Another trojan alert


 sparkz
 
posted on April 17, 2004 11:18:47 PM new
About 2 weeks ago I started a thread about a group trying to deposit trojans onto the hard drives of Ebay sellers via the "ask seller a question" link. I've since received 2 more of these phony inquiries and I saved one to show everyone what it looks like. This is a cut and paste of the actual email:


Hi, please add another $19 for shipping to Nebraska.
[email protected] wrote:
Hello, what is the shipping cost to Saskatchewan?

--------------------

Question from: eefluphet
Title of item: FUTURAMA SEASON 4 - FOUR DVD SET
Seller: theckelou
Starts: Apr-14-04 17:35:06 PDT
Ends: Apr-21-04 17:35:06 PDT
Price: Starts at $108.60
To view the item, go to: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=320989275


Visit eBay, The World's Online Marketplace TM at
http://www.ebay.com
Do you Yahoo!?
Yahoo! SitefBuilder - Free, easy-to-use web site desoign software


Warning!! DO NOT put the URL in this email into your browser. It redirects to a url named: http://68.99.108.238:6688 which will promptly infect your computer with the trojan Exploit-MHTRedir.gen. This appears to be a new way to harvest personal info from your computer or to install a back door. I haven't looked up the actual purpose of this trojan, so I can't say for sure what its intentions are. I just wanted everyone reading this board to be very careful with these inquiries that arrive through Ebay's servers. If it's not your auction, DELETE IT!!
A $75.00 solid state device will always blow first to protect a 25 cent fuse ~ Murphy's Law
 
 cblev65252
 
posted on April 18, 2004 04:55:43 AM new
This has been going around for a while now. My anti-virus software catches all of these very well. By now, hopefully everyone knows to update their software regularly. Mine automatically updates. Thank goodness because I'd forget.

Thanks, sparkz, for sharing this.

Cheryl
http://www.kcskorner.com
 
 stopwhining
 
posted on April 18, 2004 08:11:37 AM new
come to think of it,i did receive such an email and click on the link to ask what item are they talking about.
lately i have more popup pages and all the sites i visited in the past which remember my password and logon id,no longer remember them and i have to key them in everytime i go up to the site.
this is not funny,these sites are yahoo,bank of america and wells fargo .
-sig file -------we eat to live,not live to eat.
Benjamin Franklin
 
 neglus
 
posted on April 18, 2004 08:15:26 AM new
The URL looks like it goes to an eBay auction...is the trojan imbedded in the auction or is it a dummied URL? Would anyone who puts that auction # in eBay search catch the nasty trojan?

I got a couple of these too..but I THINK I deleted them when I realized they weren't about my auction..I HOPE so anyway!
**********************************
Sig files are too much trouble!
http://stores.ebay.com/Moody-Mommys-Marvelous-Postcards [ edited by neglus on Apr 18, 2004 08:17 AM ]
 
 glassgrl
 
posted on April 18, 2004 09:08:19 AM new
stopwhining:

http://www.wilderssecurity.com/showthread.php?t=15913
 
 glassgrl
 
posted on April 18, 2004 09:30:28 AM new
now that's interesting. the ebay link takes you to ebay invalid item.

however the http://68.99.108.238:6688 does take you to a website that DOES put a trojan on your computer.

I didn't mean to actually try it for real but I was chasing down the number with sam spade and it opened the page and norton immediately popped up with warning trojan removed.


 
 sparkz
 
posted on April 18, 2004 11:25:10 AM new
Neglus...It's a bogus auction number. Search through Ebay brings up nothing. I'm assuming the seller id and the bidder id are bogus also as they were in the previous one I received. Also, in the first one, the link went to a bogus "invalid item" page which I saw briefly before McAfee's notice popped up and deleted the trojan.

Stop...You need to get right over to TrendMicro's website and run Housecall now. If you clicked on a link in one of these, you probably have a Trojan on your computer. It deposits the trojan in your temporary internet files folder and if it's like many trojans, it activates the next time you boot your computer. http://www.trendmicro.com/free_tools/


A $75.00 solid state device will always blow first to protect a 25 cent fuse ~ Murphy's Law
 
 stopwhining
 
posted on April 18, 2004 01:25:03 PM new
ok,i ran spyware and it showed me some software -most come with my pc ,but a few are to track where i go and increase popup windows,i think they are called gators??
i deleted those.
lately i am also having problem staying online-if i walk away from my pc for 20 minutes,the screen went dark and i cannot click my mouse to bring back the screen,i have to shut down my pc and restart,any idea how to fix it??
or is this old mother getting old and tired after 5 years??
-sig file -------we eat to live,not live to eat.
Benjamin Franklin
 
 cblev65252
 
posted on April 18, 2004 01:32:24 PM new
This is the best popup blocker I've used. It blocks everything and it's free.

http://www.globalshareware.com/Internet/Tools-Utilities/Super-Popup-Blocker.htm

Cheryl
http://www.kcskorner.com
 
 sparkz
 
posted on April 18, 2004 01:44:20 PM new
Stop...The spyware software won't help if you have a trojan. You need to run an up to date virus software to detect and remove any virus that may be on your computer. Go to the link in my post above and they can scan your hard drive remotely to detect and remove any virus you may have. You also should look into getting McAfee on line through AOL. It's very effective and automatically searches for and installs the latest updates every 4 hours.


A $75.00 solid state device will always blow first to protect a 25 cent fuse ~ Murphy's Law
 
 stopwhining
 
posted on April 18, 2004 04:30:13 PM new
i ran housecall,what you call it and it gave me instructions to delete the BKDR TOFGER.A but it said it cant get into msft windows to delete as other application is using it.
it also suggests that i delete MSERV.
i may have to call AOL and find out how to get rid of it.
this trojan horse keeps track of my keystrokes and download files.
-sig file -------we eat to live,not live to eat.
Benjamin Franklin
 
 glassgrl
 
posted on April 18, 2004 05:03:45 PM new
stopwhining: STOP!!! Clean your computer out once and for all! Look at the website and the instructions I posted above. those people are very helpful and they know what they are doing.

If you have such programs on your computer such as SPYBOT and/or Ad-aware and the Spyware Blaster you won't ever get these things on your computer in the first place.

I think I read over there today that 40% of people have some kind of trojan on their computer and don't know it.

I have never had any kind of Malware or Spy downloaded onto my computer since installing these.

If you will follow their directions they will almost immediately clean your computer up for you.

[ edited by glassgrl on Apr 18, 2004 05:06 PM ]
 
 bob9585
 
posted on April 18, 2004 05:10:40 PM new
cblev,

What virus blocker are you using- sounds like a good one.


Bob

 
 sanmar
 
posted on April 18, 2004 05:14:15 PM new
I do not use any proprietary software to delete files. I have Norton Security & never open anything with attachments unless I know who it is from. Also keep abreast of all of the Windows security updates. There have been several lately.
[ edited by sanmar on Apr 18, 2004 05:17 PM ]
 
 glassgrl
 
posted on April 18, 2004 05:35:23 PM new
sanmar - have you ever run anything like SpyBot or Adaware?

I think 99.9% of the people that have never run one of those two (and ONLY one of those two - ok, if not both) would be very very surprised at what they have on their computers.

It's just not enough to feel safe with your virus protection these days.

My husband is the worst about opening emails and clicking on links that I finally had to search for things that would NOT let this stuff get on my computers or jam my inboxes with spam. Even our relatives...no matter how many times I tell them I don't open attachments, I get 5 emails a day from them that is forwarded 15 times via attachment. It's kind of like AIDS, you know?

Clean it out. Then protect yourself from ever getting it again. It is FREE and relatively painless to run weekly.

But YES - DO your MS updates frequently. That trojan above? MS did catch it early and released an update that would block it from downloading. I have XP, cable and automatic updates. I'm frequently surprised at how often the updates download.


[ edited by glassgrl on Apr 18, 2004 05:37 PM ]
 
 cblev65252
 
posted on April 18, 2004 06:07:33 PM new
bob

I'm using eztrust by Computer Associates. Here's the link to their site:

http://www.my-etrust.com/

I love it. I used to use Norton, but the eztrust armor also comes with a very user friendly firewall that is virtually blocking out all suspicious activity. It got to a point even with Norton that programs were being automatically downloaded onto my machine. I was lucky enough to get it free for one year. They do have a trial. Couldn't hurt to give it a shot.


Cheryl
http://www.kcskorner.com
 
 sparkz
 
posted on April 18, 2004 07:13:18 PM new
Stop...Get the latest version of Spybot Search and Destroy and since you are on AOL, sign up for the McAfee program through them. The first 30 or 60 days will be free and then they will add $1.95 a month to your regular monthly charge if you decide to stay with it. Updates are automatic and you don't have to do anything. Between the two programs, you should be well protected. As soon as the two are installed and your computer is cleaned up, go in and change your passwords on every site you are registered on, especially the banks and Ebay and Paypal.


A $75.00 solid state device will always blow first to protect a 25 cent fuse ~ Murphy's Law
 
 stopwhining
 
posted on April 18, 2004 07:24:20 PM new
spark,
i did went to your site and followed the scan on hard drive c,thats how they found the bkdr tofger.a embedded in msft windows??
i followed the instructions they gave me on how to rid the file and stop the auto, but somewhere i cant follow the instruction as i cant find certain programs they mentioned.
but i did install the mcafee software.
u know,i dont click on any spam mails,but this one is coming thru ebay,if you sell on ebay and you keep getting question on shipping,you want to know what is going on??
-sig file -------we eat to live,not live to eat.
Benjamin Franklin
 
 sparkz
 
posted on April 18, 2004 07:39:13 PM new
Stop..That is correct, it is not coming from any email attachment, it's coming from a bogus site that emulates a legitimate Ebay site. If you will recall a few weeks back a Vendio member posted a link to a legit Ebay auction. It turned out that there was a trojan imbedded in either the html or the image(which was hosted on Vendio). Apparently I was the first one to read that thread and click on the link and I promptly got hit with a Trojan. McAfee cleaned it up but insisted I do a complete scan so by the time I could get back to warn everyone, Ebay had taken the auction down. It's bad enough that a bogus site could pass a trojan, but an Ebay auction is unthinkable. I might add that to Vendio's credit they contacted me via Email after reading that thread, for more specifics so they could make sure they had everything set up correctly to prevent anything nasty from coming through on their image hosting servers.


A $75.00 solid state device will always blow first to protect a 25 cent fuse ~ Murphy's Law
 
 stopwhining
 
posted on April 18, 2004 07:47:21 PM new
i just got another ask seller a question email,they are sending this with hotmail account and then damn link is clickable.
good thing i look at the item-it is a laptop,it said add 11 dollars for shipping to colorado??
well,thats nice,except i dont sell laptop
-sig file -------we eat to live,not live to eat.
Benjamin Franklin
 
 sparkz
 
posted on April 18, 2004 08:04:08 PM new
Do an Ebay search on both the buyer's and seller's id plus the auction number. All three will be invalid. Also, do a mouseover of the link in the email and see what the url really is.


A $75.00 solid state device will always blow first to protect a 25 cent fuse ~ Murphy's Law
 
 OhMsLucy
 
posted on April 18, 2004 08:12:46 PM new
The best way to avoid getting taken in by these bogus Ask Seller a Questions emails is to check the auction number BEFORE you read the email. The number is in the subject line.

What I do is look at the last four digits. It's easy to check my auctions to see if it's a legitimate message. If it's not one of mine, I delete it without opening it.

Lucy

 
 stopwhining
 
posted on April 18, 2004 08:13:10 PM new
http://68.99.108.238:6688/

-sig file -------we eat to live,not live to eat.
Benjamin Franklin
 
 sparkz
 
posted on April 18, 2004 08:54:13 PM new
Lucy...Thanks for bringing that point up. I forgot to mention that although the link was to item# 320989275, the subject line was for auction #276739632 (also a bogus number). The biggest tipoff is probably that the subject line began with "RE:" Question for Seller.

Stop...That's the same url as in mine.

If anyone is interested, here are the headers from the bogus email I received:

Return-Path: <[email protected]>
Received: from rly-yg04.mx.aol.com (rly-yg04.mail.aol.com [172.18.180.100]) by air-yg03.mail.aol.com (v98.19) with ESMTP id MAILINYG33-2864080cf3ec3; Sat, 17 Apr 2004 02:32:05 -0400
Received: from cliente-217216014116.uBRSEA01.supercable.es (cliente-217216014116.ubrsea01.supercable.es [217.216.14.116]) by rly-yg04.mx.aol.com (v98.5) with ESMTP id MAILRELAYINYG46-2864080cf3ec3; Sat, 17 Apr 2004 02:31:42 -0500
Date: Sat, 17 Apr 2004 06:29:17 +0000
From: mart bret <[email protected]>
X-Mailer: The Bat! (v2.01)
Reply-To: mart bret <[email protected]>
X-Priority: 3 (Normal)
Message-ID: <1137890262.20040417063417@>
To: [email protected]
Subject: RE: Question for seller -- Item #276739632
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-AOL-IP: 217.216.14.116
X-AOL-SCOLL-SCORE: 1:XXX:XX
X-AOL-SCOLL-URL_COUNT: 1


A $75.00 solid state device will always blow first to protect a 25 cent fuse ~ Murphy's Law
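
Added example, not part of any post in this thread: a Python triage of one "ask seller a question" message that applies the checks posters describe (subject starts with "RE:", item number is not one of your own, the link's real target differs from the eBay URL it displays, and the item number in the link differs from the subject). The sample message is constructed from values quoted in the thread; the `<a>` markup, the `triage` function and its finding names are assumptions.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit
# Constructed sample: subject, item numbers and URLs come from the thread;
# the <a> markup (displayed eBay URL, different href) is an assumption.
SAMPLE = """\
Subject: RE: Question for seller -- Item #276739632
Content-Type: text/html; charset=iso-8859-1

<html><body>Hi, please add another $19 for shipping to Nebraska.<br>
<a href="http://68.99.108.238:6688">
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=320989275</a>
</body></html>
"""
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw, my_items):
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    m = re.search(r"Item #(\d+)", subject)
    subject_item = m.group(1) if m else None
    findings = ["subject-is-reply"] if subject.upper().startswith("RE:") else []
    if subject_item not in my_items:
        findings.append("item-not-mine")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        host, shown = urlsplit(href).hostname or "", urlsplit(text)
        if IPV4.fullmatch(host):
            findings.append("href-is-raw-ip")          # real target is a bare IP
        if shown.hostname and shown.hostname != host:
            findings.append("link-text-host-mismatch")  # what "mouseover" reveals
        shown_item = parse_qs(shown.query).get("item", [None])[0]
        if shown_item and shown_item != subject_item:
            findings.append("link-item-differs-from-subject")
    return findings
```

The code only parses the message text and never fetches the link, so it can be run against a saved copy of a suspect email.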
 
 stopwhining
 
posted on April 19, 2004 05:15:21 AM new
if you get one of these emails-if the item is not yours,dont click on the URL.


-sig file -------we eat to live,not live to eat.
Benjamin Franklin
[ edited by stopwhining on Apr 19, 2004 05:18 AM ]
 
 neglus
 
posted on April 19, 2004 05:27:41 AM new
I don't know if it's the way I have AOL set up, but I also received some of these ask seller a question emails...the links WERE NOT clickable...

I use Norton's, SpyBot and SpyWare Blaster (no firewall but do have a wireless router)...interestingly, the only time I have been warned of a NASTY is when I use Switchboard.com (I don't even bother with phonebooks anymore)and I receive a warning EVERY time! Make sure you have something like SpyBot on your PC before you use Switchboard.com!!
**********************************
Sig files are too much trouble!
http://stores.ebay.com/Moody-Mommys-Marvelous-Postcards
 
 stopwhining
 
posted on April 19, 2004 05:32:01 AM new
well,the first one i received the link is not clickable,the one i received last nite is clickable,so improvement improvement.
the sender email addy is a hotmail account.
-sig file -------we eat to live,not live to eat.
Benjamin Franklin
 
 sparkz
 
posted on April 21, 2004 07:47:27 PM new
I just received another one of these today, so I forwarded it to [email protected]. Here was their reply:

Hello,

Thank you for writing to eBay regarding the email you received.

We reviewed your report and found that although the message you received
was made to appear as if it had been sent by an eBay user, it was not.
It appears that this email may also contain a keystroke virus. If you
clicked on any of the links in the email, you may have exposed your
computer to this virus.

We are not equipped to determine if your computer is indeed infected
with a virus. If you have not already done so, you should seek out a
virus scanner program to use on your system. I have included a few links
below to get you started in this effort:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/virus.asp
http://vil.mcafee.com/default.asp?
http://www.f-secure.com
http://www.cnet.com
http://securityresponse.symantec.com
http://netsecurity.about.com/b/a/013754.htm

As always, it's a good idea to keep your virus scanner up to date with
the most recent virus definitions. If you do not have a virus scanner,
you can run a free virus scan on your computer at:

http://housecall.antivirus.com

Until you are certain that your computer is virus free, you should take
caution in your computer use. In addition, we suggest that you never
open an email or attachment from someone you don't know. You may need to
contact your email provider to disable any automatic downloading
settings. It is advised that you only download attachments in a secure
setting where you have the ability to scan for viruses before actually
opening the attachment. Please take this opportunity to learn about and
protect your computer from viruses from some of the Websites above.

Once again, thank you for alerting us to the email you received. Your
vigilance helps us ensure that eBay remains a safe and vibrant online
marketplace.

Regards,

Ian
eBay SafeHarbor
Investigations Team
A $75.00 solid state device will always blow first to protect a 25 cent fuse ~ Murphy's Law
 
 