
Re: Virus hijacking Lightning calendar

On 19-08-2018 11:03, Knut Welle wrote:
On Sunday, 19 August 2018 15:55:51 UTC+2, Balaco ocalaB wrote:
On 19-08-2018 10:53, Balaco ocalaB wrote:
On 19-08-2018 10:32, Knut Welle wrote:
On Sunday, 19 August 2018 14:02:34 UTC+2, Balaco ocalaB wrote:
On 19-08-2018 07:39, Balaco ocalaB wrote:
On 16-08-2018 18:53, Knut Welle wrote:
On Thursday, 16 August 2018 20:26:35 UTC+2, Balaco ocalaB wrote:
On 16-08-2018 07:13, Knut Welle wrote:
I have been using Thunderbird for many years, mainly because it has
been quite safe from viruses. But now I have encountered the first virus
in Thunderbird. It seems like the origin of the virus comes from a
specific mail with the topic "Scam". The virus seems to hijack my
Google calendar and opens a dialog whenever Thunderbird is started.
It pretends it's a user inquiry from my ISP. It is not possible to
fix this by simply deleting the Google calendar and reinstalling it. I
have a feeling that the add-on "Provider for Google Calendar"
also is

I still have the virus mail if anyone wants to study it, but you will
have to give me instructions on how to send it to avoid spreading
(maybe as a zip file or an image of the text?)

Best regards,

With the message opened in TB, click on menu File > Save as > File,
choose the option "Message file", which has the .eml extension (the
other options I have now are text and HTML files). If your email
shown here is correct (is it?), I will send you a message asking for
that EML file. You may attach it directly, or zip, if you prefer.
I can check it, and maybe give you some information. Is that good for you?

Yes, my email address is correct.

I have sent you an email right now. I am sorry for keeping you waiting
3 days. It was just a common lack of time to check things around here.

I received and am checking your message right now. The .no domain is
yours, I guess?

The message itself is much simpler than I imagined!

In Thunderbird, do you use settings that load automatically any remote
content? (images)

And I think the message is not among the ones that may trigger remote
confirmations of us reading the safe parts of it. I will make a new
thread for that question in a few minutes.


I had disabled "Options - Privacy - Mail Content - Allow remote content
in messages" to prevent automatic loading of remote content. What I
just realized is that the option "Options - Security -
Anti-Virus - Allow anti-virus client to quarantine individual incoming
messages" was not enabled.

I'm pretty sure that the mail I sent you is the origin of the virus,
but it can be that I'm totally wrong about it. I also noted that the
add-on "Provider for Google Calendar" had its update date set to the
same date as I received the virus.

Good that you had the "remove content" option disabled. And I think the
anti-virus option is not necessary, if you take care of your actions
with each message.

Please answer me one detail. Is the .no domain something owned by you?
Do you know what a domain is?

I am about to change you a modified EML file of your message, and I made
all changes in it to make it safe for showing it here (or anywhere else

"remove content" should have been "remote content"...

"I am about to change you " should have been "I am about to SEND you "

Sorry for the strange "typos". LOL

Yes, the .no domain is owned by me. If you publish the mail, could you please remove the content identifying my domain and the email-address?

I will not publish your message before showing you the changed version. That was never my intention. I will send my answer with it by email, and you may copy its contents here, if you agree with my thoughts. Or you may just answer that message saying you are fine with me sending the exact same message to this newsgroup (with the EML file contents shown as a quote, since it is just a text file, in the end).

The opinion of more people may add ideas about a few things I have some doubt about. And people may know something about the domains the message has. I myself, from Brazil, have never seen those domains. First because I receive very few spam messages. The very far place you live may also attract different spammers, kind of naturally, I think.

  1. Do you want to make a comment for me, but do not want
     to show who you are?

  2. You may do it here:
