
Hupigon virus

Status
Not open for further replies.

G0AOZ

Technical User
Nov 6, 2002
2,342
GB
I'm assuming this may be something like the Hupigon virus. User is with AOL and uses their on-line e-mail facility, rather than a client like OE etc.

He tells me his machine has not been used all day, and yet at 18:30 this evening I get, amongst several other addressees, an e-mail containing a link to a compromised website.

I guess his address book has been hijacked and forwarded to someone spoofing his AOL address. I have strongly suggested that he doesn't use his PC until it's been scanned for malicious files etc.

Am I right in my assumptions about the hijacking and spoofing?

ROGER - G0AOZ.
 
Sure sounds like it. Either that, or perhaps he's using a somewhat common email address? Or else one that's been posted in publicly accessible locations?
 
Thanks for that KJV. I'm no expert in reading mail headers, but this one has differences to a known good one I received from him over a year ago.

It's the usual address form, e.g. username@aol.com and I doubt if he's deliberately posted it in any public locations.

ROGER - G0AOZ.
 
It could have been the address book of someone other than the user that had the user's address in it that was hijacked. I've seen it where an address book is hijacked and one of the contacts is used as the "sender" to send to everyone else in the address book.

Hope this helps.

Please help us help you. Read Tek-Tips posting policies before posting.
Canadian members check out Tek-Tips in Canada for socializing, networking, and anything non-technical.
 
Yes, I agree it's possible for it to have been the address book of someone else. However, three things make me believe it isn't.

1. All the addressees on the several e-mails that have been received are in HIS address book.

2. His SENT BOX at AOL has just been mysteriously wiped clean of all messages.

3. He had an infection on this same machine of the Hupigon virus at the turn of the year. I disinfected it, zapped out all Restore Points etc., and up until last night everything was fine.

His machine is now on the bench here. However, after multiple scans of his hard disk there is no sign of the Hupigon virus. I did find the TR/Dropper.GEN trojan which is known to mess with e-mail I believe, although not sure if it does the same kind of thing as Hupigon.

So to my next questions... Is it likely that the original spoofer has 'restarted' operations using his original address book some nine months after the first event? Or is the TR/Dropper.GEN likely to be now doing this evil deed?

ROGER - G0AOZ.
 
Does the user have an iPhone that he uses to access his e-mail with?

The reason I'm asking is that there is a similar situation posted in the e-mail issues forum. The differences are that the items still appear in the sent items folder and that it involves yahoo.com.

Hope this helps.

 
Don't think he has an iPhone, but as you say, there are distinct similarities between this and Goom's posting.

B-B-B I'm thinking this is the more likely cause. User is already dealing with the password issue. Whilst the trojan dropper and its subsequent debris has now been eliminated, I suspect in this case it was probably a red herring...

ROGER - G0AOZ.
 