
Re: Virus hijacking Lightning calendar

On Sunday, 19 August 2018 14:02:34 UTC+2, Balaco ocalaB wrote:
> On 19-08-2018 07:39, Balaco ocalaB wrote:
> > On 16-08-2018 18:53, Knut Welle wrote:
> >> On Thursday, 16 August 2018 20:26:35 UTC+2, Balaco ocalaB wrote:
> >>> On 16-08-2018 07:13, Knut Welle wrote:
> >>>> I have been using Thunderbird for many years, mainly because it has
> >>>> been quite safe from viruses. But now I have encountered the first virus
> >>>> in Thunderbird. It seems like the origin of the virus comes from a
> >>>> specific mail with the topic "Scam". The virus seems to hijack my
> >>>> Google calendar and opens a dialog whenever Thunderbird is started.
> >>>> It pretends it's a user inquiry from my ISP. It is not possible to
> >>>> fix this by simply deleting the Google calendar and reinstalling it. I
> >>>> have a feeling that the add-on "Provider for Google Calendar" also is
> >>>> infected.
> >>>>
> >>>> I still have the virus mail if anyone wants to study it, but you will
> >>>> have to give me instructions on how to send it to avoid spreading
> >>>> (maybe as a zip file or an image of the text?)
> >>>>
> >>>> Best regards,
> >>>
> >>> With the message opened in TB, click on menu File > Save as > File,
> >>> choose the option "Message file", which has the .eml extension (the
> >>> other options I have now are text and HTML files). If your email address
> >>> shown here is correct (is it?), I will send you a message asking for
> >>> that EML file. You may attach it directly, or zip it, if you prefer. I can
> >>> check it, and maybe give you some information. Is that good for you?
> >>>
> >>
> >> Yes, my email address is correct.
> >>
> >
> > I have sent you an email right now. I am sorry to have kept you waiting almost
> > 3 days. It was just a common lack of time to check things around here.
> >
> >
> I received and am checking your message right now. The .no domain is
> yours, I guess?
> The message itself is much simpler than I imagined!
> In Thunderbird, do you use settings that automatically load any remote
> content? (images)
> And I think the message is not among the ones that may trigger remote
> confirmations of us reading the safe parts of it. I will make a new
> thread for that question in a few minutes.
> -- 
> =
>    1.a. Você quer fazer um comentário, mas não quer mostrar
>         quem você é?
>    1.b. Do you want to make a comment for me, but do not want
>         to show who you are?
>    2.a. Você pode fazê-lo aqui:
>    2.b. You may do it here:
>    https://queroouvir.sarahah.com/


I had disabled "Options - Privacy - Mail Content - Allow remote content in messages" to prevent automatic loading of remote content. What I just realized is that the option "Options - Security - Anti-Virus - Allow anti-virus client to quarantine individual incoming messages" was not enabled.

I'm pretty sure that the mail I sent you is the origin of the virus, but it can be that I'm totally wrong about it. I also noted that the add-on "Provider for Google Calendar" had its update date set to the same date as I received the virus.
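
An added example, not part of the thread or written by either poster: one way to inspect a saved .eml file offline, without rendering it, listing its MIME parts and any remote references of the kind the "Allow remote content in messages" setting blocks. The sample message is constructed, and treating `text/calendar` parts as worth flagging is an assumption; the thread does not say what the reported mail contained.

```python
import re
from email import message_from_bytes, policy

# Constructed sample message (NOT the mail discussed in the thread).
SAMPLE_EML = b"""\
From: sender@example.invalid
Subject: Scam
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p>
<img src="http://tracker.example.invalid/pixel.gif?id=123" width="1">
<img src="cid:logo@local"></body></html>
--b1
Content-Type: text/calendar; method=REQUEST; charset="utf-8"

BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
SUMMARY:Constructed invitation
END:VEVENT
END:VCALENDAR
--b1--
"""

# http(s) URLs in attributes that make a mail client fetch or link out.
REMOTE_REF = re.compile(
    r"""(?:src|href|background)\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)

def triage_eml(raw: bytes) -> dict:
    """Parse a saved .eml as data only and report what it carries."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {"parts": [], "remote_refs": [], "calendar_methods": []}
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers hold no content of their own
        ctype = part.get_content_type()
        report["parts"].append(ctype)
        if ctype == "text/html":
            # Embedded cid: images are local; only http(s) targets count.
            report["remote_refs"] += REMOTE_REF.findall(part.get_content())
        elif ctype == "text/calendar":
            # Assumption: an iCalendar METHOD line marks an invitation.
            report["calendar_methods"] += re.findall(
                r"(?m)^METHOD:(\S+)", part.get_content())
    return report

if __name__ == "__main__":
    print(triage_eml(SAMPLE_EML))
```

To check a real file, pass `open("message.eml", "rb").read()` to `triage_eml`; the file name is a placeholder.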