Virus question

[MSIC]

I just got an email from my wife, which plainly spam about a company. I think that it starting 'dear friend' didn't help
Anyway, it is a web-based email account (yahoo) which is never accessed via software such as outlook / thunderbird etc (and no such software even contains these account details). Only ever browser-based access.

My question is - does this indicate a virus on the laptop that she tends to use? This might sound like a dumb question, but I've never been on this position before. Her laptop is xp sp3, with ms security essentials av software, running firefox 3.6.

Thanks

[Blastuk]

Scan with Malwarebytes and change the email password would be the first step.

[MSIC]

Indeed - dont know why i didnt think about it having been hacked plain & simple - upon checking, she was using a dictionary-based password
That's now changed.
Upon reflection, i'm doubting any viral activity.

[badass]

Please bare in mind that SMTP - the protocol used to send email makes no attempt to authenticate the sender so spoofing the sender of an email is trivially easy. * Most email based worms do it. They infect someones PC, go through their address book and then when they send emails, forge the sender to be someone in the persons address book and send the email to another user in the address book.
Whilst it's possible that your wife's email account or computer may have been compromised and that may be why you got the email, it's unlikely that is why you got the email proporting to be from her. It's probably someone she knows is infected.


* It really is. I could show an average windows user how to do it in about 5 minutes.

[g8ina]

agreeing with badass, it may just be someone else in her own email address book thats infected. This is my own experience anyway.

[watercooled]

As above, check for viruses but don't be paranoid if you don't find anything. Spoofing a from address is very easy so you can't rely on them to prove who sent an email. You could check the routing information in the message header and compare it to an email actually sent through the account, you'll probably see a few suspicious domains. Also lots of email software including webmail can detect (or at least make a decent guess) if the header looks genuine, were there no spoof warnings on the software?

[ChaosSystem]

When you suspect a hacked account and you change the password, check the account information page as you can add alternative contact email addresses and I've seen hacked accounts that have other back door email addresses added.

Indeed - dont know why i didnt think about it having been hacked plain & simple - upon checking, she was using a dictionary-based password
That's now changed.
Upon reflection, i'm doubting any viral activity.

[winstonterr]

Hi,
I've used avast to get rid of most of the virus but some of the things it's deleted were system32 files that were critical to logging in and to the computer.I'm planning on reformatting my computer as soon as I get the disk.I'm running Puppy Linux right now and it says that there is a network connection but when I try going to a web page it doesn't let me.Any suggestions on what I can do to bypass this virus and be able to access the Internet.

[Lucio]

Hi,
I've used avast to get rid of most of the virus but some of the things it's deleted were system32 files that were critical to logging in and to the computer.I'm planning on reformatting my computer as soon as I get the disk.I'm running Puppy Linux right now and it says that there is a network connection but when I try going to a web page it doesn't let me.Any suggestions on what I can do to bypass this virus and be able to access the Internet.

Check the HOSTS file (usually in System32\drivers\etc), the only entry you should usually have in there is 127.0.0.1 localhosts, the virus may have added :::


To edit it, copy it out of the folder, open it up with Notepad, remove the offending line and then save it and copy it back.

[razer121]

Check the HOSTS file (usually in System32\drivers\etc), the only entry you should usually have in there is 127.0.0.1 localhosts, the virus may have added :::


To edit it, copy it out of the folder, open it up with Notepad, remove the offending line and then save it and copy it back.

Just thought i would churn in here, i just so happen to have a added extra line which is ":::1"
but my virus software finds nothing? is there anything else that can cause this?

[peterb]

::1 is the ipv6 localhost address so it can be safely left in place.

My own hosts file (from a linux system)

Code:

192.168.1.3     peter.localdomain  peter   # Added by NetworkManager
127.0.0.1       localhost.localdomain   localhost
::1     peter.localdomain  peter   localhost6.localdomain6 localhost6
192.168.1.9     webserver2.localdomain
192.168.1.2    other

I don't run a DNS server so I just code the local domain names into the hosts file (non of those domains are public btw! ) I have highlighted the IPv6 entry (although I am not running an IPv6 based network.)

[fedor]

don't know about yahoo, but gmail have very good antispam / antivirus filter.

[razer121]

don't know about yahoo, but gmail have very good antispam / antivirus filter.

Agreed, since moving over to Gmail i've only had the odd spam mail every now and then.