GetMyData Results - Second virus scan


Nightowl >8#

MALWARE, VIRUSES & MORE FOUND IN ZIPPED GETMYDATA FILES

Someone sent this to me:

This was a scan of GMD download files from various volunteers. All files were left in their original zipped containers as received from Verizon. I used Norton 360 virus software which scans inside zipped files.

4,600 Groups containing roughly 107 million 'items' (Norton counted each mbox.001 file as one item). Norton flagged approximately 3,003 security risks - GetMyData results include messages, files and links.
Note: not every item flagged by Norton is a virus/trojan/spyware, but I instructed Norton to either remove or quarantine them all.

2950 Virus
52 flagged by the Heuristic Virus Scan
1 Spyware
Sample Virus:
Filename: Unknown00858D14.data
Threat name: WScript.KakWorm

Full Path: C:\Users\XXXX\013ed2fc26c662f9e54af34840088fb71ade92790f221d724125ea3739934c07.zip
Startup Item No
Launched No
File Thumbprint – SHA:
f58371ef347343cf42345fc9a5fe6e21242570b29d5788e8893735d0a50cf328
File Thumbprint – MD5:
a1fb7c491c7330d9b7ebeb32e6503813
SPYWARE
Filename: files.zip
Threat name: Spyware.CometCursor

Full Path: C:\Users\XXX\36fca5f8b69ba6ca49dd77e0e23b8197dbd94cabe146c2ccc74862d34c320e1b.zip
Startup Item No
Launched No
Threat type: Spyware. Programs that actively track and send personal or confidential information to third parties.
TROJAN
Filename: 043737558629 MMS.zip
Threat name: Trojan Horse
Full Path: C:\Users\XXX\36fca5f8b69ba6ca49dd77e0e23b8197dbd94cabe146c2ccc74862d34c320e1b,zip
Startup Item No
Launched No
Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.
Mature: This file was released 2 years 6 months ago
I am doing a second system scan and will then follow up with a Malwarebytes scan and will report back.

My second scan of the entire Desktop PC came up with around 300 flagged security risks. 2 flags were from the full GMD files which I had not yet un-zipped. GMD files can average around 2 GB each and contain smaller zipped folders, one for each group. Because of their size, Norton said the full GMD files were too large for them to extract the 3-4 suspicious files and wanted to delete the full file entirely. Obviously I will not be unzipping these full GMDs nor will I be deleting them. I am sending them to someone who runs Linux and they will use the Norton report to track down the specific subfolders inside the zipped GMDs to remove the flagged items.
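The Linux-side job described above (use the scanner report to locate flagged items inside the zipped GMDs without unpacking 2 GB archives) can be done by hash. The script below is an added example, not code from the thread or from Verizon or Yahoo. It assumes the layout the posts describe: one large GMD zip holding one zip per group, each holding messages.zip, files.zip and links.zip, and it matches items by SHA-256 thumbprint (the field Norton prints), so nothing is written to disk and no member is opened. The sample archive and its flagged hash are constructed here and are not real indicators; the nesting limit is an assumption added to keep a malformed archive from recursing forever.

```python
"""Find and strip scanner-flagged items inside nested GetMyData zips.

Added example; not code from the thread or from Verizon/Yahoo. Assumes the
layout described in the posts (GMD zip -> per-group zip -> messages.zip /
files.zip / links.zip). Flagged items are matched by SHA-256 thumbprint, so
nothing inside the archive is extracted or opened. Sample data is constructed.
"""
import hashlib
import io
import zipfile

MAX_NESTING = 4  # assumption: do not descend into zips nested deeper than this


def _is_inner_zip(name, data):
    return name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data))


def iter_entries(zip_bytes, prefix="", depth=0):
    """Yield (virtual_path, data) for every non-directory member, descending
    into inner zips in memory. '!/' marks each nesting level in the path."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            path = prefix + info.filename
            if depth < MAX_NESTING and _is_inner_zip(info.filename, data):
                yield from iter_entries(data, path + "!/", depth + 1)
            else:
                yield path, data


def find_flagged(zip_bytes, flagged_sha256):
    """Return [(virtual_path, sha256)] for members whose hash is in the set."""
    hits = []
    for path, data in iter_entries(zip_bytes):
        digest = hashlib.sha256(data).hexdigest()
        if digest in flagged_sha256:
            hits.append((path, digest))
    return hits


def rebuild_without(zip_bytes, flagged_sha256, depth=0):
    """Return (new_zip_bytes, dropped): a copy with flagged members removed at
    every nesting level; inner zips are rebuilt in memory, not extracted."""
    dropped = 0
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.is_dir():
                continue
            data = src.read(info)
            if depth < MAX_NESTING and _is_inner_zip(info.filename, data):
                data, n = rebuild_without(data, flagged_sha256, depth + 1)
                dropped += n
            elif hashlib.sha256(data).hexdigest() in flagged_sha256:
                dropped += 1
                continue
            dst.writestr(info.filename, data)
    return out.getvalue(), dropped


def _zip_of(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_gmd():
    """Construct a tiny GMD-shaped archive and the hash of its one 'flagged'
    message item (constructed data, not a real sample or real IoC)."""
    flagged = b"constructed stand-in for a message a scanner flagged\n"
    group_a = _zip_of({
        "messages.zip": _zip_of({"mbox.001": b"From alice\nhello\n"}),
        "files.zip": _zip_of({"readme.txt": b"benign attachment\n"}),
    })
    group_b = _zip_of({
        "messages.zip": _zip_of({"mbox.001": b"From bob\nhi\n",
                                 "mbox.002": flagged}),
        "links.zip": _zip_of({}),
    })
    gmd = _zip_of({"groups/alpha/alpha.zip": group_a,
                   "groups/beta/beta.zip": group_b})
    return gmd, hashlib.sha256(flagged).hexdigest()


if __name__ == "__main__":
    gmd, bad_hash = build_sample_gmd()
    for path, digest in find_flagged(gmd, {bad_hash}):
        print(f"flagged: {path} sha256={digest}")
    cleaned, n = rebuild_without(gmd, {bad_hash})
    print(f"removed {n} item(s); cleaned archive is {len(cleaned)} bytes")
```

With a real report, `flagged_sha256` would be the set of SHA thumbprints the scanner printed; the virtual path in each hit names the group zip and the inner messages.zip member, which is exactly the "specific subfolder" the post wants to track down. Hashing whole members means an mbox.001 that contains one bad message is flagged as a unit, matching how Norton counted each mbox.001 as one item.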


pg
 

At this point I am on my third set of GMD files. I have unpacked the first two - requests filled 2 weeks apart - and then unpacked some of the messages, files, and links Zips.

I think the right thing to do is to unzip each GMD Zip file BUT - be careful at the next step.  At this point you have a LOT of Zip files. Messages.zip. Files.zip. Links.zip. Maybe Attachments.zip. 

The Links files are worthless. There have not been any actual links in any of the Links.zip files I have opened. 

The Files sections are unlikely to contain malware, as Yahoo used to scan things on upload.  

The Messages zips might contain malware. Some of you have been around long enough to remember a couple of episodes of system wide attacks. 

My malware detector tripped as one of the 2 GB zips was being unzipped - but I think I know why: a few of the groups I am on were hit by a malware attack years ago that generated a lot of messages, each containing a trojan. A moderator tried to delete them all but only had to miss one of the 100 or so messages to cause a tripped malware detection now.

Remember that thing that tried to find all your groups and send itself to all of them? That was fun, yes? No. And it's still out there, inside some of the messages.zip files - maybe - or in an Attachment.

My approach: open nothing until it's been scanned by Malwarebytes or Norton or whatever you trust. I have MS Defender set to scan everything automatically.  

I think I am going to run all the Messages files through Malwarebytes. 

On Tuesday, December 17, 2019, 11:59:48 PM EST, Nightowl >8# <featheredleader@...> wrote:


Morgan just sent this to me. I think we should warn users not to open
their files they get from Verizon.


-------- Forwarded Message --------
Subject:     Re: GetMyData Results - Second virus scan
Date:     Tue, 17 Dec 2019 18:40:02 -0800
From:     Morgan Dawn <morgandawn@...>
To:     Archiver1 Fandom <archiver1.fandom@...>, Maggie
<thejackcat@...>, Andrew Ferguson <andrewferguson500@...>,
Brenda Fowler <nightowl713@...>, Doranwen <doranwen7@...>



My second scan of the entire Desktop PC came up with around 300 flagged
security risks. 2 flags were from the full GMD files which I had not
yet un-zipped. GMD files can average around 2 GB each and contain
smaller zipped folders, one for each group. Because of their size,
Norton said the full GMD files were too large for them to extract the
3-4 suspicious files and wanted to delete the full file entirely.
Obviously I will not be unzipping these full GMDs nor will I be
deleting them. I am sending them to Doranwen who runs Linux and she
will use the Norton report to track down the specific subfolders inside
the zipped GMDs to remove the flagged items (I am copying her on this
message).

*Important note:* Nowhere did Verizon warn its users about the security
risks in the contents of their GMD (especially as they were touting it
as a sufficient alternative to actually offering complete backups of our
Yahoo Groups). Your average user will be completely vulnerable. Most -
but not every - virus program will scan inside zipped files, and some
that do turn off scanning compressed files due to the length of time it
adds to each scan.
MD






Elizabeth McKenzie
 

Brenda,

I use Sophos and got the same.  Out of 12, 2-GB zip files, the first file was clear.  Like Morgan, I got alerts for several others, which I haven't unzipped.  One odd thing was out of the other clear ones, two of them were exact duplicates of the first one.  At first I suspected that Sophos had cleaned the files and made a clean copy each time I scanned, because I did happen to see a notice flash in the corner of the screen from Sophos that something had been cleaned, but there are still only 12 zip files in that directory.

This is the malware Sophos found in the zip files I received from Yahoo.

Troj/GF135-A (4 times)
W32/Chir-B (once)

Elizabeth



 

I finally got the notice to download my files. Took a while but I have a 1.4GB download, zipped. There is probably more but this is all Yahoo gave me. My previous attempts a week or so never resulted in anything. What should I do with this zip file to make sure it is clean. I have Norton and Malwarebytes. I am using a Mac, right now and am not really familiar with how to do things like check a zip file.

Susan B



David Burton
 

If you have a particular suspicious file (not a .zip file, just one of the files extracted from a .zip file), which you fear might be infected with something evil, you can upload it to VirusTotal, and they'll check it with a couple of dozen different antivirus tools. (There are a few alternatives to VirusTotal, but I don't know which of them are good.)

If all but a few of the antivirus products pass it, and it's an old file, then it's probably okay, and it's just a "false positive" by those few products. ("Fresh" suspicious files, seen for the first time, might be evil even if only a few products flag them, but within a few weeks of a virus's release it'll probably be included in most of the leading antivirus products' databases.)

Dave
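A hash-first version of Dave's procedure, as an added example that is not code from the thread or from VirusTotal. Two things in it are real: SHA-256, and the hash-search URL form https://www.virustotal.com/gui/file/<sha256>. Looking a file up by hash before uploading it is the practitioner's caveat to the post: an upload shares the file with the service and its partners, and items from a GMD are other people's private group messages. The verdict thresholds (`few_ratio`, `fresh_days`) are assumptions that encode the post's rule ("old file, only a few engines flag it: probably a false positive; freshly seen file: suspicious even on a few hits"); the "Mature: released 2 years 6 months ago" line in the Norton report above is the kind of age input the rule needs.

```python
"""Hash-first triage of one extracted file, following the heuristic in the
post above. Added example; not code from the thread or from VirusTotal.
Real: SHA-256 and the hash-search URL form. Assumed: the thresholds.
"""
import hashlib

VT_FILE_URL = "https://www.virustotal.com/gui/file/{sha256}"  # real URL form


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream-hash a file so a multi-GB item never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def lookup_url(sha256_hex):
    """Hash-search URL: consult existing verdicts without uploading content."""
    digest = sha256_hex.lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("expected a 64-hex-digit SHA-256")
    return VT_FILE_URL.format(sha256=digest)


def triage(detections, engines, age_days, few_ratio=0.1, fresh_days=30):
    """Apply the post's heuristic to a multi-engine result.

    detections: engines that flagged the file; engines: engines that scanned
    it; age_days: how long the file has been in circulation.
    few_ratio / fresh_days are assumed thresholds, not the post's numbers.
    Returns 'clean', 'likely_false_positive' or 'treat_as_malicious'.
    """
    if engines <= 0 or detections < 0 or detections > engines:
        raise ValueError("inconsistent detection counts")
    if detections == 0:
        return "clean"
    only_a_few = detections <= max(1, int(engines * few_ratio))
    if only_a_few and age_days > fresh_days:
        return "likely_false_positive"
    # a freshly seen file gets no benefit of the doubt; many hits never do
    return "treat_as_malicious"


if __name__ == "__main__":
    # constructed stand-in for one file extracted from a messages.zip
    sample = b"From someone@example.invalid\nSubject: test\n\nhello\n"
    digest = sha256_of_bytes(sample)
    print("sha256:", digest)
    print("look up first:", lookup_url(digest))
    # 2 of 60 engines flag a file released ~2.5 years ago (about 912 days)
    print("old file, 2/60 hits:", triage(2, 60, 912))
    print("3-day-old file, 2/60 hits:", triage(2, 60, 3))
```

If the hash is unknown to the service, nothing has been shared yet and the decision to upload can be made deliberately; if it is known, the engine counts and the first-seen date go straight into `triage`.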












Nightowl >8#
 

Okay, this is getting serious. I think we need to make a page on the blog, and send people to it so that they don't run into these problems.

I'll leave names out but I'll put info up there.

Gonna be a busy owl tonight.

Brenda


Nightowl >8#
 

David, I'm going to inform Verizon about the security issue with moderation and protections for the groups. Did you ever find out when the next shareholders meeting is? Or do you have someone maybe who runs the meeting that I could contact?

Brenda


Elizabeth McKenzie
 

After reading Dave's message, I ran a quick scan with Trend Micro Housecall, which says no threats found.  I'm still not going to open those other zips until I run at least one more scan, but this makes me feel better.  It could be Sophos did clean them.

Elizabeth

