Web lists-archives.com

Re: Virus hijacking Lightning calendar

Em 19-08-2018 10:32, Knut Welle escreveu:
On Sunday, 19 August 2018 14:02:34 UTC+2, Balaco ocalaB  wrote:
Em 19-08-2018 07:39, Balaco ocalaB escreveu:
Em 16-08-2018 18:53, Knut Welle escreveu:
On Thursday, 16 August 2018 20:26:35 UTC+2, Balaco ocalaB  wrote:
Em 16-08-2018 07:13, Knut Welle escreveu:
I have been using Thunderbird for many years, mainly because it has
been quite safe for virus. But now I have encounter the first virus
in Thunderbird. I't seems like the origin of the virus comes from a
specific mail with the topic "Scam". The virus seems to hijack my
google calender and opens a dialog whenever Thunderbird is started.
It pretends it's a user inquiry from my ISP. It is not possible to
fix this by simply deleting the google calender and reinstall it. I
have a feeling that the add-on "Provider for Google Calendar" also is

I still have the virus mail it anyone want to study it, but you will
have to give me instructions on how to send it to avoid spreading
(maybe as a zip-file or a image of the text?)

Best regards,

With the message opened in TB, click on menu File > Save as > File,
choose the option "Messafe file", which has the .eml extension (the
other options I have now are text and HTML files). If your email address
shown here is correct (is it?), I will send you a message asking for
that EML file. You may attach it directly, or zip, if you prefer. I can
check it, and maybe give you some information. Is that good for you?

Yes, my email address is correct.

I have sent you an email right now. I am sorry to let you waiting almost
3 days. It was just a common lack of time to check things around here.

I received and am checking your message right now. The .no domain is
yours, I guess?

The message itself it much simpler than I imagined!

In Thunderbird, do you use settings that load automatically any remote
content? (images)

And I think the message is not among the ones that may be trigger remote
confirmations of we reading the safe parts of it. I will make a new
thread for that question in a few minutes.


I had disbled "Options - Privacy - Mail Content - Allow remote content in messages" to prevent automatic loading of remote content. What I just realized is that the in the option "Options - Security - Anti-Virus - Allow anti-virus client to quarantine individual incoming messages" was not enabled.

I'm pretty sure that the mail I sent you is the origin of the virus, but it can be that I'm totally wrong about it. I also noted that the Add-On "Provider for Google Calendar" had it's update date set to the same date as I received the virus.

Good that you had the "remove content" option disabled. And I think the anti-virus option is not necessary, if you take care of your actions with each message.

Please answer me one detail. Is the .no domain something owned by you? Do you know what a domain is?

I am about to change you a modified EML file of your message, and I made all changes in it to make it safe for showing it here (or anywhere else public).

  1.a. Você quer fazer um comentário, mas não quer mostrar
       quem você é?
  1.b. Do you want to make a comment for me, but do not want
       to show who you are?

  2.a. Você pode fazê-lo aqui:
  2.b. You may do it here:

general mailing list