
Re: Virus hijacking Lightning calendar




On Sunday, 19 August 2018 15:55:51 UTC+2, Balaco ocalaB  wrote:
> On 19-08-2018 10:53, Balaco ocalaB wrote:
> > On 19-08-2018 10:32, Knut Welle wrote:
> >> On Sunday, 19 August 2018 14:02:34 UTC+2, Balaco ocalaB  wrote:
> >>> On 19-08-2018 07:39, Balaco ocalaB wrote:
> >>>> On 16-08-2018 18:53, Knut Welle wrote:
> >>>>> On Thursday, 16 August 2018 20:26:35 UTC+2, Balaco ocalaB  wrote:
> >>>>>> On 16-08-2018 07:13, Knut Welle wrote:
> >>>>>>> I have been using Thunderbird for many years, mainly because it has
> >>>>>>> been quite safe from viruses. But now I have encountered the first virus
> >>>>>>> in Thunderbird. It seems like the origin of the virus comes from a
> >>>>>>> specific mail with the topic "Scam". The virus seems to hijack my
> >>>>>>> Google calendar and opens a dialog whenever Thunderbird is started.
> >>>>>>> It pretends it's a user inquiry from my ISP. It is not possible to
> >>>>>>> fix this by simply deleting the Google calendar and reinstalling it. I
> >>>>>>> have a feeling that the add-on "Provider for Google Calendar" also is
> >>>>>>> infected.
> >>>>>>>
> >>>>>>> I still have the virus mail if anyone wants to study it, but you will
> >>>>>>> have to give me instructions on how to send it to avoid spreading
> >>>>>>> (maybe as a zip file or an image of the text?)
> >>>>>>>
> >>>>>>> Best regards,
> >>>>>>
> >>>>>> With the message opened in TB, click on menu File > Save as > File,
> >>>>>> choose the option "Message file", which has the .eml extension (the
> >>>>>> other options I have now are text and HTML files). If your email address
> >>>>>> shown here is correct (is it?), I will send you a message asking for
> >>>>>> that EML file. You may attach it directly, or zip, if you prefer. I can
> >>>>>> check it, and maybe give you some information. Is that good for you?
> >>>>>>
> >>>>>
> >>>>> Yes, my email address is correct.
> >>>>>
> >>>>
> >>>> I have sent you an email right now. I am sorry to have kept you waiting
> >>>> almost 3 days. It was just a common lack of time to check things around here.
> >>>>
> >>>>
> >>>
> >>> I received and am checking your message right now. The .no domain is
> >>> yours, I guess?
> >>>
> >>> The message itself is much simpler than I imagined!
> >>>
> >>> In Thunderbird, do you use settings that load automatically any remote
> >>> content? (images)
> >>>
> >>> And I think the message is not among the ones that may trigger remote
> >>> confirmations of us reading the safe parts of it. I will make a new
> >>> thread for that question in a few minutes.
> >>>
> >>>
> >>
> >> ------------------------------------------------------
> >>
> >> I had disabled "Options - Privacy - Mail Content - Allow remote content
> >> in messages" to prevent automatic loading of remote content. What I
> >> just realized is that the option "Options - Security -
> >> Anti-Virus - Allow anti-virus client to quarantine individual incoming
> >> messages" was not enabled.
> >>
> >> I'm pretty sure that the mail I sent you is the origin of the virus,
> >> but it can be that I'm totally wrong about it. I also noted that the
> >> Add-On "Provider for Google Calendar" had its update date set to the
> >> same date as I received the virus.
> >>
> >
> > Good that you had the "remove content" option disabled. And I think the
> > anti-virus option is not necessary, if you take care of your actions
> > with each message.
> >
> > Please answer me one detail. Is the .no domain something owned by you?
> > Do you know what a domain is?
> >
> > I am about to change you a modified EML file of your message, and I made
> > all changes in it to make it safe for showing it here (or anywhere else
> > public).
> >
> 
> "remove content" should have been "remote content"...
> 
> "I am about to change you " should have been "I am about to SEND you "
> 
> Sorry for the strange "typos". LOL
> 
> 
> -- 
> =
>    1.a. Você quer fazer um comentário, mas não quer mostrar
>         quem você é?
>    1.b. Do you want to make a comment for me, but do not want
>         to show who you are?
> 
>    2.a. Você pode fazê-lo aqui:
>    2.b. You may do it here:
> 
>    https://queroouvir.sarahah.com/

Yes, the .no domain is owned by me. If you publish the mail, could you please remove the content identifying my domain and the email-address?
_______________________________________________
general mailing list
general@xxxxxxxxxxxxxxxxx
https://lists.mozilla.org/listinfo/general