This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Viral Addon Installed without permission?

  • 1 reply
  • 1 has this problem
  • 1 view
  • Last reply by Toad-Hall

more options

Platform: Windows 7 Up to date Email: Thunderbird 31.6 Virus Tool: McAfee up to date Payload: It may have been dormant for two weeks: A client receieved a virus in the form of soo attached Report.zip which contained a virus. The virus disabled an upto date McAfee Anti Spam addon and install an addon called ???Client_1. This then read the collected addresses and built emails to propagate adding the emails in sent items. The add-on likely had built in error detection in that it attempted to send 96 emails as bcc which errored on send and it changed to 95 (also failed with invalid email), It then tried 22 and succeeded. It was detected atthis point after the user noticed the errors.

The payload was not detected by McAfee or AVG but as an exe in a zip clearly contains email dll's from microsoft.

Remedial Steps: Take Thunderbird off line. Examine addons. Remove weird Add-On and disable McAfee anti spam (as it did nothing) Export Address book. Delete Addresses. Restart Thunderbird Turn on-line. Check network bytes. Fix emails Apologise on resend (without virus) Tell you guys and AVG/McAfee

You should NOT be able to have an addion without permission. Updates great but initial NO.

Good luck and keep up the great work. I have the file if you want to add it to a vm to see the addon (sorry I did not keep it).

Cheers. Arvid.

Platform: Windows 7 Up to date Email: Thunderbird 31.6 Virus Tool: McAfee up to date Payload: It may have been dormant for two weeks: A client receieved a virus in the form of soo attached Report.zip which contained a virus. The virus disabled an upto date McAfee Anti Spam addon and install an addon called ???Client_1. This then read the collected addresses and built emails to propagate adding the emails in sent items. The add-on likely had built in error detection in that it attempted to send 96 emails as bcc which errored on send and it changed to 95 (also failed with invalid email), It then tried 22 and succeeded. It was detected atthis point after the user noticed the errors. The payload was not detected by McAfee or AVG but as an exe in a zip clearly contains email dll's from microsoft. Remedial Steps: Take Thunderbird off line. Examine addons. Remove weird Add-On and disable McAfee anti spam (as it did nothing) Export Address book. Delete Addresses. Restart Thunderbird Turn on-line. Check network bytes. Fix emails Apologise on resend (without virus) Tell you guys and AVG/McAfee You should NOT be able to have an addion without permission. Updates great but initial NO. Good luck and keep up the great work. I have the file if you want to add it to a vm to see the addon (sorry I did not keep it). Cheers. Arvid.

All Replies (1)

more options

Many thanks for posting info on this virus.

As with any attachment, you should not open and run attachments that do not come from a trusted source.

In this instance, the person must have saved, opened, unzipped and run the exe file in that attachment without checking it out. Even if the email address seemed familiar, did the alledged sender really send it or did the real sender abuse another persons email address?

Usually, you would get a pop up asking permission to run a program, but that depends on computer settings, running as administrator etc.

UAC info which may be of assistance regarding permission for programs to run: http://www.7tutorials.com/uac-why-you-should-never-turn-it-off