Re: ClamXav Scan Report

2006-02-27 Thread Ronda Brown


On 27/02/2006, at 12:20 AM, Rob Davies wrote:



On 26Feb2006, at 8:02 pm, Ronda Brown wrote:



On 26/02/2006, at 7:23 PM, Robert Howells wrote:


Hi Ronni,

There have been a number of scam "Bank" emails recently!

ANZ
Sunwaymetcorp
Combank

asking for you to login and confirm your details.
Banks do NOT ask for you to confirm details.
These are scam emails with "phishing" addresses.


Hi Bob,

I never got this through an email. I'm well aware of the Bank Scam  
emails.

I would NEVER login & confirm my details from an email.

Cheers,
Ronni
Car'n The Pies


The fact that it is in Safari's cache does not suggest that it was  
acquired via a web address, but it is the link loading the relative  
information back to the hidden URL. All sources I have scoured  
about this Trojan suggest that it is usually delivered via email,  
and 100% Windows based. Many variants of it, i.e. the numbers at the end of  
the identifier, are specific to whatever bank it is trying to  
emulate. Also the main point here is that you have to activate the  
URL to pass on relevant information whilst using the relevant OS, hence  
the tag phishing: someone has to take the bait.


Just be sure in Safari and other browsers that the "open safe files  
after download" box is not selected. Also within the share/firewall/ 
advanced all these boxes are selected, making it that bit more  
difficult to track back to your machine. Whilst the logs, although  
basic, will give you a reference point of all things transgressing  
your firewall.


Would not hurt to activate ClamXav Folder Sentry on the Library  
folder of user for next few days and see if any more show up. I have  
had a few of these, but not on Mac. Mine have been caught via  
Firewall Box (IPcop) and programs that check email and most things  
passing through the open ports, things still do get through, damn  
Windows stuff definitely not OS X (Touch Wood). Although I do  
believe this stalemate will be abated by the Intel Macs coming  
online.


I do not believe you have been compromised, as James's wonderful  
inference suggested.


Cheers!
Rob...


A 'Huge' thank you to James, Rob, Nancy, Bob, I'm sorry Bob for  
doubting you :-( , Glenn & Peter for your excellent responses to my  
'Mini Freak-out'.

I really appreciate your help.

I do have all selected as Rob suggests and will activate ClamXav  
Folder Sentry on my Library Folder.
I also hope Rob you are correct & I have not been compromised.  
So far my money is still in my Bank (well, until I have to pay the  
Tax Man this month)?


Thanks again people.

Cheers,
Ronni
Car'n The Pies (at least the Pies had a Win yesterday)




Re: ClamXav Scan Report

2006-02-27 Thread Rob Davies


On 26Feb2006, at 8:02 pm, Ronda Brown wrote:



On 26/02/2006, at 7:23 PM, Robert Howells wrote:


Hi Ronni,

There have been a number of scam "Bank" emails recently!

ANZ
Sunwaymetcorp
Combank

asking for you to login and confirm your details.
Banks do NOT ask for you to confirm details.
These are scam emails with "phishing" addresses.


Hi Bob,

I never got this through an email. I'm well aware of the Bank Scam  
emails.

I would NEVER login & confirm my details from an email.

Cheers,
Ronni
Car'n The Pies


The fact that it is in Safari's cache does not suggest that it was  
acquired via a web address, but it is the link loading the relative  
information back to the hidden URL. All sources I have scoured about  
this Trojan suggest that it is usually delivered via email, and 100%  
Windows based. Many variants of it, i.e. the numbers at the end of the  
identifier, are specific to whatever bank it is trying to emulate.  
Also the main point here is that you have to activate the URL to pass  
on relevant information whilst using the relevant OS, hence the tag  
phishing: someone has to take the bait.


Just be sure in Safari and other browsers that the "open safe files  
after download" box is not selected. Also within the share/firewall/ 
advanced all these boxes are selected, making it that bit more  
difficult to track back to your machine. Whilst the logs, although  
basic, will give you a reference point of all things transgressing  
your firewall.


Would not hurt to activate ClamXav Folder Sentry on the Library  
folder of user for next few days and see if any more show up. I have  
had a few of these, but not on Mac. Mine have been caught via  
Firewall Box (IPcop) and programs that check email and most things  
passing through the open ports, things still do get through, damn  
Windows stuff definitely not OS X (Touch Wood). Although I do believe  
this stalemate will be abated by the Intel Macs coming online.


I do not believe you have been compromised, as James's wonderful  
inference suggested.


Cheers!
Rob...


Re: ClamXav Scan Report

2006-02-26 Thread Ronda Brown


On 26/02/2006, at 8:01 PM, James Devenish wrote:


To help find out where the offending files were downloaded from:

On 26/02/06, Ronda Brown <[EMAIL PROTECTED]> wrote:
You say "Examination of the cache files will reveal the source  
address".


For each cache file listed by ClamXav, you need to open it as a text
file (e.g., drag its icon onto TextEdit). Then, look for "http://"
URLs amongst all the gibberish at the top of the file.


Thanks James,

A pity I am unable to as I have well and truly Trashed the files.
If (& I hope not), I find another, I will do as you suggest.

The good news is My Bank Accounts have not been touched.

Cheers,
Ronni
Car'n The Pies




Re: ClamXav Scan Report

2006-02-26 Thread Ronda Brown


On 26/02/2006, at 7:23 PM, Robert Howells wrote:



On 26 Feb 2006, at 5:11 PM, Ronda Brown wrote:



On 26/02/2006, at 5:00 PM, James Devenish wrote:


Hi Ronni,

Hopefully someone else can give you a ClamXav-specific answer. I'd say
that you've visited a website that hosts this Trojan and that your
computer has downloaded it. Perhaps it arrived as part of an e-mail or
a website that you visited. I guess it got downloaded because the
website uses the Trojan as part of the web page, or because you
clicked on a link. Examination of the cache files will reveal the
source address. However, it's unlikely that you're "infected" as such
(or, at least, no more than your family is "infected with ice" simply
because there's ice sitting in your freezer at home).

HTML.Phishing.Bank-246


Thanks James,

You say "Examination of the cache files will reveal the source  
address".

I did 'Command i', but that didn't give me much information.
And, of course I have 'Secure Emptied the Trash' with these files  
in it.


Cheers,
Ronni


Hi Ronni,

There have been a number of scam "Bank" emails recently!

ANZ
Sunwaymetcorp
Combank

asking for you to login and confirm your details.
Banks do NOT ask for you to confirm details.
These are scam emails with "phishing" addresses.


Hi Bob,

I never got this through an email. I'm well aware of the Bank Scam  
emails.

I would NEVER login & confirm my details from an email.

Cheers,
Ronni
Car'n The Pies




Re: ClamXav Scan Report

2006-02-26 Thread James Devenish
To help find out where the offending files were downloaded from:

On 26/02/06, Ronda Brown <[EMAIL PROTECTED]> wrote:
> You say "Examination of the cache files will reveal the source address".

For each cache file listed by ClamXav, you need to open it as a text
file (e.g., drag its icon onto TextEdit). Then, look for "http://"
URLs amongst all the gibberish at the top of the file.


Re: ClamXav Scan Report

2006-02-26 Thread Robert Howells


On 26 Feb 2006, at 5:11 PM, Ronda Brown wrote:



On 26/02/2006, at 5:00 PM, James Devenish wrote:


Hi Ronni,

Hopefully someone else can give you a ClamXav-specific answer. I'd say
that you've visited a website that hosts this Trojan and that your
computer has downloaded it. Perhaps it arrived as part of an e-mail or
a website that you visited. I guess it got downloaded because the
website uses the Trojan as part of the web page, or because you
clicked on a link. Examination of the cache files will reveal the
source address. However, it's unlikely that you're "infected" as such
(or, at least, no more than your family is "infected with ice" simply
because there's ice sitting in your freezer at home).

HTML.Phishing.Bank-246


Thanks James,

You say "Examination of the cache files will reveal the source 
address".

I did 'Command i', but that didn't give me much information.
And, of course I have 'Secure Emptied the Trash' with these files in 
it.


Cheers,
Ronni


Hi Ronni,

There have been a number of scam "Bank" emails recently!

ANZ
Sunwaymetcorp
Combank

asking for you to login and confirm your details.
Banks do NOT ask for you to confirm details.
These are scam emails with "phishing" addresses.

If you do login the scammers record your login and password before they 
pass you on to the real bank.

No more bank funds left afterwards.

It seems ClamXav recognises the hidden address that takes you away from 
the expected address.


I had some and tracked them down and eliminated them individually from 
my Trash box.


Have fun

Bob



Re: ClamXav Scan Report

2006-02-26 Thread Peter Sealy


On 26/02/2006, at 7:48 PM, Ronda Brown wrote:


Hi WAMUGers,

I did a scan today using ClamXav 1.0.1 and ... yikes 2  
Infected Files.

I've never had this happen before.
From what I can find out about the HTML.Phishing.Bank-246 it's a
Trojan-Spy.HTML.Bankfraud.ht

Sounds very serious.
Has someone tried to get my Bank Account Details?

I have Trashed the Two Files !



Did you send notification and copies to the AUSCERT folk? They will  
be able to track this down and perhaps provide some info.





Peter Sealy
Thurgoona AUSTRALIA



Re: ClamXav Scan Report

2006-02-26 Thread Ronda Brown

Thanks Glenn,

I had Little Snitch installed at some time back. I deleted it as it  
caused a few problems.

I can't remember what or in what OS I was using at the time.
I will check it out again.

Are you using it in OSX10.4.5?
Thanks.

Ronni

On 26/02/2006, at 5:07 PM, Spin wrote:


Ronni,

Not sure about that particular virus, however a tool I use is  
Little Snitch.  It reports on outbound connection requests, the  
idea being if an application wants to send some data to an external  
site, you are told about it and get to approve/deny the request.
If a trojan did install, collect details and try to send off site,  
you might have a chance of detecting it with a tool like this and  
denying the outbound send.
It's a pity the default firewall config in OS X doesn't let you set  
up outbound permissions (I think it can be used this way if you  
know the ins and outs of firewall configuration).


Glenn.

On 26/02/2006, at 4:48 PM, Ronda Brown wrote:


Hi WAMUGers,

I did a scan today using ClamXav 1.0.1 and ... yikes 2  
Infected Files.

I've never had this happen before.
From what I can find out about the HTML.Phishing.Bank-246 it's a
Trojan-Spy.HTML.Bankfraud.ht


Sounds very serious.
Has someone tried to get my Bank Account Details?

I have Trashed the Two Files !
--

Scan started: Sun Feb 26 13:46:28 2006

/Users/ronni/Library/Caches/Safari/01/00/3729113369-3986401291.cache: HTML.Phishing.Bank-246 FOUND
/Users/ronni/Library/Caches/Safari/13/00/2171875289-3523061511.cache: HTML.Phishing.Bank-246 FOUND


-- summary --
Known viruses: 45420
Engine version: 0.86.2
Scanned directories: 5170
Scanned files: 25365
Infected files: 2
Data scanned: 19216.02 MB
Time: 9070.693 sec (151 m 10 s)
--


Thanks for any information as to How & Why this has happened on my  
G4 PowerBook OSX10.4.5.


Cheers,
Ronni
Car'n The Pies



-- The WA Macintosh User Group Mailing List --
Archives - 
Guidelines - 
Unsubscribe - 




Cheers,
Ronni
Car'n The Pies




Re: ClamXav Scan Report

2006-02-26 Thread Ronda Brown


On 26/02/2006, at 5:00 PM, James Devenish wrote:


Hi Ronni,

Hopefully someone else can give you a ClamXav-specific answer. I'd say
that you've visited a website that hosts this Trojan and that your
computer has downloaded it. Perhaps it arrived as part of an e-mail or
a website that you visited. I guess it got downloaded because the
website uses the Trojan as part of the web page, or because you
clicked on a link. Examination of the cache files will reveal the
source address. However, it's unlikely that you're "infected" as such
(or, at least, no more than your family is "infected with ice" simply
because there's ice sitting in your freezer at home).

HTML.Phishing.Bank-246


Thanks James,

You say "Examination of the cache files will reveal the source address".
I did 'Command i', but that didn't give me much information.
And, of course I have 'Secure Emptied the Trash' with these files in it.

Cheers,
Ronni
Car'n The Pies




Re: ClamXav Scan Report

2006-02-26 Thread Spin

Ronni,

Not sure about that particular virus, however a tool I use is Little  
Snitch.  It reports on outbound connection requests, the idea being  
if an application wants to send some data to an external site, you  
are told about it and get to approve/deny the request.
If a trojan did install, collect details and try to send off site,  
you might have a chance of detecting it with a tool like this and  
denying the outbound send.
It's a pity the default firewall config in OS X doesn't let you set up  
outbound permissions (I think it can be used this way if you know the  
ins and outs of firewall configuration).


Glenn.

On 26/02/2006, at 4:48 PM, Ronda Brown wrote:


Hi WAMUGers,

I did a scan today using ClamXav 1.0.1 and ... yikes 2  
Infected Files.

I've never had this happen before.
From what I can find out about the HTML.Phishing.Bank-246 it's a
Trojan-Spy.HTML.Bankfraud.ht

Sounds very serious.
Has someone tried to get my Bank Account Details?

I have Trashed the Two Files !
-- 


Scan started: Sun Feb 26 13:46:28 2006

/Users/ronni/Library/Caches/Safari/01/00/3729113369-3986401291.cache: HTML.Phishing.Bank-246 FOUND
/Users/ronni/Library/Caches/Safari/13/00/2171875289-3523061511.cache: HTML.Phishing.Bank-246 FOUND


-- summary --
Known viruses: 45420
Engine version: 0.86.2
Scanned directories: 5170
Scanned files: 25365
Infected files: 2
Data scanned: 19216.02 MB
Time: 9070.693 sec (151 m 10 s)
-- 



Thanks for any information as to How & Why this has happened on my  
G4 PowerBook OSX10.4.5.


Cheers,
Ronni
Car'n The Pies





Re: ClamXav Scan Report

2006-02-26 Thread Paul

Ronda Brown wrote:


Hi WAMUGers,

I did a scan today using ClamXav 1.0.1 and ... yikes 2  
Infected Files.

I've never had this happen before.
From what I can find out about the HTML.Phishing.Bank-246 it's a
Trojan-Spy.HTML.Bankfraud.ht

Sounds very serious.
Has someone tried to get my Bank Account Details?

I have Trashed the Two Files !
 
--

Scan started: Sun Feb 26 13:46:28 2006

/Users/ronni/Library/Caches/Safari/01/00/3729113369-3986401291.cache: HTML.Phishing.Bank-246 FOUND
/Users/ronni/Library/Caches/Safari/13/00/2171875289-3523061511.cache: HTML.Phishing.Bank-246 FOUND


-- summary --
Known viruses: 45420
Engine version: 0.86.2
Scanned directories: 5170
Scanned files: 25365
Infected files: 2
Data scanned: 19216.02 MB
Time: 9070.693 sec (151 m 10 s)
 
--


Thanks for any information as to How & Why this has happened on my G4  
PowerBook OSX10.4.5.


I got 4 of those, I believe they aren't too much to get worried about 
but I would be interested to hear comments from others more knowledgeable.



Cheers

Paul


Re: ClamXav Scan Report

2006-02-26 Thread James Devenish
Hi Ronni,

Hopefully someone else can give you a ClamXav-specific answer. I'd say
that you've visited a website that hosts this Trojan and that your
computer has downloaded it. Perhaps it arrived as part of an e-mail or
a website that you visited. I guess it got downloaded because the
website uses the Trojan as part of the web page, or because you
clicked on a link. Examination of the cache files will reveal the
source address. However, it's unlikely that you're "infected" as such
(or, at least, no more than your family is "infected with ice" simply
because there's ice sitting in your freezer at home).

HTML.Phishing.Bank-246


ClamXav Scan Report

2006-02-26 Thread Ronda Brown

Hi WAMUGers,

I did a scan today using ClamXav 1.0.1 and ... yikes 2  
Infected Files.

I've never had this happen before.
From what I can find out about the HTML.Phishing.Bank-246 it's a
Trojan-Spy.HTML.Bankfraud.ht

Sounds very serious.
Has someone tried to get my Bank Account Details?

I have Trashed the Two Files !
 
--

Scan started: Sun Feb 26 13:46:28 2006

/Users/ronni/Library/Caches/Safari/01/00/3729113369-3986401291.cache: HTML.Phishing.Bank-246 FOUND
/Users/ronni/Library/Caches/Safari/13/00/2171875289-3523061511.cache: HTML.Phishing.Bank-246 FOUND


-- summary --
Known viruses: 45420
Engine version: 0.86.2
Scanned directories: 5170
Scanned files: 25365
Infected files: 2
Data scanned: 19216.02 MB
Time: 9070.693 sec (151 m 10 s)
 
--


Thanks for any information as to How & Why this has happened on my G4  
PowerBook OSX10.4.5.


Cheers,
Ronni
Car'n The Pies
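As an added example (not code from this thread, from ClamXav or from ClamAV), the script below automates the two steps discussed above: it parses the `path: signature FOUND` lines of a ClamXav scan report like the one Ronni posted, then pulls any printable http:// URLs out of the raw bytes of each flagged Safari cache file, which is what James suggests doing by hand in TextEdit. The report text and the cache-file bytes are constructed samples, and the example.invalid host is a placeholder, so it runs offline.

```python
import re
from pathlib import Path
from typing import Callable, Dict, List

# Line shape ClamXav (clamscan) prints for each hit: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
# A run of printable ASCII starting with http:// or https://, embedded in binary data
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def parse_scan_report(report: str) -> Dict[str, str]:
    """Map each flagged file path in a ClamXav report to its signature name."""
    hits = {}
    for line in report.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits[m.group("path")] = m.group("sig")
    return hits


def extract_urls(data: bytes) -> List[str]:
    """Return the distinct URLs found in a cache file's bytes, in order of appearance."""
    seen: List[str] = []
    for m in URL_RE.finditer(data):
        # Trim HTML/quote characters that the greedy printable-run match drags along
        url = m.group(0).rstrip(b'"\'<>)').decode("ascii", "replace")
        if url not in seen:
            seen.append(url)
    return seen


def sources_for_report(report: str,
                       read: Callable[[str], bytes] = lambda p: Path(p).read_bytes()
                       ) -> Dict[str, List[str]]:
    """For every flagged file in the report, list the URLs embedded in it."""
    return {path: extract_urls(read(path)) for path in parse_scan_report(report)}


# Constructed sample report in the format quoted in the thread (not a real scan)
SAMPLE_REPORT = """Scan started: Sun Feb 26 13:46:28 2006

/Users/ronni/Library/Caches/Safari/01/00/3729113369-3986401291.cache: HTML.Phishing.Bank-246 FOUND

-- summary --
Infected files: 1
"""
# Constructed stand-in for a cache file: binary header bytes with the page URL embedded twice
SAMPLE_CACHE = (b"\x00\x01cfurl\x00\x10http://example.invalid/login/confirm.php\x00\xff"
                b"body\x00<a href=\"http://example.invalid/login/confirm.php\">")


def demo() -> Dict[str, List[str]]:
    """Run the pipeline on the constructed samples instead of touching the real disk."""
    return sources_for_report(SAMPLE_REPORT, read=lambda p: SAMPLE_CACHE)
```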