Hi everybody,

Today I installed avast and the following happened:

1. I got a warning while scanning my .thunderbird/: "Virus 'HTML:Banker-D [Trj]'" in the following files:

- ImapMail/mail.<passed-on-mail-address>/INBOX.sbd/Trash/PartNo_0#2351397450
- ImapMail/mail.<passed-on-mail-address>/INBOX.sbd/Trash
- ImapMail/mail.<passed-on-mail-address>/INBOX.sbd/ML-DebianWomen/PartNo_0#3121250411
- ImapMail/mail.<passed-on-mail-address>/INBOX.sbd/ML-DebianWomen/
- ImapMail/mail.<passed-on-mail-address>/INBOX.sbd/Drafts/PartNo_0#1871746401

I shifted the files into the chest folder of avast. The files have the following sizes:

Trash/PartNo_0#2351397450 -> HTML:Banker-D [Trj] = 4,2MB
Trash -> HTML:Banker-D [Trj] = 4,2 MB
ML-DebianWomen/PartNo_0#3121250411 -> HTML:Banker-D [Trj] = 2,9MB
ML-DebianWomen -> HTML:Banker-D [Trj] = 2,9MB
Drafts/PartNo_0#1871746401 -> HTML:Banker-D [Trj] = 154,8MB !!

Now I have tried to find out what kind of virus "Banker-D" is:

"Troj/Banker-D is a key logging Trojan which emails the gathered information to an external email address. The Trojan copies itself to the Windows folder ..."
From: http://www.sophos.com/security/analyses/viruses-and-spyware/trojbankerd.html

"Infostealer.Banker.D is a Trojan horse that steals banking information and opens a back door on the compromised computer."
From: http://www.symantec.com/security_response/writeup.jsp?docid=2007-052710-0541-99

Now I examined the mailing-list archive and my e-mail/junk log file and found out the following:

1. There are two spam mails on the list since November 2010 which have something in common with "banking":

a) http://lists.debian.org/debian-women/2010/11/msg00005.html
b) http://lists.debian.org/debian-women/2011/02/msg00003.html

Both of them include an HTML link. b) includes the link as an attachment:

"Attachment: Update Your Account Information.html Description: application/html"

And the target of the attachment link is a binary file!!! (I interrupt the URL with blanks):

http: //lists.debian.org/debian-women/2011/02/binPP79TIx7p7. bin

First I wondered about a possible interrelationship between the file in the trash folder and the mailing list and found out: I marked the mail in msg00005.html as spam and put it in my trash folder!

Then I wondered about a possible interrelationship between the file of the mailing list and the file in my drafts folder (of course: I do not write any mails at any time with an attachment of about 155MB!!!). But when I realized "The Trojan copies itself to the Windows folder", and if I consider that all attempts of the "poor" trojan to find a Windows folder on my computer were in vain, maybe the trojan leaves it instead in my drafts folder?!

What do you think about that?

I will report the mails as spam (did not know before that it is possible via the HTML mailing-list archive ...)

Best regards,
Petra