circumstance may be what your ISP is complaining about.

I've started a consultation with the Malware Team about your situation.
One of the Malware Specialists will come visit you here in this thread and probably be able to direct you to the correct procedures to post your problem into the Malware Removal forum for expert attention.

Best Regards,
Doug
The help you receive here is free.
If you wish, you may Donate to help keep us online.

#4 coffeemetalcode


Posted 07 November 2008 - 09:33 AM

Thanks, Doug.

I've cleaned out my inbox and scanned just the files that Thunderbird uses to store messages (the files that were earlier found to have been infected) and the scan now comes back clean. I think ClamTK was flagging my mailbox files on account of individual spam messages that I'd received but not yet deleted which had potentially contained viruses.

Occasionally, I receive a delivery failure message that something I sent to an address that I don't know cannot be delivered. The subject line of the failed message always resembles a spam message that I received earlier and then junked. I do leave messages on my ISP's server for a specified period of time as a backup. Is it possible that the virus is actually on my ISP's server and spamming people not from my computer, but from my account on their server?

Thanks again,
Dave
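One way to do the per-message isolation asked about in this thread, as an added example that is not part of any post here: Thunderbird keeps each folder as a single mbox file, so the sketch copies that file message by message into a clean and a flagged mailbox, based on the exit status of ClamAV's `clamscan` for each message. The function names, output file names and the constructed sample mailbox in the demo are assumptions of this example.

```python
import mailbox, os, subprocess, tempfile

def clamscan_flags(raw: bytes) -> bool:
    """Scan one message with clamscan; exit status 1 means a signature matched."""
    with tempfile.NamedTemporaryFile(suffix=".eml", delete=False) as tmp:
        tmp.write(raw)
    try:
        proc = subprocess.run(["clamscan", "--no-summary", tmp.name],
                              capture_output=True)
        if proc.returncode not in (0, 1):  # 2 = scanner error, do not treat as clean
            raise RuntimeError(proc.stderr.decode(errors="replace"))
        return proc.returncode == 1
    finally:
        os.unlink(tmp.name)

def split_mbox(src, clean_path, flagged_path, is_flagged=clamscan_flags):
    """Copy each message of src into clean_path or flagged_path (src is only read).
    Returns (index, From, Subject) for every flagged message."""
    report = []
    inbox = mailbox.mbox(src, create=False)
    clean, flagged = mailbox.mbox(clean_path), mailbox.mbox(flagged_path)
    try:
        for index, key in enumerate(inbox.iterkeys()):
            msg = inbox.get_message(key)
            if is_flagged(inbox.get_bytes(key)):
                flagged.add(msg)
                report.append((index, str(msg.get("From", "")), str(msg.get("Subject", ""))))
            else:
                clean.add(msg)
    finally:
        for box in (inbox, clean, flagged):
            box.close()  # close() flushes pending writes
    return report

if __name__ == "__main__":
    # Constructed sample mailbox and a stand-in scanner so the demo runs without ClamAV.
    work = tempfile.mkdtemp()
    src = os.path.join(work, "Inbox")
    box = mailbox.mbox(src)
    for subject, body in [("lunch", "see you at noon"), ("your keys", "CONSTRUCTED-MARKER")]:
        m = mailbox.mboxMessage()
        m["From"], m["Subject"] = "sender@example.com", subject
        m.set_payload(body)
        box.add(m)
    box.close()
    hits = split_mbox(src, src + ".clean", src + ".flagged",
                      is_flagged=lambda raw: b"CONSTRUCTED-MARKER" in raw)
    print(hits)
```

Run it against a copy of the mailbox file with Thunderbird closed. Thunderbird leaves deleted messages in the file until the folder is compacted, so a flagged entry may be a message that was already deleted in the client.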

#5 jpshortstuff


Posted 07 November 2008 - 10:26 AM

Hi notesetter,

Just checking - did you manage to recover the files that ClamAV quarantined that you believed to be legit?

I would hope that now you've cleared out your Inbox things would be ok, especially if ClamAV is now reporting no infected files. It may be worth deleting any Spam/Junk that you do get more permanently in future. Also, if you receive another message like this from your ISP it may be worth contacting them and asking them if they can provide more information about which emails were infected.

Good luck.

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.


#6 Doug


Posted 07 November 2008 - 11:18 AM

Sure, the suspected infected file(s) could also be resident on your ISP's server... that is possibly if you have selected to "leave a copy on the server" in your email client. But they would not be "executing a send" from your account. You would be the one to do so, whether knowingly or not from your local machine when you log in with username and password, and it would have to be a file that you have already downloaded to your machine. (Perhaps as an email attachment)

As jpshortstuff suggests, clear out your browser cache and delete junk email regularly.

I am aware that some additional research may be in progress, so check back. Keep us updated with your progress, since others will be able to learn from your experience and solution.

Best Regards

#7 Jacee


Posted 07 November 2008 - 11:53 AM

Kaspersky recognizes "Trojan.Agent-59561", but doesn't give any details on it. Did you open a spam/phishing email that contained words to the effect: "There are the keys to recover your personal account"?

Look for The_Keys.doc.exe and delete it.

MS MVP-Security 2006~2016


#8 coffeemetalcode


Posted 07 November 2008 - 02:04 PM

Thanks, everyone, for your time and thoughtful explanations and advice.

I've done a radical clean of all of my mail folders and subsequent scans have turned up nothing suspicious. I'm led to conclude that the machine is virus free.

> Kaspersky recognizes "Trojan.Agent-59561"


Jacee, I've searched for that file and variations on its name and have not found anything like it. These emails come through the junk filters from time to time, but I always just junk them. I don't follow any links contained in emails unless I know who they come from.

> As jpshortstuff suggests, clear out your browser cache and delete junk email regularly.


Doug and jpshortstuff, I set my browser and mail client to delete just about everything every time the programs are closed. I think I just had a few emails in my inbox and other folders that I had failed to weed out.

Again, thanks to everyone for the helpful advice.

Dave
