
1 - 20 of 27 Posts

·
Premium Member
Joined
·
9,103 Posts
Discussion Starter #1
A while back I ended up with a "virus" in my Mac mail that caused funny things to happen - like the screen flashing etc.
With repeated scans I managed to isolate it to a specific email, trashed the email and the problem was solved.
Post is here
http://www.ehmac.ca/showthread.php?t=35189

Now I have another piece of malware called an "exploit"... whatever that is. It causes the text to go all wiggly to make it unreadable.
ClamXav identifies it as Exploit.IFrame.Gen

Trouble is, it's on a different Mac using Outlook Express as the email client and the messages are all one huge single file, so it's not easy to identify which message it's in.
Any hints from anyone how to remove this "Exploit"?
 

·
Premium Member
Joined
·
9,103 Posts
Discussion Starter #3
CanadaRAM said:
How have you made the link between a Windows exploit from 2003 and the text problem you are having?
Wild guess...no, no, educated guess.

I ran the virus scanner about two weeks ago. Everything was fine then.
After I got the squiggly text in emails, I ran the virus scanner again this morning and this one infected file shows up.
Last time, the email message with the "worm.bagle.gen-zippwd" was relatively easy to identify because in Apple mail you can scan individual messages.
Once I had the message identified, I simply trashed it and the problems went away and stayed away.

This time, when I scanned outlook express, the file the 'exploit' is in is identified, but it's the outlook message file which has all of the mail in it, 700+meg.

So right now my plan is to import all the outlook mail into Apple mail...which I just finished doing (worked well this time, failed when I was still on OS 10.2), back up both the outlook mail and apple mail to a CD or DVD and then run the virus scanner on Apple mail to see if I can identify the specific email causing the problem.

What is an 'exploit' anyway and why would it affect the Mac?
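
As an added example (not part of the original thread, and not ClamXav's own code): once the mail has been exported to a standard mbox file, which is an assumption here, a short Python script can walk the messages one by one and report which ones carry a hidden iframe in an HTML part. The hidden-iframe pattern is an illustrative heuristic, not ClamAV's actual Exploit.IFrame.Gen signature, and the sample mailbox is constructed.

```python
import mailbox, os, re, tempfile

# Heuristic only (an assumption, not ClamAV's signature): an <iframe> tag that
# is 0 or 1 pixel in size, or hidden with CSS.
IFRAME = re.compile(rb"<iframe\b[^>]*>", re.I)
HIDDEN = re.compile(
    rb"""(?:width|height)\s*=\s*["']?[01]\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.I)

def find_iframe_messages(mbox_path):
    """Return (index, date, subject) for each message with a hidden iframe."""
    hits = []
    box = mailbox.mbox(mbox_path)
    try:
        for index, msg in enumerate(box):
            for part in msg.walk():
                if part.get_content_type() != "text/html":
                    continue
                body = part.get_payload(decode=True) or b""
                if any(HIDDEN.search(tag) for tag in IFRAME.findall(body)):
                    hits.append((index, msg.get("Date", "?"), msg.get("Subject", "?")))
                    break  # one hit per message is enough
    finally:
        box.close()
    return hits

# Constructed sample mailbox: plain text, hidden iframe, ordinary visible iframe.
SAMPLE = (
    "From a@example.com Mon Jan  6 10:00:00 2003\n"
    "Date: Mon, 6 Jan 2003 10:00:00 -0500\nSubject: Meeting notes\n"
    "Content-Type: text/plain\n\nSee you at noon.\n\n"
    "From b@example.com Tue Jan  7 11:00:00 2003\n"
    "Date: Tue, 7 Jan 2003 11:00:00 -0500\nSubject: Re: your document\n"
    "Content-Type: text/html\n\n"
    '<html><body>Hi<iframe src="cid:placeholder" width=0 height=0></iframe></body></html>\n\n'
    "From c@example.com Wed Jan  8 12:00:00 2003\n"
    "Date: Wed, 8 Jan 2003 12:00:00 -0500\nSubject: Directions\n"
    "Content-Type: text/html\n\n"
    '<html><body><iframe src="http://example.com/map" width="400" height="300"></iframe></body></html>\n\n'
)

def demo():
    """Write the constructed mailbox to a temp file and scan it."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as f:
        f.write(SAMPLE)
    try:
        return find_iframe_messages(f.name)
    finally:
        os.unlink(f.name)

if __name__ == "__main__":
    for index, date, subject in demo():
        print(f"message #{index}: {date} | {subject}")
```

The date and subject it reports are enough to find the message in the mail client and delete it there, rather than editing the mailbox file by hand.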
 

·
Registered
Joined
·
399 Posts
If you don't know what an exploit is then you have not made an educated guess.
 

·
Premium Member
Joined
·
17,945 Posts
And just to reiterate the point, you do not have a virus or an exploit. There are none. Whatever your problem is, it's related to something else.

On the matter of your original computer, the one with the flashing screen, did you check the "Universal Access --> Hearing --> Flash the Screen when an Alert Sounds" ?

Outlook Express - does that run natively in OS X, or does the Mac you're currently working with use OS 9? Classic?

M
 

·
Registered
Joined
·
968 Posts
krs said:
Wild guess...no, no, educated guess.

I ran the virus scanner about two weeks ago. Everything was fine then.
After I got the squiggly text in emails, I ran the virus scanner again this morning and this one infected file shows up.
Can you post a screen shot of what this squiggly text looks like? Is it readable, or just a bunch of garbage text?
krs said:
Last time, the email message with the "worm.bagle.gen-zippwd" was relatively easy to identify because in Apple mail you can scan individual messages.
Once I had the message identified, I simply trashed it and the problems went away and stayed away.
For the record, worm.bagle.gen-zippwd is a Windows virus. You had it on your Mac, but all it was was an attachment. It can not infect your Mac.

krs said:
This time, when I scanned outlook express, the file the 'exploit' is in is identified, but it's the outlook message file which has all of the mail in it, 700+meg.

So right now my plan is to import all the outlook mail into Apple mail...which I just finished doing (worked well this time, failed when I was still on OS 10.2), back up both the outlook mail and apple mail to a CD or DVD and then run the virus scanner on Apple mail to see if I can identify the specific email causing the problem.

What is an 'exploit' anyway and why would it affect the Mac?
Does the virus scanner actually tell you what the "exploit" is it found? Again, if it caught it is most likely a Windows virus as there are no viruses for Mac OS X, nor malware like you'd see on a typical Windows PC.

Trev
 

·
Premium Member
Joined
·
9,103 Posts
Discussion Starter #7
CubaMark said:
And just to reiterate the point, you do not have a virus or an exploit. There are none. Whatever your problem is, it's related to something else.

On the matter of your original computer, the one with the flashing screen, did you check the "Universal Access --> Hearing --> Flash the Screen when an Alert Sounds" ?

Outlook Express - does that run natively in OS X, or does the Mac you're currently working with use OS 9? Classic?

M
CubaMark -

All I know is that the virus scanner came up 'no files found' two weeks ago.
After I got the squiggly text, I ran it again and now it says one infected file found with the description I gave in my first post.
ClamXav is picking something up that wasn't there two weeks ago.
Grant you, maybe the squiggly text and this 'exploit' is unrelated - I guess I'll find out as soon as I identify the culprit email and trash it.

As to the original 'flashing screen' problem. Yes, I did check Universal Access. Someone had suggested that in the previous post. But there was nothing set.
Don't you find it strange that after I deleted the email that ClamXav identified previously and the problem went away?

For Outlook Express I'm using classic with OS 10.4.3
 

·
Premium Member
Joined
·
9,103 Posts
Discussion Starter #8
TrevX said:
For the record, worm.bagle.gen-zippwd is a Windows virus. You had it on your Mac, but all it was was an attachment. It can not infect your Mac.
All I know is that the problem went away after I deleted the email that was identified as having the virus. That was on Apple mail with OS 10.3.9

Does the virus scanner actually tell you what the "exploit" is it found? Again, if it caught it is most likely a Windows virus as there are no viruses for Mac OS X, nor malware like you'd see on a typical Windows PC.
Trev - I mentioned that in my first post. I have no doubt it's a Windows virus, but it does seem to affect the Mac.

ClamXav identifies it as Exploit.IFrame.Gen
 

·
Premium Member
Joined
·
15,708 Posts
Before Tiger, I had Norton AV installed. It would find viruses (virii) in email attachments, even though they absolutely could not harm the Mac that contained them.

With Tiger, Norton AV went into the trash, and not easily at that. There is no reason to have it installed. Kiss your virus application goodbye.
 

·
Registered
Joined
·
968 Posts
krs said:
Trev - I mentioned that in my first post. I have no doubt it's a Windows virus, but it does seem to affect the Mac.

ClamXav identifies it as Exploit.IFrame.Gen
Sorry, missed that.

As for Exploit.IFrame.Gen, check here: http://www.f-secure.com/v-descs/iframe.shtml.

Windows Only.

Trev
 

·
Premium Member
Joined
·
9,103 Posts
Discussion Starter #11
TrevX said:
Sorry, missed that.

As for Exploit.IFrame.Gen, check here: http://www.f-secure.com/v-descs/iframe.shtml.

Windows Only.

Trev
Oh man - this is fun!

Turns out the exploit is in an email received back in 2002 - so that was false alarm - sorry about that.
Tried to take a picture of the screen, but that doesn't show the problem - the whole screen is wiggling, so a snapshot won't show this - I would have to take a movie clip.
However, ClamXav also found this in the Apple mail folder - Worm.Bagle.BO. I'm trying to isolate the email now to see which one it is and then trash the email to see if the problem goes away.

Many thanks for the help and all the comments.


 

·
Premium Member
Joined
·
9,103 Posts
Discussion Starter #13
HowEver said:
Just a personal preference, krs, but you know you are allowed to change that desktop image, yes?

And the U.S. flag can be replaced with a Canadian one. Just me, perhaps.
That's the way the Mini came - ordered from the Canadian Apple store around May of last year.
What changes when you change the flag? Anything?
Wasn't that related to the keyboard layout at one time...CSA...where you ended up with a "French" keyboard?
I can certainly change it - never actually really noticed it.
 

·
Premium Member
Joined
·
3,895 Posts
krs said:
Tried to take a picture of the screen, but that doesn't show the problem - the whole screen is wiggling, so a snapshot won't show this - I would have to take a movie clip.
Ah OK.

Did you move a speaker, or a lamp, or anything with a transformer close to your monitor or your monitor cable? Did you reposition the screen on your desk? Are there AC cables in the wall behind your monitor? Whole screen wiggling sounds like EM interference to me. Not a likely result of a Windows Bagle...;)
 

·
Premium Member
Joined
·
15,708 Posts
Goodbye United States flag:

System Preferences > International > Input Menu

. check "Canadian" for Canadian English, if you wish

. at the bottom, un-check "Show input menu in menu bar"

. flag disappears.

Canadaram: good call on the wiggly lines. Perhaps nearby hydroelectric power lines have been activated recently also.

No need for the tin hat this time!
 

·
Premium Member
Joined
·
9,103 Posts
Discussion Starter #16
CanadaRAM said:
Ah OK.

Did you move a speaker, or a lamp, or anything with a transformer close to your monitor or your monitor cable? Did you reposition the screen on your desk? Are there AC cables in the wall behind your monitor? Whole screen wiggling sounds like EM interference to me. Not a likely result of a Windows Bagle...;)
All good points.
The Mac with the problem is in Montreal, I'm in Belleville.
Makes trouble shooting a bit awkward via phone.

Would EMI affect an LCD monitor?

In any case - once I hear back about the email with this 'worm', I can check the things you mentioned above.
I think it's also possible that the video circuitry on the Mini went haywire.

I just find it odd that this 'worm' wasn't on the Mini two weeks ago and now it's raised its ugly head.

BTW - I assume everyone read about the Feb 3rd Kama Sutra worm - wonder if that is really going to be as bad as they expect.
http://edition.cnn.com/2006/TECH/internet/01/31/kamasutraworm/index.html
 

·
Registered
Joined
·
5,976 Posts
KRS, I used to work in a fairly large IT department so I know a bit about what might be going on.

From reading between the lines, it seems to me that you are trying to maintain more than one computer - some of them Macs and that these computers are used by different people in different places.

Further, from things you've said, I get a feeling that you are not that familiar with Macs.

I have a question - why are you running a virus scanner?

And, do these other people you work with like to play practical jokes? Do they kind of kid you a bit?

My guess is that there's nothing wrong with those Mac computers that a pitcher full of ice cubes down the shorts of some sadistic practical joker wouldn't cure.

Margaret
 

·
Premium Member
Joined
·
9,103 Posts
Discussion Starter #19 (Edited)
All right Margaret -

Let me quickly explain.
I have five Macs in the family used by five different people, me, my wife and three kids. Two Macs are in Belleville, two in Montreal and one in Toronto.

I'm reasonably familiar with Macs - what doesn't help is that Apple keeps changing the user interface as they evolve from OS 10.2 to 10.3 to 10.4, so it's sometimes not that easy to explain to someone remotely what to do if they are on a different OS.

As to the virus scanner, I don't have it active normally, I only run it if there is a problem. Macros can affect a Mac as well, as I understand it, and the last time trashing an infected email resolved a strange screen problem.
I know everyone thinks it was something different - fact remains after the email was gone, so was the problem. I was actually at that computer, saw the problem and saw it disappear.
This one may be different. Don't know yet, but if there is a virus/worm I might as well get rid of it. I scanned my own mail file of the last 5 years and found six infected files. They didn't cause any problems as far as I know, but I trashed them anyway.

And no, no practical jokes here - I can guarantee you that.

Anyway - I hope to get to the bottom of the issue tomorrow.

BTW - what specifically makes you say I'm not that familiar with Macs...or did you really mean OS X?
 

·
Premium Member
Joined
·
5,247 Posts
" ... Macros can affect a Mac as well, as I understand it, and the last time trashing an infected email resolved a strange screen problem. ..."

There is no way a Microsoft Word or Excel malformed macro can cause screen problems. They simply don't have the ability to do it.

If all of the following is true:
The infected eMail contained an old Microsoft Word or Excel file,
You have Microsoft Word and/or Excel installed on the computer;
The version of Word and/or Excel will run on OS9 or earlier but not under OSX except via Classic;
You double-clicked the attachment, which caused Classic, OS9.2 and Word or Excel to launch and the infected document to open;
... then the macro might have affected your old version of Word or Excel in an annoying but non-destructive manner. It cannot affect the OS, other applications, or your documents, and especially cannot affect the screen display whatsoever.

If even one of the above is not true, it's impossible for a macro to have any effect whatsoever on your OSX Mac. If they all are true, you can eliminate any threat by launching Word and Excel and disabling macro functions. You will then be invulnerable to them.

Do not confuse the sun going down with your need for sleep. The two are coincidental, not proof that one causes the other.

The Bagle worm affects Windows systems only, as will the Kama Sutra worm. It's a good idea to scan for viruses and delete them, but only as a favour to Windows users. They cannot do anything to your Mac whatsoever.

CRTs can be affected by magnetic fields but LCDs cannot, so if you have an LCD screen it's not magnetic or electromagnetic interference (or EMI). Personally, I would ensure the video card is well seated and the connectors are not loose. They are far more likely to be the cause than any virus, worm, or macro.

Exploit.IFrame.Gen is a vulnerability that affects users who use Microsoft Internet Explorer on Windows. That particular name is used by ClamAV while most other AV applications have different names for it (AV companies make up the names themselves and they are not consistent from one application to another, even though they may be identifying the same thing, the names vary). It is a backdoor affecting Windows systems only; it cannot be the source of any problems on your Mac.

I think you are right to have your AV application clean your eMails when it finds a problem, so that you don't spread them to others who might be affected if they run Windows, but aside from that, forget about viruses and malware completely, because they are definitely not the cause. You would be better off trying to find the real issue rather than chasing ghosts; "fixing" these eMail attachments cannot be the solution because they cannot be the problem.
 