
Email.Phishing.Blackhole in Microsoft Office Data Records

I recently used ClamXav to scan my MacBook Pro and found Email.Phishing.Blackhole in the path Documents/Microsoft User Data/Office 2011/Data Records. Does this affect my Microsoft Office documents in any way? Can I delete this?

Mac Pro, OS X Mountain Lion (10.8.5)

Posted on Nov 5, 2013 10:42 AM

16 replies

Nov 5, 2013 12:04 PM in response to inc2022

inc2022 wrote:


I recently used ClamXav to scan my MacBook Pro and found Email.Phishing.Blackhole in the path Documents/Microsoft User Data/Office 2011/Data Records. Does this affect my Microsoft Office documents in any way? Can I delete this?

NO! That will likely delete all your e-mail and perhaps other MS Office data.


For fastest, most efficient answers to questions such as this, please visit the ClamXav Forum. There are specific instructions in "Instructions for identifying infected emails" which will allow you to identify the wording of the message, and then you will need to use MS Outlook to find and delete the message in question, but I'll save you some time. You cannot be infected by simply reading this e-mail; just don't click on any hyperlinks or open an attachment.


The message contains the following sets of words or images:

STAR ALLIANCE LOGO


From: "US Airways - Reservations" <reservations@myusairways.com>


Be advised that there are variants of this infection named "Email.Phishing.Blackhole-2" through "-5", so if there is a number at the end then the contents will be much different.

Nov 5, 2013 1:02 PM in response to MadMacs0

Thanks for the info! I identified the wording of the message following the instructions on the forum you referred me to. Unfortunately, I was not able to find any such mail in my Outlook. I must point out that while some of the infected files identified during my scan had a filename ending with .emlx and have a path in Library/Mail/imap, this one, Email.Phishing.Blackhole, has a file name x27_75641.olk1MsgSource and the path is in Users/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records. I am just wondering if this is integrated into my Microsoft Office and if there is any chance I can get rid of it.

Nov 5, 2013 1:41 PM in response to inc2022

inc2022 wrote:


Thanks for the info! I identified the wording of the message following the instructions on the forum you referred me to. Unfortunately, I was not able to find any such mail in my Outlook. I must point out that while some of the infected files identified during my scan had a filename ending with .emlx and have a path in Library/Mail/imap

Never use the Finder, ClamXav or any other A-V software to move these files to the Trash or Quarantine, as this will corrupt the mailbox index. Choose "Reveal in Finder," double-click to open and note the date/time and Subject. Close that window and find the same e-mail in Apple Mail to use the delete button to remove it, and empty the e-mail Trash if you have elected to move it there.

Email.Phishing.Blackhole has a file name x27_75641.olk1MsgSource and the path is in Users/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records. I am just wondering if this is integrated into my Microsoft Office and if there is any chance I can get rid of it.

Sorry, although I use Office 2011 I don't have Outlook, so the only thing I can tell you is that with my setup that directory contains several sub-directories:

Categories

Contacts

Database Headers

Folders

Mail Accounts

Preferences

Recent Addresses

Saved Searches

Schedules

Signatures


I am not sure where you are reading the path from, but I suspect you aren't seeing the full path. If you click on the entry and select "Show Path" or "Reveal in Finder" that might take you to a single file that can be somehow dealt with. If you have closed the window, that same information can be searched for by clicking Open Scan Log. Again, I don't recommend you drag that file to the trash at this time as I don't know how Office deals with missing files.

Nov 5, 2013 1:57 PM in response to MadMacs0

Thanks for the tip with deleting stuff from Apple mail.


I have been using Show Path / Reveal in Finder to identify where the file is. That's why I know this particular file is in the Documents/Microsoft User Data. I don't think it has anything to do with Mail or Outlook. So if you know whether I can delete it or not, that would be great.

Nov 5, 2013 7:28 PM in response to inc2022

inc2022 wrote:


I don't think it has anything to do with Mail or Outlook.

Again, I'm just guessing but since the infection name identifies it as "E-mail" and with a file extension of .olk1MsgSource it certainly sounds to me like it has something to do with Outlook "olk" and e-mail "MsgSource" but I can't seem to find anything like that documented on the Internet.


If the file isn't very big, then perhaps we can learn something by extracting any text it contains.


Open the Terminal app (found in /Applications/Utilities/). Triple-click the following and type Command-C to copy it to the clipboard, then paste it into the terminal window after the "$ " prompt using Command-V.

strings ~/Documents/Microsoft\ User\ Data/Office\ 2011\ Identities/Main\ Identity/Data\ Records/x27_75641.olk1MsgSource

If it tells you the file doesn't exist, then I don't have the exact information about the path and you'll need to try it in a different manner.


Copy and paste the results back here. Note that there may be user data in the results (e.g. your e-mail address) which you should delete from the entry.

if you know whether I can delete it or not, that would be great.

