Author Topic: E- Mail worm  (Read 4712 times)

Offline Dick Miller

  • TS Addict
  • *****
  • Posts: 623
« on: July 02, 2010, 06:45:41 PM »
I seem to have picked up an e-mail worm on my iMac. It has been sending e-mails to people in my address book. I downloaded clamx-av and ran it and it said I had a worm called bagel. I ran the scan again and had it quarantine the worm and then secure empty the trash. Next day it's back, so I went to the Apple store and got a copy of Virus Barrier 6. It found nothing and everything was fine for a couple of days; now today it's back. Two days ago I trashed all my e-mails and my address book and the Mac has been turned OFF for two days. Any ideas on how they can send e-mails from a computer that isn't even turned on? HELP
27" Imac core I7 3.4 GHZ
8gb ram
Nvidia GTX 680 mx 2gb
10.8.2

24" IMac Core 2 Duo 3.06 Ghz
2gb ram / 500gb HD
Nvidia 8800 cs  512 mb
10.6.3

IMac G5 20" 2.1 Ghz
10.4.9

Offline kbeartx

  • TS Addict
  • Posts: 6772
« Reply #1 on: July 02, 2010, 09:43:05 PM »
What's your e-mail client?

Kb

Offline Dick Miller

  • TS Addict
  • *****
  • Posts: 623
« Reply #2 on: July 02, 2010, 10:02:23 PM »
Thunderbird. It's AT&T Yahoo mail.
« Last Edit: July 02, 2010, 10:05:54 PM by Dick Miller »

Offline Xairbusdriver

  • Administrator
  • TS Addict
  • *****
  • Posts: 26347
  • 27" iMac (mid-17), Big Sur, Mac mini, Catalina
    • Mid-South Weather
« Reply #3 on: July 02, 2010, 10:10:37 PM »
Who says they are coming from your computer? How did they determine that? Did you investigate what "bagel" does?

Just because someone gets a message that has your "From:" address on it means next to nothing. Any of your PC buddies could much more easily have this kind of virus, using their address book and putting your address in the "From:" box. Of course, only those who really know you would tell you that they are getting stuff from "you."

As a matter of fact, I suspect the "bagel" came from the same computer that is actually sending these messages. But, just because ClamX finds it, doesn't mean it would even run on your Mac, unless, of course, you are also running Windows. As far as I can tell, it's a Windows worm. No problem. Except that if it was in a message that you forwarded, their Windows machine could get infected. So far, the only reason to scan email messages, at least those that you forward, is to remove any worms/viruses that might be in them. And that's just to be kind to our Windows brethren.

Just a few weeks ago, I had Comcast tell me that I had exceeded my quota of sent messages in a 24 hour period. I didn't bother asking them to prove it since I never even use their smtp server, nor even their POP one. I simply deleted the Comcast account from Mail and no longer had to see the "!" indicating that they had cut me off temporarily. The hoops needed to jump through to convince them that they didn't come from me would be a waste of time since I wouldn't gain anything from the exercise. Perhaps I should contact them and see if I'm still cluttering up their server? Maybe next month...
« Last Edit: July 02, 2010, 10:16:12 PM by Xairbusdriver »
THERE ARE TWO TYPES OF COUNTRIES
Those that use metric = #1 Measurement system
And the United States = The Banana system
CAUTION! Childhood vaccinations cause adults! :yes:

Offline Dick Miller

  • TS Addict
  • *****
  • Posts: 623
« Reply #4 on: July 03, 2010, 12:53:09 PM »
OK, how did it get all the addresses from my address book?

Offline Xairbusdriver

  • Administrator
  • TS Addict
  • *****
  • Posts: 26347
  • 27" iMac (mid-17), Big Sur, Mac mini, Catalina
    • Mid-South Weather
« Reply #5 on: July 03, 2010, 09:11:22 PM »
QUOTE
OK, how did it get all the addresses from my address book?
Are you sure that all those people got messages? Or just those who are mutual friends of someone in your list?

I'm betting that the only addresses that were in your address book that got these messages are the ones that were also in the address book of the friend who has the worm. The mutual friends who told you they got the messages think they came from you because your name is in the "From:" section. As far as I know, there is no known worm, in the wild, that will operate on the Mac OS. However, there are known trojans. But, all bets are off, if you download and install one of those.

Of course, if you are also running Windows (dual boot) that OS can be infected, just like any other Windows machine. The good part is that even if that partition is infected, it still won't bother your Mac area.

Offline Dick Miller

  • TS Addict
  • *****
  • Posts: 623
« Reply #6 on: July 03, 2010, 09:55:38 PM »
They were my e-mail addresses from my address book. Whatever it was, it is no longer on my Mac, but it still has my address and is spoofing my return address.

Offline krissel

  • Administrator
  • TS Addict
  • *****
  • Posts: 14721
« Reply #7 on: July 04, 2010, 02:38:43 AM »
When you say you have ATT Yahoo mail does that mean you keep your email on the server? Is this an IMAP account? Do you have an address book on the Yahoo account?  

Could the worm have infected the Yahoo account's server and is thereby using the addresses it finds there?


A Techsurvivors founder

Offline Dick Miller

  • TS Addict
  • *****
  • Posts: 623
« Reply #8 on: July 04, 2010, 09:28:36 AM »
Krissel, I use Thunderbird to read my mail and every couple of days I delete the mail on the server. Much to my surprise, I found an address book on the server. I deleted all of the addresses from it. Not sure what an IMAP account is. Don't know how to get rid of the worm if it's on the server.

Offline Xairbusdriver

  • Administrator
  • TS Addict
  • *****
  • Posts: 26347
  • 27" iMac (mid-17), Big Sur, Mac mini, Catalina
    • Mid-South Weather
« Reply #9 on: July 04, 2010, 04:48:28 PM »
QUOTE
Thunderbird. It's AT&T Yahoo mail.
Oops! I completely missed that. So, it's not the address book that is on your Mac. It's the one on the Yahoo server. Never kept an address book off my local drive...no control and all that...same reason I don't store my important files on-line! At any rate, there's definitely no worm 'burrowing' on your Mac.

BTW, by not downloading your messages, they are still on the server at Yahoo. That can be handy if you travel with one computer and normally use another at home. OTOH, you may actually be downloading your messages and have set up Thunderbird to delete them in a certain amount of time. IMAP stands for Internet Multiple Access Protocol. No, wait...it's Interesting Mail Accumulation Process. NOT! I really don't even care enough to look it up!

While I have one IMAP account (mac.com), I use their POP server when I read a message on my iMac, but the IMAP server when I access it from the iPhone. The advantage is you don't have to worry about your mail box filling up and not getting messages because of that. Of course, that's not much of an advantage now with most ISPs offering ever more space.

« Last Edit: July 04, 2010, 04:51:57 PM by Xairbusdriver »

Offline Paddy

  • Administrator
  • TS Addict
  • *****
  • Posts: 13791
    • https://www.paddyduncan.com
« Reply #10 on: July 04, 2010, 11:09:55 PM »
OK...let's get a few things straight, here. The Bagle/Beagle (not "bagel") worm doesn't affect Macs. ClamAvX may have found it on your Mac, Dick, but it cannot run on a Mac. It's an executable file that runs on Windows.

http://www.sophos.com/security/analyses/vi.../w32bagleo.html (click on the "more information" tab)

There are many, many variants of this particular worm - it's been around for at least 7 years now.

What exactly makes you think that you are the source of the emails and how many of your friends have received them? Typically, these worms spoof the "from" address - they aren't actually sent from your computer, but from the computer of someone you know who has you in their address book. If you've sent an email to a whole bunch of people that you know, then one of them may be infected; the worm just picked up all the addresses from the email you sent. It doesn't just use email address books, but scans the drive.

I would be very surprised if Yahoo is somehow infected - they would have good anti-virus software in place and this isn't a new worm by any means.

"If computers get too powerful, we can organize them into committees. That'll do them in." ~Author unknown •iMac 5K, 27" 3.6Ghz i9 (2019) • 16" M1 MBP(2021) • 9.7" iPad Pro • iPhone 13
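
Added example, not part of any post in this thread: a way to check whether a message's "From:" address is backed by anything other than the sender's say-so, using the headers the receiving server stamps on it. The two messages, all host names and addresses, and the simplified alignment rule are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def sample(return_path, auth):
    # Constructed message; every host and address here is made up.
    return (f"Return-Path: <{return_path}>\n"
            f"Authentication-Results: mx.recipient.example; {auth}\n"
            "Received: from relay.example.org (203.0.113.9) "
            "by mx.recipient.example; Sat, 03 Jul 2010 10:00:01 -0500\n"
            "From: Dick <dick@example.net>\nTo: friend@recipient.example\n"
            "Subject: hello\n\nbody\n")

SPOOFED = sample("bounce@mailer.example.org",
                 "spf=pass smtp.mailfrom=mailer.example.org; dkim=none")
GENUINE = sample("dick@example.net",
                 "spf=pass smtp.mailfrom=example.net; dkim=pass header.d=example.net")

def domain(addr):
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def aligned(d, from_dom):
    # Simplified alignment: the authenticated domain equals the From: domain
    # or is a subdomain of it.
    return d == from_dom or d.endswith("." + from_dom)

def check_from(raw):
    msg = message_from_string(raw)
    from_dom = domain(msg["From"])
    # Only trust Authentication-Results stamped by your own receiving server;
    # a sender can add a fake one. This sample has just the receiver's.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    hits = re.findall(r"\bspf=pass\b[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", auth)
    hits += re.findall(r"\bdkim=pass\b[^;]*?header\.d=([^\s;]+)", auth)
    received = msg.get_all("Received", [])
    return {
        "from_domain": from_dom,
        "envelope_domain": domain(msg["Return-Path"]),
        # Bottom-most Received line = first server hop that accepted the message.
        "first_hop": received[-1].split(" by ")[0] if received else "",
        "from_authenticated": any(aligned(h.lower(), from_dom) for h in hits),
    }

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, check_from(raw))
```

In the spoofed sample SPF passes, but only for the envelope domain of the machine that actually sent the message, so the visible "From:" remains unauthenticated.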

Offline tacit

  • TS Addict
  • *****
  • Posts: 1628
    • http://www.xeromag.com/
« Reply #11 on: July 05, 2010, 02:38:45 AM »
Your Mac is not infected, and never was infected. The Bagle worm only affects Windows. It cannot infect Macs. You had it on your Mac because someone who was infected emailed it to you, but because it is a Windows virus it was never active and didn't do anything on your Mac.

However, your email has been compromised, but not by a computer virus.

Eastern European hackers have been attacking Yahoo, Hotmail, AOL, and other free email services. They aren't using a virus; the attack is much simpler than that. They run a program that tries to guess your email password.

If you do not use a secure, strong email password, eventually the program will be able to guess it. Once it guesses your email password, the hackers have access to your address book that is on the email server, and they use your hacked email account to send spam to all the people in your email address book.

The way to avoid this problem is to use a strong email password. Now that you have been hacked, it is important that you change your email password immediately. Use a strong password that has upper and lowercase letters and numbers; never use a simple word that is in the dictionary for an email password.
A whole lot about me: www.xeromag.com/franklin.html

Offline Dick Miller

  • TS Addict
  • *****
  • Posts: 623
« Reply #12 on: July 05, 2010, 09:27:04 AM »
Thanks for all the great info everyone. It all makes sense now. I have changed my e-mail password and deleted my address book; hopefully I am done with this now.

Offline Paddy

  • Administrator
  • TS Addict
  • *****
  • Posts: 13791
    • https://www.paddyduncan.com
« Reply #13 on: July 05, 2010, 10:42:04 AM »
My GMail account was hacked recently, so I changed the PW and deleted the address book and all the email too, since I use POP and it was already on my Mac and backed up. I've also seen signs of a couple of my other friends having been hacked, judging by the weird emails I've received.

Offline kimmer

  • Administrator
  • TS Addict
  • *****
  • Posts: 9086
« Reply #14 on: July 05, 2010, 01:32:08 PM »
Good advice to change those passwords periodically.