Strange mail...


jem2768
Maybe one of you guys can help... something very strange is going on with my home PC (Windows XP) from time to time and I dunno what it is.

I have Outlook Express as my mail reader, along with Norton Antivirus (up-to-date definitions) scanning incoming and outgoing mail.

A few times I've been sitting at the PC and all of a sudden, in the bottom right corner the NAV outbound mail scanner window pops up, scans a mail and then disappears again.

Now, I know *I* haven't sent a mail, and I also haven't received a mail... so what could be doing it? How can I identify what could be doing it?

Sounds to me like a virus / trojan of some sort and I've run AdAware and Spybot on it but nothing is showing up.

Any ideas? For the first time I'm starting to get virus infected mails in my home mail account and I get the funny feeling my PC may be sending out random mails with my return address.... scary stuff...


Nah, it's not outlook - the popup is from Norton Antivirus and says it's scanning a mail. So definitely something has been sent outwards. It doesn't pop up on a routine scan unless something is transferred... otherwise I'd see it every few minutes which I don't.

Keep 'em coming though, someone must have an idea how I can sort this?


I'll give that a shot tonight... however, as my Antivirus is already Norton and is up-to-date I doubt it's gonna spot anything above and beyond the installed version.

Any idea how I can log outgoing mails? e.g. something that would sit and monitor the TCP/IP for outgoing mail messages and sniff the data into a file? Just a thought...


[ QUOTE ]

I'll give that a shot tonight... however, as my Antivirus is already Norton and is up-to-date I doubt it's gonna spot anything above and beyond the installed version.

Any idea how I can log outgoing mails? e.g. something that would sit and monitor the TCP/IP for outgoing mail messages and sniff the data into a file? Just a thought...

[/ QUOTE ]

I see what you mean Jem, but the reason I use the version on the Symantec site is that I always think that if I were designing a virus the first thing I would do would be to make it disable or work WITH Norton so that it goes about its work undetected.

In the unlikely scenario that your Norton was compromised, the remote check would help you I think.

See where I’m coming from?

There is something to monitor TCP/IP – I have it at home and will get the name, but it doesn’t make logs so you’ll have to watch it yourself. Plus I’m not sure you’ll be able to distinguish between a “check mail” request to a server and a genuine mail being sent. The real geeks will set you right on that.

The other thing is – stick your hotmail address in your address book. If you do have a remote parasite sending mails from your machine then it's got to be sending them somewhere. Chances are it will be eating your address book, so sticking an email of yours in there should turn up an email. Also, have any friends been in touch re strange emails?


[ QUOTE ]

[ QUOTE ]

I'll give that a shot tonight... however, as my Antivirus is already Norton and is up-to-date I doubt it's gonna spot anything above and beyond the installed version.

Any idea how I can log outgoing mails? e.g. something that would sit and monitor the TCP/IP for outgoing mail messages and sniff the data into a file? Just a thought...

[/ QUOTE ]

I see what you mean Jem, but the reason I use the version on the Symantec site is that I always think that if I were designing a virus the first thing I would do would be to make it disable or work WITH Norton so that it goes about its work undetected.

In the unlikely scenario that your Norton was compromised, the remote check would help you I think.

See where I’m coming from?

[/ QUOTE ]

Indeedy, thinking about it, something strange has happened with my Norton, it's been asking me regularly (like every couple of days) to update my definitions... hmmmmmm

[ QUOTE ]

There is something to monitor TCP/IP – I have it at home and will get the name, but it doesn’t make logs so you’ll have to watch it yourself. Plus I’m not sure you’ll be able to distinguish between a “check mail” request to a server and a genuine mail being sent. The real geeks will set you right on that.

The other thing is – stick your hotmail address in your address book. If you do have a remote parasite sending mails from your machine then it's got to be sending them somewhere. Chances are it will be eating your address book, so sticking an email of yours in there should turn up an email. Also, have any friends been in touch re strange emails?

[/ QUOTE ]

Good idea, I'll try that. And no, no one's got strange emails from me... I just seem to finally be picking up viral mails from unknown people, which is something I haven't had happen in the past... 20 months, of this mail account... but is hardly unexpected!

I'll let ya know how I get along with norton tonight.


[ QUOTE ]

I see what you mean Jem, but the reason I use the version on the Symantec site is that I always think that if I were designing a virus the first thing I would do would be to make it disable or work WITH Norton so that it goes about its work undetected.

[/ QUOTE ]

So don't use any Norton - the one on the web site is just an ActiveX packaged version of the same underlying code no doubt, so it too may be able to be avoided by a virus. Try Stinger from http://vil.nai.com/vil/stinger/

[ QUOTE ]

There is something to monitor TCP/IP

[/ QUOTE ]

Try TCPVIEW from http://www.sysinternals.com/

[ QUOTE ]

I’m not sure you’ll be able to distinguish between a “check mail” request to a server and a genuine mail being sent. The real geeks will set you right on that.

[/ QUOTE ]

Pulling mail from a POP3 server will use TCP port 110, sending mail to an SMTP server will be on TCP port 25. If you set Outlook up to not auto send/receive during testing, you can then initiate a receive manually and check for activity on port 110, then a send only and check for activity on port 25. If any process other than Outlook Express is making connections on port 25, they are most likely sending mail silently.

Does that qualify me as a real geek?
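As an added example that is not part of the original post: the port check described above, applied to `netstat -ano` style output joined with a PID-to-image-name map. The sample connections, the process list and the name `updater.exe` are constructed; `msimn.exe` is assumed to be the Outlook Express executable.

```python
# Added example: label mail connections by port, then flag SMTP traffic
# that does not belong to the mail client. All sample data is constructed.

MAIL_PORTS = {25: "smtp-send", 110: "pop3-receive"}

# Constructed `netstat -ano` style output (documentation address ranges).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.10:1041      203.0.113.5:110        ESTABLISHED     1320
  TCP    192.168.0.10:1042      203.0.113.5:25         ESTABLISHED     1320
  TCP    192.168.0.10:1055      198.51.100.7:25        SYN_SENT        2044
  TCP    192.168.0.10:1060      198.51.100.9:80        ESTABLISHED     1788
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  UDP    0.0.0.0:1026           *:*                                    1100
"""

# Constructed PID -> image name map, as a process listing would report it.
SAMPLE_PROCESSES = {1320: "msimn.exe", 2044: "updater.exe",
                    1788: "iexplore.exe", 904: "svchost.exe"}

def mail_activity(netstat_text, processes):
    """Return (image, pid, kind, remote_host) for each TCP row on a mail port."""
    rows = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # header, UDP rows and blank lines
        host, _, port = fields[2].rpartition(":")
        if not port.isdigit() or not fields[4].isdigit():
            continue
        kind = MAIL_PORTS.get(int(port))
        if kind:  # remote port 25 or 110 only; listeners have remote port 0
            pid = int(fields[4])
            rows.append((processes.get(pid, "<unknown>"), pid, kind, host))
    return rows

def unexpected_senders(rows, mail_clients=("msimn.exe",)):
    """Keep only SMTP connections owned by something other than the mail client."""
    return [r for r in rows
            if r[2] == "smtp-send" and r[0].lower() not in mail_clients]

if __name__ == "__main__":
    activity = mail_activity(SAMPLE_NETSTAT, SAMPLE_PROCESSES)
    for image, pid, kind, host in unexpected_senders(activity):
        print(f"{image} (PID {pid}) -> {host}:25 is sending mail outside the client")
```

A program that hands its message to the mail client rather than opening its own connection appears under the client's process, so this check alone will not flag it.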


Ok, I ran Stinger last night... nothing... absolutely nothing. So I doubt it's a virus, I wonder if it's a bit of "legit" software telling its makers about something...

I'm gonna stick TCP View on today and let it run, see what it picks up (if anything)

Cheers guys, will let you know if I get anywhere


Problem solved... well kinda...

Turns out MyDynamicIP, a shareware program for keeping DNS entries aligned with the wandering IP address my ISP gives me, was sending out mails. Not sure why, and as I'm not using it anymore I just stopped the service running at startup (til I work out if I need it!).

Finally found it with TDIMon (From Sysinternals, cheers Chris!) and left the PC on for the day... it was definitely doing something that was making Outlook send out a mail although I can't see the text of it using that application.

So, no virus, no trojan, just good ol' shareware probably telling the author I hadn't paid yet...

