Solved

Could a virus be causing email app to split files up?

Posted on 2004-03-23
Last Modified: 2013-12-04
This is very weird.
A client on a win2K machine using the latest office 2003 version of Publisher creates a newsletter which she emails. When she sends it to me, I get 3 messages with a large page of machine language gobbledygook. Other people she sends to also get the same three files in the message body. All except one guy at the office who gets the file just fine. He is one of 3 recipients in the office and the only one who can read it. All but the creator of the message are XP computers and all are running the same version of Office-Pro 2003.

I have uninstalled and reinstalled and for a short time it worked OK. However after a few days the problem resurfaced and remains.

All of the computers have Norton AV corp ver 8 and have no hits at the moment on the virus activity log. However, the win2k box that created this file did have some trojan activity a while back that was very hard to remove. I have run scans in safe mode and done online scans with Trend Micro that found virus activity that Norton missed.

I'm feeling like this might be a virus related issue but I can't identify it. If anyone has dealt with this issue in the past I would appreciate hearing about it. I posted this on the win2K OS board but after 3 days no hits.

Hope I wasn't too long here

Eric
Question by: ehanner
Expert Comment by: ghana (LVL 11)
No, this doesn't sound like a virus problem. I assume the email applications don't use the same format. When I create a nice looking mail with Incredimail the result for the recipients will be totally different - relating to the mail applications they use to display the message.

I would check whether all recipients use the same mail application and Internet Explorer version as the sender and would review the settings of these applications. They should be the same on all machines. And please check the patch status on all machines. Some patches/service packs will change the behaviour for mail handling because of security reasons.

Hope this helps.
Author Comment by: ehanner
ghana,
I wish it were that simple.  I set up everything and everyone is up to date with patches and all stations are running the same version of Office and Outlook. What really gets me is that 2 identical new XP computers sitting a few feet from each other on the same network switch, get differing results when they are sent .PUB files from another LAN user. Only one person including someone out of the system can open the file.
Expert Comment by: ghana (LVL 11)
That means the .PUB file (Microsoft Publisher) can be opened on one computer but not on the other one? I would try whether opening the file is user dependent. Let the user that is able to open the file on his/her computer go to the other computer, log on with his/her domain account. Will this work?

Which message appears for those users that are not able to open the file?

I still don't expect a virus to cause this, because you have scanned your computer for viruses. But just make this sure: Did you configure your antivirus software to scan ALL files including compressed ones?
Expert Comment by: trywaredk (LVL 12)
Disabling Attachment Security in Microsoft Outlook
Sometimes security can be taken too far. In an effort to protect users from themselves, Microsoft has prevented anyone from using a default installation of Office XP and Office 2003 from opening certain types of attachments in Outlook. These include all .EXE, .DLL, .VBS, and .COM files plus many more. In a technical environment, or one where virus protection is in use, this is downright annoying.

To disable the banned attachments feature in Microsoft Outlook:

Office XP: Use a registry editing tool to navigate to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security

Office 2003: Use a registry editing tool to navigate to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security

Insert a value with the following details:
Data Type: SZ
Value Name: Level1Remove
Value: Semi-colon delimited list of file extensions you wish to allow, e.g.:
.exe;.dll;.com;.bat;.vbs;.asp;.html;.url;.htm;.asa;.inc;.css;.msi;.cab

Restart Outlook for the changes to take effect.

http://www.sanx.org/tipShow.asp?articleRef=2

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
Author Comment by: ehanner
Trywaredk,
It's not that only one can open the file, only one gets just one message with the usable .PUB file. Everybody else gets 3 messages, each has an attachment, none of which are .PUB files. Also, the message body is filled with a large page of machine language type characters.

The trouble has to be with the sending computer.  I'm thinking the issue must be with outlook somehow. It seems to be selecting one account to send normally and creating something else for the rest of the recipients. For what it's worth, the guy who can read the file and the guy who can't are both using a company account so they have the same address after the @ sign.

Also above someone mentioned user accounts, this is a workgroup. Plus when I get the set of messages they scan clean and are also unreadable.
Expert Comment by: SunBow (LVL 24)
Not a virus but potentially the scanner, I'm with trywaredk on targeting that area next, but do make sure you identify whether this is a single problem or not, as I was initially thinking it was gateway.

Make sure all are sent same physical eMail, all listed as "to". Next send each one individually, and next send to everyone except the one who receives so well.

Make sure the sender attaches the file, that it is not embedded. Make sure there is one (min) complete sentence. Make sure it is not sent to mailing list.

Now it could also be server side, if you are all using same sending and receiving servers. Check the way it manages attachments, what protocols users are running, access methods, (look at LogonID@server), MIME handling and antivirus pattern matching. Some server side AV will split file, maybe scanning and your name is similar to some from viruses, so you should also try sending with the A/V out of service, many need updates.

Best Guess: by now you've maybe resolved and checked out the desktops well (laptops? docking station problem?) so I vote for server being the best candidate for problem, maybe different protocol or a/v behavior. Upgrade.
Expert Comment by: trywaredk (LVL 12)
It's a wild guess, and I don't think it has anything to do with your issue, but try to check the xp sender computer

You Cannot Access Shared Files and Folders or Browse Computers in the Workgroup
http://support.microsoft.com/default.aspx?scid=kb;en-us;318030
Author Comment by: ehanner
The AV scanner is a possibility worth checking. The sender is a win2K box trywaredk but I'll check the link.

I'll check this out in the next day or so and get back. Thanks.

Eric
Expert Comment by: trywaredk (LVL 12)
Could also be spyware - please check...

Spybot:
http://security.kolla.de/index.php

Ad-aware Standard Edition is THE award winning, free*, multicomponent adware detection and removal utility:
http://www.lavasoft.de/software/adaware/

SpyFerret detects & removes spyware
http://www.onlinepcfix.com/spyware/spyware.htm

Bazooka Adware and Spyware Scanner v1.13.01
http://www.kephyr.com/spywarescanner/

Automatic check of your browser for parasites, adware and spyware
http://www.doxdesk.com/parasite/

Author Comment by: ehanner
Ok, some developments here. First I received an email today from the creator of these .PUB files only this time it's an Excel file as an attachment. I got 12 emails, each with an attachment of some kind, not excel and each one had the message body filled with machine type. I had the sender copy the excel file to a cd and go to another computer and send it to me. I received the message with the attachment intact and after I scanned the file was able to open it. Last week the issue was limited to .PUB files and now both types are affected in this manner.

Also, now all users in the office are unable to receive these attachments where as before one computer was able to open normally.

Remember I uninstalled and reinstalled Outlook early in this exercise along with all other components of Office 2003.

I guess I'll go tomorrow and look for a trojan or spybot but I have already had her scan with NAV and again in Safe mode.
Accepted Solution by: trywaredk (LVL 12, earned 500 total points)
Start regedit and search for
SMTP Split Messages

It's probably located in a subkey under
HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

It's a DWORD value, and should be 0
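As an added example (not code from the thread or from trywaredk), the following PowerShell script audits, read-only, the two per-user Outlook registry settings this thread discusses: the per-account `SMTP Split Messages` DWORD from the accepted solution, found in each subkey of the OMI Account Manager `Accounts` key, and the `Level1Remove` string from the earlier attachment-security post, under the `Outlook\Security` key for Office 10.0 (XP) and 11.0 (2003). It reports which accounts would split outgoing mail into parts and whether Outlook's Level 1 attachment blocking has been relaxed, without changing anything. The `Account Name` and `SMTP Server` value names used to label each account are assumed, as are the function names; run it in the affected user's own session, since both keys live under HKCU.

```powershell
# Added example (not from the thread). Read-only audit of two per-user
# Outlook registry settings discussed above; nothing is modified.

# Accepted solution: "SMTP Split Messages" lives in one subkey per account.
# A non-zero value makes Outlook send large messages as several parts,
# which matches the "3 messages of gibberish" symptom in the question.
$AccountsRoot = 'HKCU:\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts'

function Get-OutlookSplitMessageSetting {
    if (-not (Test-Path -Path $AccountsRoot)) {
        Write-Warning "No Outlook OMI accounts found under $AccountsRoot"
        return
    }
    Get-ChildItem -Path $AccountsRoot | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $split = $props.'SMTP Split Messages'          # $null when the value is absent
        [pscustomobject]@{
            Subkey        = $_.PSChildName
            AccountName   = $props.'Account Name'      # assumed value name
            SmtpServer    = $props.'SMTP Server'       # assumed value name
            SplitMessages = $split
            Status        = $(if ($split -gt 0) { 'SPLITTING ENABLED - expected 0' } else { 'ok' })
        }
    }
}

# Earlier post: Level1Remove lists attachment extensions that Outlook's
# Level 1 filter should stop hiding. Its presence is worth knowing about
# when troubleshooting. Office XP is version 10.0, Office 2003 is 11.0.
function Get-OutlookLevel1Remove {
    foreach ($ver in '10.0', '11.0') {
        $key = "HKCU:\Software\Microsoft\Office\$ver\Outlook\Security"
        if (-not (Test-Path -Path $key)) { continue }
        $val = (Get-ItemProperty -Path $key).Level1Remove   # $null when absent
        [pscustomobject]@{
            OfficeVersion = $ver
            Level1Remove  = $val
            Status        = $(if ($val) { 'attachment blocking relaxed' } else { 'default' })
        }
    }
}

Get-OutlookSplitMessageSetting | Format-Table -AutoSize
Get-OutlookLevel1Remove        | Format-Table -AutoSize
```

If an account shows a non-zero `SplitMessages`, setting it back to 0 (as the accepted solution says) is the fix; the script deliberately leaves that change to the administrator so it can be run safely on every workstation first to compare the one that worked against the ones that did not.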
Expert Comment by: trywaredk (LVL 12)
Maybe it's the REG_BISCUIT.A
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=REG_BISCUIT.A&VSect=T

To find out ...

Use this free online Trend Housecall scanner to find and clean every known virus/rootkits/backdoors:
http://housecall.trendmicro.com/housecall/start_corp.asp

Some viruses can't be removed by housecall. If so, use the free Trend Micro system cleaner:
http://www.trendmicro.com/download/tsc.asp

If you get an ActiveX error, when loading the HouseCall web page:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=4317

Author Comment by: ehanner
Trywaredk,
I scanned in safe mode, online with Trend Micro and didn't get a single hit. However, the virus history log showed that both yesterday and again today, that NAV found 6 infected files. W32.Gibe.B@mm on a Patch408.exe 3 times and Backdoor.irc.cl.. and an IRC Trojan and Trojan Horse. I don't quite know why they show up in the history but not in the daily scans. They must be getting picked off before the scheduled scan. Also, the history log shows that the first action to be "clean" and second action to be "leave alone". This is not the way the scan is setup. The second action is "quarantine". I checked the settings and found them to be correct but for some reason the log shows otherwise. The end result is that the files are not to be found anywhere. They don't exist in the reported location in the log and scanning the drives didn't turn up anything. The virus log says they should be there as they were left alone.

I like your suggestion of Trend Micro on line. I haven't tried the system cleaner but I will.

After all of this scanning and searching, I wish I could say that I knew exactly what repaired the problem. I did run Outlook Repair and I cleaned out a ton of IE temp internet files, which was one of the virus locations. Also I cleaned out 55 bugs with Ad Aware. It all works fine now but I feel a little like the bombardier on the Enola Gay.

Thanks for your ear and support Trywaredk, you earned these points.

Eric
Expert Comment by: trywaredk (LVL 12)
The problem is, that antivirus programs don't find/remove Spyware, and antispyware programs don't find virus.

:o) Glad I could help you - thank you for the points
Author Comment by: ehanner
That's a great point. If some clever developer came up with an AV app that scrubbed and blocked spyware and had a sniffer that would verify no unauthorized connections were working, it would be a killer app.