Regular Contributor
imbart
Posts: 170
Registered: ‎02-25-2009

Hotel Reservation Scam Email with Virus

Over the last few days I have received two scam emails with attachments purporting to come from "booking.com", which is a genuine travel agency that the scammers are pretending to be. As I have not made any hotel reservations and have never dealt with booking.com I deleted both, but not before I peeked into each email without opening them via "properties" - "details" - "message source", and after googling found it to be this worrying scam:

 

http://nakedsecurity.sophos.com/2012/05/31/hotel-booking-confirmation-emails-aim-to-infect-your-comp...

 

There are several other similar results and warnings about this. If you read the article, which is from Sophos, it would seem that opening the attachment releases a dangerous Trojan onto your computer.

 

What I would like to know - is Norton up to speed on this and would it have protected me if I had opened the attachment, which is said to be a .ZIP file? If not, will it please look into it now.

 

If I get another one how do I forward it safely to Norton for investigation?
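An added example, not part of any post in this thread: one way to look at a saved message source in memory, listing attachment names, hashes and ZIP member names without extracting or opening anything. The addresses, file names, the `RISKY` extension list and the sample message are constructed assumptions, not details of the emails described above.

```python
import email, hashlib, io, zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: extensions treated as risky inside an archive (not from the thread).
RISKY = (".exe", ".scr", ".pif", ".com", ".js", ".vbs")

def _domain(header_value):
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def triage(raw: bytes) -> dict:
    """Summarise a raw message in memory; no attachment is written or run."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {
        "from": str(msg.get("From", "")),
        # Display sender and envelope sender on different domains is a warning sign.
        "sender_mismatch": _domain(msg.get("From")) != _domain(msg.get("Return-Path")),
        "attachments": [],
    }
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        members = []
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()   # names only, nothing extracted
        report["attachments"].append({
            "filename": part.get_filename(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "zip_members": members,
            "executable_inside": any(m.lower().endswith(RISKY) for m in members),
        })
    return report

def build_sample() -> bytes:
    """Constructed, harmless sample: a ZIP holding one placeholder text payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Booking_Confirmation.pdf.exe", b"constructed placeholder, not a program")
    msg = EmailMessage()
    msg["From"] = "Hotel Reservations <reservations@travel-agency.example>"
    msg["Return-Path"] = "<bounce@unrelated-sender.example>"
    msg["Subject"] = "Hotel Reservation Confirmation"
    msg.set_content("Please see the attached booking details.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Booking_Confirmation.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

The SHA-256 value can be searched on a vendor's threat pages or quoted in a report without handling the file itself.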

dickevans
Posts: 12,344
Registered: ‎04-08-2008

Re: Hotel Reservation Scam Email with Virus

 

Thanks for the heads up

http://www.symantec.com/business/security_response/submitsamples.jsp or

https://submit.symantec.com/antifraud/phish.cgi

are the submission sites

I'll have to pass on your main question. That's one that only Norton can answer

Dick
Win7x64 SP1 current NIS V21
Regular Contributor
imbart
Posts: 170
Registered: ‎02-25-2009

Re: Hotel Reservation Scam Email with Virus

Many thanks, Dick. I've been thinking that if I get another spurious email I shall probably just delete it, because I don't want to play around with the malicious file, and if I upload the message source part of the email as a copy and paste to Symantec it may not be enough. Sophos seem to be ahead of Norton on this. A Sophos search on the two Trojans named in the Sophos article brings up results with all characteristics.

 

Win XP SP3 IE 8 Outlook Express 6.

dickevans
Posts: 12,344
Registered: ‎04-08-2008

Re: Hotel Reservation Scam Email with Virus


imbart wrote:

Many thanks, Dick. I've been thinking that if I get another spurious email I shall probably just delete it, because I don't want to play around with the malicious file, and if I upload the message source part of the email as a copy and paste to Symantec it may not be enough. Sophos seem to be ahead of Norton on this. A Sophos search on the two Trojans named in the Sophos article brings up results with all characteristics.

 

Win XP SP3 IE 8 Outlook Express 6.


Hi,

I can't comment where Norton is on the issue, I don't know. I would expect that they are aware of it and have not yet finished testing the 'fix'. I'd rather they be a bit late than break my security protection in a rush to publish.

Stay well and surf safe

Dick
Win7x64 SP1 current NIS V21
Regular Contributor
imbart
Posts: 170
Registered: ‎02-25-2009

Re: Hotel Reservation Scam Email with Virus

The bad people have sent me two more hotel reservation emails purporting to come from Booking.com (which they haven't). That's four hotels so far that I am supposed to have booked. Since my last warning Norton have so far classed these dangerous emails as spam. I hope they are working on the protection needed if someone opens these .zip attachments out of curiosity or mistake.

Regular Contributor
imbart
Posts: 170
Registered: ‎02-25-2009

Re: Hotel Reservation Scam Email with Virus

I received another fake hotel reservation booking today, and when I highlighted the title to delete it without opening it, as I did with all the others, a Norton alert flagged up and I discovered that the virus attachment, which is a zip file (showing up as "downloader.dromedan"), was in Quarantine, where I was informed that the threat had been removed and no further action was required. I hadn't opened anything and wondered why it had been saved in Quarantine instead of being deleted, which I was trying to do with the email in the first instance - why would I need an email virus attachment anywhere on my computer? Norton didn't make it clear how to remove it from Quarantine (and my computer altogether), but following several Google sources of help I chose "Remove from history" from the three options provided, the others being "restore" or "submit to symantec". I am assuming it has gone completely now as NIS and MBAM scans didn't find it, but shouldn't Norton have deleted it at source?

SendOfJive
Posts: 10,754
Kudos: 4,794
Solutions: 776
Registered: ‎02-07-2009

Re: Hotel Reservation Scam Email with Virus

Hi imbart,

 

It is not really important when a threat is detected, only that it is detected.  You don't say if you have Norton Email Scanning enabled, or whether you have the Outlook Express Preview Pane turned on - but either of those can have an effect on exactly when Norton first detects a threat in an attachment.  Norton cannot detect a malicious attachment at its source, because Norton is only capable of scanning files on your hard drive, not on someone else's server.  In this case, it sounds like the threat may have been detected when you accessed the attachment by highlighting the message.  The threat was completely removed from your PC.  Quarantine simply keeps an inactive, compressed copy of the file so that it can be recovered if necessary (more important for system files than email attachments, obviously).

Regular Contributor
imbart
Posts: 170
Registered: ‎02-25-2009

Re: Hotel Reservation Scam Email with Virus

Thanks for explaining that, SendOfJive.  I do have Norton Email Scanning on but don't show the Outlook Express Preview Pane. It is safer to use one click to highlight the message header (which enables "delete" if necessary) and I use the double click to open in a separate window. Norton flagged an alert on the one click highlight with the message and attachment still unopened.  I thought that would be the best point for Norton to delete instead of Quarantine for me to delete.  I can see the reason files are quarantined but as you mention who wants to restore an email virus attachment.  Just my thoughts ... but thanks again for your interest and reassuring reply.