Steve's Digicams Forums > Digicam Help > General Discussion

Post #1, Nov 4, 2009, 3:17 AM, by kazuya (Senior Member, joined Sep 2008, 1,006 posts)
Thread title: 99% sure it's a phish/scam/virus

I received this email today:

Hi kazuya1337,
There are new comments to your photos in Panoramio: (genuine link)

Jan Caverly said:
Beautiful shot. Nice tribute to the author. One of my favorites. I see that you are a cool photographer. I need your advice. I put the self-extracting archive of photographs of my young beautiful wife on my homepage. [Please see these photos.](I've altered and disabled the link)
. Decently I will put these photographs on Panoramio? Thank you!


I've cut a big chunk out of the middle of the link to stop anyone accidentally clicking it, because I think it's dodgy, mainly because it points to a .exe.

I'm posting this for:
a: to get your opinions on whether you think it's a virus or something, and
b: as a warning in case anyone else gets something similar.

Dave
Post #2, Nov 4, 2009, 4:30 AM, by JimC (Administrator, joined Jun 2003, Savannah, GA (USA), 22,378 posts)

Actually, you didn't disable the link (it was working). ;-)

You only edited the text that was displayed, not the underlying link in the url tags. The entire link was still there (and allowed you to download the infected photos.exe) if you clicked on the edited text.

I've now removed it.

That file (photos.exe) is a trojan (TR/Downloader.GEN is how Avira identifies it).
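As an added illustration of the point JimC makes about the [url=...] tag (this is example code written for this page, not code from the thread, the forum software or any project): a small Python check that parses BBCode url tags and reports links whose displayed text no longer matches the underlying target, or whose target is an executable. The post body and the example.invalid domain are constructed placeholders, not the real comment or link.

```python
import re
from urllib.parse import urlparse

# Constructed sample post body (not the real comment): the poster shortened the
# visible text but left the [url=...] target intact, which is the mistake JimC
# points out. example.invalid is a placeholder domain.
SAMPLE_POST = (
    "I put the self-extracting archive of photographs on my homepage. "
    "[url=http://example.invalid/gallery/photos.exe]Please see these ph...os.[/url] "
    "Also see [url]http://example.invalid/about.html[/url]"
)

# Matches both [url=target]text[/url] and [url]target[/url] forms of the BBCode url tag.
URL_TAG = re.compile(r"\[url(?:=([^\]]+))?\]([^\[]*)\[/url\]", re.IGNORECASE)

# Suffixes that make a link a program rather than a page or picture.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi")


def extract_links(text):
    """Return (target, visible_text) pairs for every url tag in text."""
    links = []
    for m in URL_TAG.finditer(text):
        target, visible = m.group(1), m.group(2)
        if target is None:            # [url]target[/url]: the visible text is the target
            target = visible
        links.append((target.strip(), visible.strip()))
    return links


def assess_link(target, visible):
    """Return the reasons a link deserves a second look (empty list = nothing flagged)."""
    reasons = []
    path = urlparse(target).path.lower()
    if path.endswith(EXECUTABLE_SUFFIXES):
        reasons.append("target is an executable")
    # The displayed text is only what a reader sees; the link still goes wherever
    # the tag's target says, however much the text was edited.
    if visible != target and target not in visible:
        reasons.append("visible text differs from underlying target")
    return reasons


def check_post(text):
    """Assess every url tag in a post: list of (target, visible_text, reasons)."""
    return [(t, v, assess_link(t, v)) for t, v in extract_links(text)]


if __name__ == "__main__":
    for target, visible, reasons in check_post(SAMPLE_POST):
        status = "; ".join(reasons) or "ok"
        print(f"{visible!r} -> {target}: {status}")
```

Run as-is, the first link is flagged on both counts while the plain [url]...[/url] link passes; to actually neutralise a link in a post, the target inside the opening tag has to be removed or replaced, not the text between the tags.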
Post #3, Nov 4, 2009, 10:06 AM, by kazuya (Senior Member, joined Sep 2008, 1,006 posts)

Oops, sorry. Doh!
Thanks for that, JimC.
Post #4, Nov 4, 2009, 10:24 AM, by JimC (Administrator, joined Jun 2003, Savannah, GA (USA), 22,378 posts)

Another way to check a file is using the upload facility at http://www.virustotal.com/ (it runs the file through a number of virus scan engines to see if it's recognized by one of them). Of course, you want to make sure you don't run the program you want to check (and in this case, that .exe file contained a trojan).

If you're running malware protection, it might catch that one.

For example, Avira Antivir will pop up a warning screen about it immediately if you right click on it to save it without running it. But, you can never be too safe, as sometimes new malware is not recognized by malware scanners (as they don't know what to look for yet). I tend to run multiple malware scanners under both Linux and Windows to help protect against infection. But, none of them are foolproof. So, I'd only trust executable files from trusted sources if they don't raise any alarm bells when submitted to virus scan engines for testing (and then, only trust them so far).

In the case of this file, 10 out of 41 malware scanners recognized it as malware (meaning over 30 malware scanners did not recognize it). IOW, be very careful, even if the malware/virus protection you're using doesn't think it's malware, as it may not know what to look for yet. ;-)
Post #5, Nov 4, 2009, 11:28 AM, by kazuya (Senior Member, joined Sep 2008, 1,006 posts)

I didn't even download it, just to be safe. I don't trust .exe files either unless I know where they are from.
I've also deleted the comment on Panoramio so nobody else clicks it.
Post #6, Nov 4, 2009, 1:00 PM, by JimC (Administrator, joined Jun 2003, Savannah, GA (USA), 22,378 posts)

I tend to run Linux most of the time as an added safeguard, since most malware is going to target Windows.

I do boot into Windows about once per week or so to check for updates to Windows, Browser Plugins, Virus Scan Engines, etc. It never ceases to amaze me at some of the malware a new scan engine update will find, even though it was missed for a long time.

Actually, I think Avira Antivir found that same trojan (or a similar one anyway) a few weeks back on a drive I use for data storage, after I updated its definitions and performed a full scan; only it was named camera.exe versus photos.exe. I think it had been on that drive for a long time (but products I use for regular scans like Spybot S&D, Avira, F-Prot, Malwarebytes, etc., didn't know how to recognize it and missed it during previous scans). I'm not sure where it came from.

In the case of the one you linked to, a number of popular malware scanners don't recognize it yet, although 10 out of 41 did flag it when running it through http://www.virustotal.com


Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.04 -
AhnLab-V3 5.0.0.2 2009.11.04 -
AntiVir 7.9.1.53 2009.11.04 TR/Downloader.Gen
Antiy-AVL 2.0.3.7 2009.11.04 -
Authentium 5.2.0.5 2009.11.04 -
Avast 4.8.1351.0 2009.11.03 -
AVG 8.5.0.423 2009.11.04 -
BitDefender 7.2 2009.11.04 -
CAT-QuickHeal 10.00 2009.11.04 (Suspicious) - DNAScan
ClamAV 0.94.1 2009.11.04 -
Comodo 2837 2009.11.04 -
DrWeb 5.0.0.12182 2009.11.04 DLOADER.Trojan
eSafe 7.0.17.0 2009.11.03 Suspicious File
eTrust-Vet 35.1.7101 2009.11.04 -
F-Prot 4.5.1.85 2009.11.04 -
F-Secure 9.0.15370.0 2009.11.04 -
Fortinet 3.120.0.0 2009.11.04 -
GData 19 2009.11.04 -
Ikarus T3.1.1.74.0 2009.11.04 -
Jiangmin 11.0.800 2009.11.04 -
K7AntiVirus 7.10.887 2009.11.03 -
Kaspersky 7.0.0.125 2009.11.04 Trojan.Win32.Agent.dbdr
McAfee 5791 2009.11.03 -
McAfee+Artemis 5791 2009.11.03 Artemis!CCB97467D208
McAfee-GW-Edition 6.8.5 2009.11.04 Trojan.Downloader.Gen
Microsoft 1.5202 2009.11.04 -
NOD32 4573 2009.11.04 -
Norman 6.03.02 2009.11.04 -
nProtect 2009.1.8.0 2009.11.04 -
Panda 10.0.2.2 2009.11.03 Suspicious file
PCTools 7.0.3.5 2009.11.04 -
Prevx 3.0 2009.11.04 -
Rising 21.54.24.00 2009.11.04 Trojan.DL.Win32.Downloader.GEN
Sophos 4.47.0 2009.11.04 -
Sunbelt 3.2.1858.2 2009.11.04 -
Symantec 1.4.4.12 2009.11.04 Trojan Horse
TheHacker 6.5.0.2.060 2009.11.04 -
TrendMicro 9.0.0.1003 2009.11.04 -
VBA32 3.12.10.11 2009.11.03 -
ViRobot 2009.11.4.2021 2009.11.04 -
VirusBuster 4.6.5.0 2009.11.03 -
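The "10 out of 41" figure JimC cites in posts #4 and #6 can be worked out from the pasted table. The following Python parser is an added example for this page, not code from the thread or from VirusTotal: it reads the result lines exactly as posted above (copied inline, header row omitted), tallies which engines flagged the file, and lists the engines whose definitions predate the scan date, which is the "doesn't know what to look for yet" case the post describes. The engine names, versions, dates and labels are the ones on the page; reading each line as engine, version, last-update date and then the verdict, with "-" meaning no detection, is my interpretation of the pasted columns.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Result lines as pasted in the post above (header row omitted).
REPORT = """\
a-squared 4.5.0.41 2009.11.04 -
AhnLab-V3 5.0.0.2 2009.11.04 -
AntiVir 7.9.1.53 2009.11.04 TR/Downloader.Gen
Antiy-AVL 2.0.3.7 2009.11.04 -
Authentium 5.2.0.5 2009.11.04 -
Avast 4.8.1351.0 2009.11.03 -
AVG 8.5.0.423 2009.11.04 -
BitDefender 7.2 2009.11.04 -
CAT-QuickHeal 10.00 2009.11.04 (Suspicious) - DNAScan
ClamAV 0.94.1 2009.11.04 -
Comodo 2837 2009.11.04 -
DrWeb 5.0.0.12182 2009.11.04 DLOADER.Trojan
eSafe 7.0.17.0 2009.11.03 Suspicious File
eTrust-Vet 35.1.7101 2009.11.04 -
F-Prot 4.5.1.85 2009.11.04 -
F-Secure 9.0.15370.0 2009.11.04 -
Fortinet 3.120.0.0 2009.11.04 -
GData 19 2009.11.04 -
Ikarus T3.1.1.74.0 2009.11.04 -
Jiangmin 11.0.800 2009.11.04 -
K7AntiVirus 7.10.887 2009.11.03 -
Kaspersky 7.0.0.125 2009.11.04 Trojan.Win32.Agent.dbdr
McAfee 5791 2009.11.03 -
McAfee+Artemis 5791 2009.11.03 Artemis!CCB97467D208
McAfee-GW-Edition 6.8.5 2009.11.04 Trojan.Downloader.Gen
Microsoft 1.5202 2009.11.04 -
NOD32 4573 2009.11.04 -
Norman 6.03.02 2009.11.04 -
nProtect 2009.1.8.0 2009.11.04 -
Panda 10.0.2.2 2009.11.03 Suspicious file
PCTools 7.0.3.5 2009.11.04 -
Prevx 3.0 2009.11.04 -
Rising 21.54.24.00 2009.11.04 Trojan.DL.Win32.Downloader.GEN
Sophos 4.47.0 2009.11.04 -
Sunbelt 3.2.1858.2 2009.11.04 -
Symantec 1.4.4.12 2009.11.04 Trojan Horse
TheHacker 6.5.0.2.060 2009.11.04 -
TrendMicro 9.0.0.1003 2009.11.04 -
VBA32 3.12.10.11 2009.11.03 -
ViRobot 2009.11.4.2021 2009.11.04 -
VirusBuster 4.6.5.0 2009.11.03 -
"""


@dataclass
class EngineResult:
    engine: str
    version: str
    last_update: str        # YYYY.MM.DD, so plain string comparison orders dates correctly
    result: Optional[str]   # None when the engine reported nothing ("-")


def parse_report(text: str) -> List[EngineResult]:
    """Parse pasted result lines: engine, version, definition date, then the verdict."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Antivirus "):   # skip blanks and a pasted header row
            continue
        # The first three columns never contain spaces; the verdict may ("Trojan Horse").
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            raise ValueError(f"unexpected result line: {line!r}")
        engine, version, updated, verdict = parts
        rows.append(EngineResult(engine, version, updated, None if verdict == "-" else verdict))
    return rows


def detection_ratio(rows: List[EngineResult]) -> Tuple[int, int]:
    """(engines that flagged the file, engines that scanned it)."""
    return sum(1 for r in rows if r.result is not None), len(rows)


def detecting_engines(rows: List[EngineResult]) -> List[str]:
    return [r.engine for r in rows if r.result is not None]


def stale_engines(rows: List[EngineResult], scan_date: str) -> List[str]:
    """Engines whose definitions predate the scan date and so may simply not know the file yet."""
    return [r.engine for r in rows if r.last_update < scan_date]


if __name__ == "__main__":
    rows = parse_report(REPORT)
    hits, total = detection_ratio(rows)
    print(f"{hits} of {total} engines flagged the file: {', '.join(detecting_engines(rows))}")
    print("definitions older than the scan date:", ", ".join(stale_engines(rows, "2009.11.04")))
```

The ratio is the number worth reading, not any single engine's verdict: here 31 engines reported nothing, and eight of the 41 were running definitions a day older than the scan, which is exactly why a clean result from one product is weak evidence.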
Post #7, Nov 4, 2009, 3:13 PM, by Ordo (Senior Member, joined Jul 2009, BsAs, 3,452 posts)

Jim: I'm having a serious infection which has totally disabled my keyboard (I'm using the on-screen keyboard). When I type any letter a random set of characters appears. Any clue?
Post #8, Nov 4, 2009, 3:21 PM, by JimC (Administrator, joined Jun 2003, Savannah, GA (USA), 22,378 posts)

That could be caused by the keyboard map being used versus any kind of malware.

But, have you tried a different keyboard to rule out a mechanical problem (i.e., a bad keyboard)?
Post #9, Nov 4, 2009, 4:40 PM, by Ordo (Senior Member, joined Jul 2009, BsAs, 3,452 posts)

This is a BIOS virus. Changed keyboards, cleaned with Norton 2010, Avira, AVG, etc. A disaster. First time in my life, but not because of this site. My wrong.
Post #10, Nov 4, 2009, 4:52 PM, by JimC (Administrator, joined Jun 2003, Savannah, GA (USA), 22,378 posts)

> This is a BIOS virus.

That's unlikely.

Chances are, something just messed up the keyboard map being used by the operating system. IOW, how the Operating System is interpreting the keys you press may have been modified. In most cases, it's just the wrong language selected in Control Panel. Here's one article about keyboard mapping in Windows:

http://www.annoyances.org/exec/show/article02-022

To verify you don't have a hardware issue, you could always boot into a Linux Live CD (bypassing your Windows install by running an operating system from CD instead).

Mepis 8.0 is one free distro that can run from CD (just download the .iso file for the latest 8.0.10 version, burn it to CD using a utility that knows how to burn the .iso image to CD, then boot into the CD by restarting your PC with the CD selected as the first boot drive).

http://www.mepis.org

If the keyboard works fine in Linux, it's probably an operating system issue (most likely related to the keyboard mapping). If so (the operating system is the issue), and you can't solve it otherwise (checking the language for the keyboard in control panel, etc.) you could reinstall Windows from scratch if necessary.