
Re: Virus hijacking Lightning calendar

On 19-08-2018 11:17, Balaco ocalaB wrote:
On 19-08-2018 11:03, Knut Welle wrote:
On Sunday, 19 August 2018 15:55:51 UTC+2, Balaco ocalaB wrote:
On 19-08-2018 10:53, Balaco ocalaB wrote:
On 19-08-2018 10:32, Knut Welle wrote:
On Sunday, 19 August 2018 14:02:34 UTC+2, Balaco ocalaB wrote:
On 19-08-2018 07:39, Balaco ocalaB wrote:
On 16-08-2018 18:53, Knut Welle wrote:
On Thursday, 16 August 2018 20:26:35 UTC+2, Balaco ocalaB wrote:
On 16-08-2018 07:13, Knut Welle wrote:
I have been using Thunderbird for many years, mainly because it has
been quite safe from viruses. But now I have encountered the first
in Thunderbird. It seems like the origin of the virus comes from a
specific mail with the topic "Scam". The virus seems to hijack my
Google calendar and opens a dialog whenever Thunderbird is
It pretends it's a user inquiry from my ISP. It is not possible to
fix this by simply deleting the Google calendar and reinstalling it. I
have a feeling that the add-on "Provider for Google Calendar" also is

I still have the virus mail if anyone wants to study it, but you will
have to give me instructions on how to send it to avoid spreading
(maybe as a zip-file or an image of the text?)

Best regards,

With the message opened in TB, click on menu File > Save as >
choose the option "Message file", which has the .eml extension
other options I have now are text and HTML files). If your email
shown here is correct (is it?), I will send you a message asking for
that EML file. You may attach it directly, or zip, if you prefer. I can
check it, and maybe give you some information. Is that good for

Yes, my email address is correct.

I have sent you an email right now. I am sorry to have kept you waiting
3 days. It was just a common lack of time to check things around

I received and am checking your message right now. The .no domain is
yours, I guess?

The message itself is much simpler than I imagined!

In Thunderbird, do you use settings that load automatically any
content? (images)

And I think the message is not among the ones that may trigger
confirmations of our reading the safe parts of it. I will make a new
thread for that question in a few minutes.


I had disabled "Options - Privacy - Mail Content - Allow remote content
in messages" to prevent automatic loading of remote content. What I
just realized is that the option "Options - Security -
Anti-Virus - Allow anti-virus client to quarantine individual incoming
messages" was not enabled.

I'm pretty sure that the mail I sent you is the origin of the virus,
but it can be that I'm totally wrong about it. I also noted that the
Add-On "Provider for Google Calendar" had its update date set to the
same date as I received the virus.

Good that you had the "remove content" option disabled. And I think the
anti-virus option is not necessary, if you take care of your actions
with each message.

Please answer me one detail. Is the .no domain something owned by you?
Do you know what a domain is?

I am about to change you a modified EML file of your message, and I
all changes in it to make it safe for showing it here (or anywhere else

"remove content" should have been "remote content"...

"I am about to change you " should have been "I am about to SEND you "

Sorry for the strange "typos". LOL

Yes, the .no domain is owned by me. If you publish the mail, could you
please remove the content identifying my domain and the email-address?

I will not publish your message before showing you the changed version.
That was never my intention. I will sent my answer with it by email, and
you may copy its contents here, if you agree with my thoughts. Or you
may just answer that message saying you are fine with me sending the
exact same message to this newsgroup (with the EML file contents shown
as a quote, since it is just a text file, in the end).

The opinion of more people may add ideas about a few things I have some
doubts about. And people may know something about the domains the message
has. Myself, from Brazil, did not ever see those domains. First because
I receive very few spam messages. The very far place you live may also
attract different spammers, kind of naturally, I think.

"I will sent" should have been "I will send".
