ClamX found a virus in a file called mbox

I ran ClamXav for the first time yesterday and it found 10 files with problems. 9 of them were associated with individual email files (where file extension = .emlx) which I just deleted. But one of them is associated with a file called mbox. That's its name, not its extension, it has no extension. And it is 20.4 MB in size.
Unable to locate it with Spotlight, I quarantined it, but I am wondering if it is safe to delete it. Are mbox files really folders that contain a group of mail type files? This one does not appear to be a folder.
Thanks for any help you can provide

MacBook Pro 15" Core Duo 2.16 GHz, Mac OS X (10.6.3), iPhone 3G, iPod 5G, AEBS, AEX, Time Capsule 500GB

Posted on May 16, 2010 7:40 AM


May 16, 2010 8:10 AM in response to Priscilla Greene

Does ClamXav not tell you where the file is somehow? If so, where is it?

As to concerns regarding viruses, those would be Windows viruses that were e-mailed to you. (I get spam all the time with Windows viruses attached.) Windows viruses cannot hurt you, though of course you wouldn't want to send them on to a Windows user. For more about Macs and viruses, see my Mac Virus guide (http://www.reedcorner.net/thomas/guides/macvirus).

May 16, 2010 8:23 AM in response to Priscilla Greene

AFAIK "mbox" is a sort of format that is used for a mailbox. It should act like a file, and you should be able to read it, more or less, with a text editor. Eudora for instance stores its mail in mbox format. Thus the "In" file would include all emails that are currently residing in the "In" mailbox. The advantage is that an mbox is completely portable--pretty much any email client can read it. So you could add a Eudora mailbox to a Linux system and there would be an email client for Linux that could read it.

Frankly, I don't know what would have created something that is named mbox. If you do a Command-F search with Spotlight, and from the criteria drop-down menu go to Other and select System Files, then select include (and what moron made the default "don't include"....jeez!) you should be able to find it. You could then try opening it with TextEdit, which will open mbox format files. You might then be able to determine just what email program created it, based on the content.
Francine


May 16, 2010 9:15 AM in response to Priscilla Greene

The only mbox format I know of is if you drag and drop a folder of emails out of Entourage to the desktop. For instance, if you grab the Sent Items folder in the left column and drop it on the desktop, the file created there will be Sent Item.mbox.

At some point, you may have accidentally dragged and dropped an Entourage folder onto the desktop, or into an open file window, which would be why you don't see it right out front. Which would mean ClamX is detecting a Windows virus within the .mbox file.

May 16, 2010 10:01 AM in response to Francine Schwieder

I should have mentioned some other things:

- I am using Mac Mail program
- Unfortunately, Francine, the file is no longer in its original location because I set ClamXav to move suspicious items to a folder within my Documents folder I set up called "Quarantined". Now I wish I hadn't set ClamX to move the files automatically so I could trace it. Can't find any kind of report or log that shows the original location.

My mail program seems to be behaving normally even though this suspicious file is no longer located in my User>Library>Mail folder. Its modified date is in 2006, which probably means it doesn't have anything too critical in it. But still...

What makes me wonder is that its File Type = "Document", and the other mbox files on the computer are the folders in the Mail program where the extension = "mbox" (for example: INBOX.mbox, Deleted Messages.mbox, etc).

My only concern is that given its 20 MB size, the quarantined file may have tons of pre-2006 emails in it and disaster could fall upon me if I delete it.

Guess I could make a copy of it somewhere prior to deleting it, just to be safe. The Mail program is a little tricky when trying to restore, however.

May 16, 2010 11:38 AM in response to Priscilla Greene

Well, if it is now in a place where you can get at it, try opening it with TextEdit. You should be able to see the individual emails, and also the attached virus (it will look like some sort of gibberish). Delete the gibberish and then resave as a regular text file. You will then still have a sort of archive of your old email (if that is indeed what it is).
Francine
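Added example, not part of the original thread: the same cleanup done with Python's standard `mailbox` module instead of hand-editing in TextEdit. It treats the mbox as the single flat file of concatenated messages described in the replies above, lists which messages carry attachments, and writes a cleaned copy while leaving the quarantined original untouched. The file names, addresses and sample messages are constructed for illustration.

```python
import mailbox
import os
import tempfile
from email.message import EmailMessage

def build_sample_mbox(path):
    """Write a constructed two-message mbox; one message has a harmless dummy attachment."""
    box = mailbox.mbox(path)
    note = EmailMessage()
    note["From"], note["Subject"] = "alice@example.com", "Lunch"
    note.set_content("See you at noon.")
    parcel = EmailMessage()
    parcel["From"], parcel["Subject"] = "tracking@example.com", "Parcel notice"
    parcel.set_content("Details attached.")
    parcel.add_attachment(b"dummy bytes, not malware", maintype="application",
                          subtype="octet-stream", filename="notice.zip")
    box.add(note)
    box.add(parcel)
    box.close()  # close() also flushes to disk

def list_attachments(path):
    """Return (subject, filename, content type) for each attachment in the mbox."""
    box = mailbox.mbox(path, create=False)
    found = [(msg["Subject"], part.get_filename(), part.get_content_type())
             for msg in box for part in msg.walk() if part.get_filename()]
    box.close()
    return found

def strip_attachments(src, dst):
    """Copy src to dst with every attachment body replaced by a text note."""
    box, out, removed = mailbox.mbox(src, create=False), mailbox.mbox(dst), 0
    for msg in box:
        for part in msg.walk():
            if part.get_filename():
                # Drop the MIME headers that described the old binary payload.
                for header in ("Content-Type", "Content-Disposition",
                               "Content-Transfer-Encoding"):
                    del part[header]
                part["Content-Type"] = "text/plain"
                part.set_payload("[attachment removed]")
                removed += 1
        out.add(msg)  # src is never modified; only dst is written
    box.close()
    out.close()
    return removed

if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    src, dst = os.path.join(workdir, "mbox"), os.path.join(workdir, "mbox.clean")
    build_sample_mbox(src)
    print(list_attachments(src))
    print(strip_attachments(src, dst), "attachment(s) removed")
```

Rescanning the cleaned copy before discarding the quarantined original confirms that the flagged content is gone while the message text is kept.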


May 16, 2010 3:50 PM in response to Francine Schwieder

Great idea - now I see what they are (a group of emails from a span of 4 days in June 2006). Looks like the virus arrived with an email from FedEx. Something seems ironic about that.

I am still perplexed as to why Mail named this just "mbox". The other nine infected files were individual emails with normal names like 48376.emlx which were easy to locate and blast. I'll never know the answer.

Marking this as "solved". Thanks Francine and everyone else.
