Solved

Trojan today


Userlevel 3
I didn't think I would be back so soon after two posts about things that were resolved and neither turned out to be a WRA problem. This one I feel like I owe it to report. I don't know how I could have been so stupid, but I got an email telling me someone had changed the settings on my American Express account and to click the link if this wasn't true. I scratched my head and clicked the link, but here is why I have to report it: it was Avast that popped up telling me I was hit with a Trojan Horse.
 
Here is the link to the Avast web page that I got by way of going to the links within my Avast program:
 
 
 
http://www.avast.com/en-us/lp-pr-virus-alert?p_ext=&utm_campaign=Virus_alert&utm_source=prg_ise_70_0&utm_medium=prg_systray&utm_content=.%2Fpaid%2Fen-us%2Fvirus-alert-default&p_vir=JS:Redirector-RO%20[Trj]&p_prc=C:Program%20FilesMozilla%20Firefoxfirefox.exe&p_obj=http://www.mrelgin.com/3STa3Me/index.html&p_var=.%2Fpaid%2Fen-us%2Fvirus-alert-default&p_pro=2&p_vep=7&p_ves=0&p_lqa=0&p_lsu=24&p_lst=0&p_lex=450&p_lng=en&p_lid=en-us&p_elm=7&p_vbd=1466
 
 
The one that hit me is:
 
JS:Redirector-RO [Trj]
 
I took Avast off two of my machines and was ready to take it off this computer in the basement and then it hit. I did a WRA scan after that and it came up clean. Would WRA have found it if Avast didn't? Now I am wondering if I should continue to run both programs on all machines.
 
 

Best answer by JimM 19 September 2012, 20:55

The reason Avast will have got to it first is that if you have another antivirus program on your computer, WSA is smart enough to know that the other antivirus program is a good program just trying to do its job for you. So rather than trying to argue with that program and trump it, it will just let it work for you. Webroot was still there for you if it was needed.

Also, that's a javascript redirector - not a file that was dropped. WSA allowed Avast to cut the attempted infection off at a point prior to when it would have tried to drop a malicious file onto the computer. So when you did the scan with WSA after the fact, there was no infection there to find because it never landed on the computer to begin with.


12 replies

Userlevel 3
Thank you for the good explanation. I may leave a couple with Avast and a couple without it as a test. I am very happy I got WRA, plus doing the scans is not a pain when they need to be done. I do know that you are not supposed to click a link like that in an email and ordinarily I would not have done it. We just started using AM EX regularly. We use it only for gas at Costco for a 3% rebate. I just paid my bill yesterday and I couldn't figure out how the settings could have been changed so I did the thing I preach against all the time.
Userlevel 7
Also I would like to add that the email you got is a Phishing Email, and here is how it works. It's a nasty circle!
 
HTH,
 
TH
Userlevel 3
By the way, I was trying to figure out why you said:
 
Also, that's a javascript redirector - not a file that was dropped.
 
I reread it and did not see where I used the word file.  I have to confess ignorance, because I wasn't sure how to word my post but when I looked at the link it uses the word file in there.  I had copied the whole URL and I see from another machine that the first part is clickable, but I am not sure how that other part got there.  I am talking about this part here:
 
Program%20FilesMozilla%20Firefoxfirefox.exe&p_obj
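Added example, not part of any poster's reply and not Avast or Webroot code: the fragment asked about above is one of several query-string fields in the Avast alert URL, and this Python sketch decodes them and defangs the flagged address for safe sharing. The field labels are assumptions inferred from the parameter names and values, and the sample URL is the one from the first post trimmed to the fields of interest.

```python
from urllib.parse import urlsplit, parse_qs

# Alert URL from the first post, trimmed to the fields of interest
# (constructed sample; the remaining utm_* and numeric p_* fields are omitted).
ALERT_URL = (
    "http://www.avast.com/en-us/lp-pr-virus-alert?p_ext=&utm_campaign=Virus_alert"
    "&utm_medium=prg_systray&p_vir=JS:Redirector-RO%20[Trj]"
    "&p_prc=C:Program%20FilesMozilla%20Firefoxfirefox.exe"
    "&p_obj=http://www.mrelgin.com/3STa3Me/index.html&p_pro=2&p_lng=en"
)

# Assumption: meanings inferred from the names and values seen in the URL,
# not taken from Avast documentation.
FIELDS = {
    "p_vir": "detection_name",
    "p_prc": "reporting_process",
    "p_obj": "flagged_object",
}


def defang(url):
    """Make a URL non-clickable so it can be pasted into a ticket or post."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def parse_alert(url):
    """Return the alert host and the decoded detection fields of an alert URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)  # percent-decodes values, drops blank ones
    report = {"alert_host": parts.hostname}
    for key, label in FIELDS.items():
        values = query.get(key)
        report[label] = values[0] if values else None
    if report["flagged_object"]:
        report["flagged_object"] = defang(report["flagged_object"])
    return report


if __name__ == "__main__":
    for name, value in parse_alert(ALERT_URL).items():
        print(f"{name:18} {value}")
```

The `firefox.exe` text is the value of the `p_prc` field, which names the program the alert was raised in; the address after `p_obj=` is what was flagged.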
Userlevel 3
TH,
 
I use MailWasher on all my machines and it showed up as a PHISHING email, but I see a lot of warnings on my regular emails, so I ignored it.  I suppose I have to learn this stuff a little better, thanks for the links.  That was why I said I should have known.
Userlevel 7
The purpose of a fraudulent email of this nature is typically going to be to direct you to a website that hosts malware. At which point, that website will try to drop that malware payload on your computer as an executable file. It never got to the point where it tried to drop the payload, so there was no file present for WSA to detect during your scan.

Although we do have anti-phishing capabilities that are not dependent on executing a file, that falls under the first part of the explanation as to why Avast was able to act on it first.

What I was getting at was, worst-case scenario, let's say for the sake of argument that the phishing email took you to the redirect successfully and the malware host attempted to drop the malware on the computer. At that point (assuming again that Avast didn't want to act first since WSA would let it), WSA would have caught that malware deposit. In fact, you wouldn't have even needed to run a manual scan for that to happen. WSA would have acted on its own immediately.
Userlevel 7
Hello slhayes,
 
I also have an American Express card from Costco that I use. Something similar happened to me a few months ago. I got an email (Looked Real) from AM EX stating that I had too many failed logins to my account. They wanted me to "Click the link" and update my account or account is subject to close. The email looked real, had my name and last 4 numbers of my account. I never clicked the link, instead I called AM EX on the telephone and my account was good, no failed logins and the only logins to the account were from me. I received about 4 more false emails from AM EX (The Hacker) and they finally gave up sending emails. I never click links to incoming emails about $$$ accounts. There are too many slick hackers out there now-a-days. I'm sure that if I would have clicked it, WSA would have caught it. ;)
 
 
Userlevel 3
Believe me I am supposed to know better, we have a GM card because my husband retired from GM and it gives us money for when we buy a new car, at around 5 years and several times they have shut down our card because of a charge we made that they saw as suspicious.  A couple of times it was because of someone trying to access our account.  There was one that I found after my daily balance check where someone made about 4 or 5 charges to motels in Alabama for very small amounts. Like under a dollar to no more than a dollar and some cents.  I called them that time and it turned out that they had caught it their end too because whoever did it also put an electronic charge for a couple hundred on our account.  When they stop our account they will call and then make me verify several purchases.  We had other purchases going back as much as 30 years that were not done by us.  We never had to pay a cent on any, but as they talk more and more about identity theft it makes you really leery.  I have been trying to find out how to protect our bank accounts, so far all we did was sign on for a checking account that gives us partial protection and I am trying to decide what else to do, since nothing can give you 100% protection.  This is what has made me sign up for WRA because I use the computer to access all our financial information.  We aren't rich but we do have savings that would hurt like hell if someone got into our accounts.
Userlevel 7

@slhayes wrote:
This is what has made me sign up for WRA because I use the computer to access all our financial information.  We aren't rich but we do have savings that would hurt like hell if someone got into our accounts.

Same here, I know the feeling. They can call me paranoid, but I check all our banking accounts 3 or more times a day. Morning, afternoon and before bed. :D
Userlevel 7

@ProTruckDriver wrote:

@slhayes wrote:
This is what has made me sign up for WRA because I use the computer to access all our financial information.  We aren't rich but we do have savings that would hurt like hell if someone got into our accounts.

Same here, I know the feeling. They can call me paranoid, but I check all our banking accounts 3 or more times a day. Morning, afternoon and before bed. :D

And that's why we use WSA with Identity Shield to keep the nasties from seeing our online Banking and Transactions and keeping our personal information safe! ;)
 
TH
 
Userlevel 3
Thanks to all of you, now if I can keep myself out of trouble for 24 hours.
Userlevel 7

@slhayes wrote:
Thanks to all of you, now if I can keep myself out of trouble for 24 hours.

We are always here to help! ;)
 
Cheers,
 
TH
 
