Front Office Football Central  

Old 04-22-2010, 07:09 AM   #1
wade moore
lolzcat
 
Join Date: May 2001
Location: williamsburg, va
Mac Virus that sends e-mails from you?

I'm about to do a Google Search - but is anyone (*coughAlanTcough*) aware of a virus on the Mac that will send e-mails from you to your entire contact list? I know back in the day when I worked at a University we ran into this on the PC in various forms. I have little-to-no Mac experience, but this appears to have happened to my wife. It's either that or her gmail account was hacked, but I don't think that is it since there is nothing in her sent items. She uses the Mac web client to check her gmail.

Any help would be much appreciated.

The messages go out with a blank subject line and then some semi-legit web domain but with a bogus page on that domain.
__________________
Text Sports Network - Bringing you statistical information for several FOF MP leagues in one convenient site

Quote:
Originally Posted by Subby
Maybe I am just getting old though, but I am learning to not let perfect be the enemy of the very good...

Old 04-22-2010, 07:13 AM   #2
wade moore
lolzcat
 
Join Date: May 2001
Location: williamsburg, va
Dola:

One of my first searches got this:

Quote:
Answer
Macs do not get virus (very very rare)
If an email has a virus in it - and you forward it to a Win PC user, they can get the virus.
If a PC user that has your email address in their addressbook gets a virus that sends email out, that virus can 'spoof' (substitute) the real sender with one of the email addresses.
So, the virus gets sent with YOUR email address as the sender (EVEN THO you are not the sender).
This goes to an email server that sees the virus and sees that you sent it (even tho you did NOT).
The email server sends you an email saying you are sending viruses, even though you are not.
The only solution is to send an email to EVERYONE that has your email address AND a Windows computer and tell them to check and repair.

Based on the specific combination of e-mail addresses that this e-mail appears to be sent to, I do not believe this is what happened. It was sent to my work e-mail address, some specific common friends, and members of a club my wife is in that has no relation to the other two groups.

So - I'm pretty sure this is specific to my wife's computer.
Old 04-22-2010, 07:59 AM   #3
Alan T
Hall Of Famer
 
Join Date: Dec 2002
Location: Mass.
Well, first of all, the second post where you had the quote that macs do not get viruses is completely false. There are known viruses for macs, unix, smart phones, etc. It is less common that macs get viruses primarily because less are written for macs. There still are some that exist, and it is possible there could be more in the future.

That said, I do not know all of the mac viruses that are out there, I don't really take much interest in mac viruses because I don't really use them regularly (Only use them when looking at mac specific network enhancements for my company). I do know the majority of mac viruses require some user intervention though (The traditional pop up message saying your whatever software is out of date, please download and install this one instead --- where you then install a virus unknowingly onto your mac).

The most recent mac virus I remember off the top of my head is a dns changer. I do recall the type of virus you refer to for PC many times, but not sure if MAC has had one like it.

It is possible someone did hack her gmail account password and then use some other program to send mail from her gmail account and the sent messages would not show up. You could probably learn something if you look at the message header of the sent emails. It should tell you how the mail was sent most likely and help you narrow down where the problem occurred.
__________________
Couch to ??k - From the couch to a Marathon in roughly 18 months.


Old 04-22-2010, 08:01 AM   #4
samifan24
Pro Starter
 
Join Date: Apr 2001
Location: NC
The bogus email isn't from LiveHealthClub.com is it?

Someone in my family recently accidentally spammed their entire contacts list when they received an email from a relative that appeared as an invitation to join that site. When you click "not interested," it runs a script that spams everyone in your address book. Since it just happened to someone I know I thought that might be what happened here.
__________________
"You spend a good piece of your life gripping a baseball...and in the end it turns out that it was the other way around all the time." -Jim Bouton
Old 04-22-2010, 08:13 AM   #5
wade moore
lolzcat
 
Join Date: May 2001
Location: williamsburg, va
I can't figure out how to see the full message header in either gmail (my personal account that she sent to) or Outlook on my work side (it may be stripped, dunno).

The gmail does have this at the bottom:

mailed-by gmail.com
signed-by gmail.com


Ok - found it in Outlook (I removed all e-mail addresses and replaced with something else so it would make sense but not give out addresses):

Microsoft Mail Internet Headers Version 2.0
Received: from naeanrfkeb01v.nadsusea.nads.navy.mil ([10.16.20.105]) by naeanrfkez08v.nadsusea.nads.navy.mil with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 22 Apr 2010 04:40:39 -0400
Received: from naeanrfkeb10v.nadsusea.nads.navy.mil ([10.16.20.113]) by naeanrfkeb01v.nadsusea.nads.navy.mil with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 22 Apr 2010 04:40:39 -0400
Received: from naeanrfkeg06v.nadsusea.nads.navy.mil ([10.16.20.62]) by naeanrfkeb10v.nadsusea.nads.navy.mil with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 22 Apr 2010 04:40:39 -0400
Received: from NAEANRFKAX08.NADSUSEA.NADS.NAVY.MIL ([10.16.0.46]) by naeanrfkeg06v.nadsusea.nads.navy.mil with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 22 Apr 2010 04:40:38 -0400
X-AuditID: 8aa20595-a98d4bb000000d36-8c-4bd00c8f6ad5
Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.157])
by NAEANRFKAX08.NADSUSEA.NADS.NAVY.MIL (By accessing this system, you are consenting to this monitoring.) with ESMTP id 7584551400B
for <[email protected]>; Thu, 22 Apr 2010 08:45:03 +0000 (GMT)
Received: by fg-out-1718.google.com with SMTP id e21so197760fga.16
for <[email protected]>; Thu, 22 Apr 2010 01:40:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:received:date:received:message-id
:subject:from:to:content-type;
bh=GOsK7j4tM4VWWjzQn020tNATJmavKsuLIIQ/1qsCsHQ=;
b=Yk0JDn7gC1Zx+aEonwvDQ3UGCs4yG9/zOUstWfgdzvDRZQAZ1+0dn0KQMBsHAvxVoK
wmJQ3sVoTiwxApWt5Lr0E6MwlneOOotjG0bhD28C9wbVwdAQi2RX9vO9kT+O/GTKyIfK
pA4EDxGCzeeJW1CfN3CDeRFNBp7QRf/Mq21IU=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=mime-version:date:message-id:subject:from:to:content-type;
b=NZLscr82G6wogPhlIoCBJkAFUnBqmkXXEQYTkiDWuaJu0yTDvcrk/J+pkV96Oo0uxW
1bpGNQKBLPPL9OQSOzyqLEobLckd/H25YhU7mYLBuSu/fTSXMWVkvjRT+IqZIC08TKWG
aLqxB/lAKOlZy6WpawRKTKOehYuM4JsFt0hSo=
MIME-Version: 1.0
Received: by 10.223.112.13 with HTTP; Thu, 22 Apr 2010 01:40:30 -0700 (PDT)
Date: Thu, 22 Apr 2010 03:40:30 -0500
Received: by 10.223.92.136 with SMTP id r8mr379933fam.40.1271925631003; Thu,
22 Apr 2010 01:40:31 -0700 (PDT)
Message-ID: <z2rae0de4ae1004220140t74fe590[email protected].com>
Subject:
From: Mrs.Moore <mrs.moore@gmail.com>
To: bunch of e-mail addresses
Content-Type: text/plain; charset=ISO-8859-1
X-Brightmail-Tracker: AAAAAhPYxLgT2ZbG
Return-Path: mrs.moore@gmail.com
X-OriginalArrivalTime: 22 Apr 2010 08:40:38.0815 (UTC) FILETIME=[7C1122F0:01CAE1F7]
Old 04-22-2010, 08:14 AM   #6
wade moore
lolzcat
 
Join Date: May 2001
Location: williamsburg, va
Quote:
Originally Posted by samifan24
The bogus email isn't from LiveHealthClub.com is it?

Someone in my family recently accidentally spammed their entire contacts list when they received an email from a relative that appeared as an invitation to join that site. When you click "not interested," it runs a script that spams everyone in your address book. Since it just happened to someone I know I thought that might be what happened here.

Nope - it appears to have grouped into groups of 5-10 e-mail addresses and uses different domains for the link in each spam message.
Old 04-22-2010, 08:14 AM   #7
wade moore
lolzcat
 
Join Date: May 2001
Location: williamsburg, va
For better or worse (worse it appears) there is NO virus protection on her MAC.

I knew there were viruses, but also rare - so I just didn't bother with it.
Old 04-22-2010, 08:15 AM   #8
wade moore
lolzcat
 
Join Date: May 2001
Location: williamsburg, va
Hm.

I have to stand corrected.

This IS in her gmail sent items (just didn't synch to the Mac E-mail Program).

This may be a simple gmail hacking.
Old 04-22-2010, 08:15 AM   #9
wade moore
lolzcat
 
Join Date: May 2001
Location: williamsburg, va
Tri-Dola - I already changed her PW this morning fwiw.
Old 04-22-2010, 08:24 AM   #10
wade moore
lolzcat
 
Join Date: May 2001
Location: williamsburg, va
To anyone reading this:

Regardless, I'm installing an anti-virus app on her MAC. Any recommendations?
Last edited by wade moore : 04-22-2010 at 08:25 AM.
Old 04-22-2010, 08:27 AM   #11
Alan T
Hall Of Famer
 
Join Date: Dec 2002
Location: Mass.
Looking at those headers, it does appear to have been sent through gmail.

I would definitely assume password hack here, but the question is how did they hack the password? Usually that is through some other program or hack (not necessarily her mac if she logs in from other places too).

I don't think there is enough information here to say the mac is clean, but it is not uncommon for people to have keyloggers that intercept gmail passwords.
Alan T is offline   Reply With Quote
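Added example (not part of any post in this thread): the header reading suggested in post #3 and applied in post #11, done in Python over a constructed header block modelled on the one in post #5. The names `summarize`, `parse_hops` and `trusted_suffix`, the `example.org` hosts and the PLACEHOLDER values are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample modelled on the headers in post #5; the example.org host,
# the recipient address and the PLACEHOLDER values are invented.
SAMPLE = """\
Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.157])
 by edge.example.org with ESMTP id PLACEHOLDER;
 Thu, 22 Apr 2010 08:40:38 +0000 (GMT)
Received: by fg-out-1718.google.com with SMTP id PLACEHOLDER;
 Thu, 22 Apr 2010 01:40:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=gamma; bh=PLACEHOLDER; b=PLACEHOLDER
Received: by 10.223.112.13 with HTTP; Thu, 22 Apr 2010 01:40:30 -0700 (PDT)
Date: Thu, 22 Apr 2010 03:40:30 -0500
Received: by 10.223.92.136 with SMTP id PLACEHOLDER; Thu,
 22 Apr 2010 01:40:31 -0700 (PDT)
From: Mrs.Moore <mrs.moore@gmail.com>
To: recipient@example.org
"""

def _grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_hops(msg):
    """Return Received hops oldest first; sorted by time because viewers may reorder."""
    hops = []
    for raw in msg.get_all("Received", []):
        info, _, stamp = " ".join(raw.split()).rpartition(";")  # unfold, split off date
        hops.append({"when": parsedate_to_datetime(stamp.strip()),
                     "from": _grab(r"\bfrom (\S+)", info),
                     "by": _grab(r"\bby (\S+)", info),
                     "with": _grab(r"\bwith (\S+)", info),
                     "peer_ip": _grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", info)})
    return sorted(hops, key=lambda h: h["when"])

def summarize(raw_headers, trusted_suffix):
    msg = message_from_string(raw_headers)
    hops = parse_hops(msg)
    # Oldest hop written by a server the recipient controls. Older hops were
    # written by the sending side and are only as reliable as that side.
    boundary = next((h for h in hops if (h["by"] or "").lower().endswith(trusted_suffix)), {})
    signers = []
    for raw in msg.get_all("DKIM-Signature", []):
        tags = dict(t.strip().split("=", 1) for t in raw.split(";") if "=" in t)
        signers.append(tags.get("d", "").lower())  # d= tag only, signature not verified
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {"hop_count": len(hops), "origin_proto": hops[0]["with"],
            "origin_by": hops[0]["by"], "handoff_host": boundary.get("from"),
            "handoff_ip": boundary.get("peer_ip"), "from_domain": from_domain,
            "dkim_domains": signers, "from_matches_signer": from_domain in signers}
```

Calling `summarize(SAMPLE, "example.org")` reports an oldest hop recorded `with HTTP`, a handoff to the recipient's server from a Google host, and a `d=` domain equal to the From domain, which is the pattern read in post #11 as "sent through gmail". The `d=` tag is only read here, so the match carries weight only where the receiving side has actually verified the DKIM signature.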
Old 04-22-2010, 08:31 AM   #12
wade moore
lolzcat
 
Join Date: May 2001
Location: williamsburg, va
Quote:
Originally Posted by Alan T
Looking at those headers, it does appear to have been sent through gmail.

I would definitely assume password hack here, but the question is how did they hack the password? Usually that is through some other program or hack (not necessarily her mac if she logs in from other places too).

I don't think there is enough information here to say the mac is clean, but it is not uncommon for people to have keyloggers that intercept gmail passwords.

99% of her access to gmail is through the Mac. The only other access is when I access the account for her through my computer or my work computer, which has not happened in quite awhile (at least a month). So far none of my accounts have seen a problem, but I guess I should change passwords just in case. This work machine has Symantec on it, but it's rather old. My home machine has AVG on it.
Old 04-22-2010, 08:33 AM   #13
Alan T
Hall Of Famer
 
Join Date: Dec 2002
Location: Mass.
Quote:
Originally Posted by wade moore
To anyone reading this:

Regardless, I'm installing an anti-virus app on her MAC. Any recommendations?


I know some of the major AV vendors also have mac versions too. I don't honestly know which ones are good or not though. The only free mac AV that I have heard of is ClamAV, but I don't know if that is any good either.

I know common belief in the past was you really only needed mac antivirus to protect other PC users from infected files that you might send on which wouldn't really hurt your system. That for the most part is likely still the case, so I don't want to panic you to think that the mac is the likely case here. If I had to guess I'm betting it more likely to be a password hack than a mac exploit, I just can't say for sure.
Old 04-22-2010, 08:38 AM   #14
wade moore
lolzcat
 
Join Date: May 2001
Location: williamsburg, va
Quote:
Originally Posted by Alan T
I know some of the major AV vendors also have mac versions too. I don't honestly know which ones are good or not though. The only free mac AV that I have heard of is ClamAV, but I don't know if that is any good either.

I know common belief in the past was you really only needed mac antivirus to protect other PC users from infected files that you might send on which wouldn't really hurt your system. That for the most part is likely still the case, so I don't want to panic you to think that the mac is the likely case here. If I had to guess I'm betting it more likely to be a password hack than a mac exploit, I just can't say for sure.

I'm not panicking by any stretch - so that's good. I'm just realizing I've been complacent. While the IT support I do now is application specific, in the past I have done broader IT support so I've dealt with this stuff in the past.

It just opens my eyes that I need to not be lazy and assume it's a Mac so it will be fine.
Old 04-22-2010, 12:28 PM   #15
lordscarlet
Pro Starter
 
Join Date: Oct 2005
Location: Washington, DC
My wife had a similar thing happen (as I told you) and it was when she hadn't opened her home computer for like a month. And her work machine is locked down. So... who knows. I think sometimes there can be a keylogger that holds on to the information for a while and then at a later date makes use of the information.
__________________
Sixteen Colors ANSI/ASCII Art Archive

"...the better half of the Moores..." -cthomer5000
Old 04-22-2010, 01:09 PM   #16
SteveMax58
College Starter
 
Join Date: Dec 2006
This happened to my wife (old aol address) and my wife's grandfather (at&t I believe) recently.

Exact same thing...blank subject line, some spam link in the message (different in each message).

I assumed it was just a password intercept so I changed her password. Haven't had anything happen since.
Old 04-22-2010, 01:43 PM   #17
SteveMax58
College Starter
 
Join Date: Dec 2006
dola

Meant to add...neither of them have a Mac.