I will not be telling you that, as I never tell a user to do anything that I haven't tested for myself. Since I don't use Outlook, don't have any files with names like that and can't find anything about them, you'll have to hear that from somebody else or make up your own mind after we've discovered all we can about it.


I will tell you that this file is harmless to you unless you use it to send private data to someone. My guess is that it's an attachment to a message that may or may not still exist in an Outlook mailbox and could well be Windows only.

Nov 10, 2013 3:54 PM in response to MadMacs0

Hi


I tried the strings ~/... command you suggested and it says 'No such file or directory'. I also tried revealing it in Finder and opening it, but it prompts me to choose an application to view the contents of the file, so I haven't done anything about that. I updated Outlook yesterday, emptied the cache, emptied the trash in Outlook, and emptied the Deleted Messages folder. And it still shows up after the ClamXav scan. Is there anything else I can do to get rid of it?

Nov 10, 2013 4:40 PM in response to inc2022

inc2022 wrote:


Hi


I tried the strings ~/... command you suggested and it says 'No such file or directory'.

Then you haven't given me enough information on the path. Either:


- In ClamXav open the Scan Log by clicking the icon on the tool bar

- When the "clamXav-scan.log" window opens, you will only be looking at the most recent results

- Select Find->Find from the Edit menu or type Command-F

- Type "FOUND" in all caps and without the quotes in the Find box

- Uncheck the "Ignore case" box and hit enter

- Click the "Next" button or type Command-G until you find what you are looking for

- If it doesn't show up in the most recent results, use the "▲ Earlier|" button in the lower right corner of the window to move back through the log.

- Then copy and paste the entry for that file back here.


or


The next time you scan follow these instructions so that I know the exact path to the file and can reconfigure the strings command for you:


To get detailed information on what ClamXav has found, click in the top pane of the ClamXav window showing the Infection / File Name / Status to make sure it's in front and type Command-A, Command-C (or choose "Select All", "Copy" from the "Edit" menu) to copy the information to your clipboard, then come back here and type Command-V or choose "Paste" to show us what was found where.


You can substitute "~" for "/Users/<yourusername>" if you are sensitive to revealing that.

Nov 13, 2013 12:40 PM in response to MadMacs0

I have copied and pasted the entire path as you said:


/Users/<username>/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records/Message Sources/0T/0B/0M/59K/x27_59278.olk14MsgSource: Email.Phishing.Blackhole FOUND


/Users/<username>/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records/Message Sources/0T/0B/0M/77K/x27_77299.olk14MsgSource: Email.Phishing.Blackhole FOUND


I am not sure if this could be related or not, but I am just letting you know: I sent an email last week with an attached Microsoft Word document and the receiver told me it was infected with something called bloodhound. And I was not alerted of anything of that sort by ClamXav or Symantec. I don't know if these events are related or not, but since you are helping me with this whole thing, I just wanted to throw it out there in case it will help you figure out what might be going on.


I really appreciate your help. Thanks a lot!

Nov 14, 2013 7:31 PM in response to inc2022

It's been so long, I forgot what we were doing. Looks like we were trying to find out what text that e-mail contains using Terminal.


So again, open the Terminal app (found in /Applications/Utilities/). Triple-click the following and type Command-C to copy it to the clipboard, then paste it into the terminal window after the "$ " prompt using Command-V.

strings ~/Documents/Microsoft\ User\ Data/Office\ 2011\ Identities/Main Identity/Data\ Records/Message\ Sources/0T/0B/0M/59K/x27_59278.olk14MsgSource

Copy and paste the results back here. Note that there may be user data in the results (e.g. your e-mail address) which you should delete from the entry.


Now for the second one:

strings ~/Documents/Microsoft User Data/Office\ 2011\ Identities/Main\ Identity/Data\ Records/Message\ Sources/0T/0B/0M/77K/x27_77299.olk14MsgSource

As far as

I sent an email last week with an attached Microsoft Word document and the receiver told me it was infected with something called bloodhound.

Without the full name of the infection and what A-V software found it, I can't do much. There have been over 200,000 files uploaded to VirusTotal.com where some sort of "bloodhound" infection was detected by one or more A-V scanners. By comparison, I could only find three with "Email.Phishing.Blackhole", and only ClamXav detected them, which makes me a bit suspicious. So I don't think there's any connection, but I can't be certain.


The definition for your infection was added to the ClamAV® database back in April, 2012, so it's not anything new. I did find one other user in the ClamXav Forum that reported finding it here.


I think that's enough until we see what's contained in those files.

Nov 14, 2013 7:58 PM in response to MadMacs0

Ok, so I copied and pasted the first thing: strings ~/Documents/Microsoft\ User\ Data/Office\ 2011\ Identities/Main Identity/Data\ Records/Message\ Sources/0T/0B/0M/59K/x27_59278.olk14MsgSource


This is what I got:


LPER<xxxx>:~ <username>$ strings ~/Documents/Microsoft\ User\ Data/Office\ 2011\ Identities/Main Identity/Data\ Records/Message\ Sources/0T/0B/0M/59K/x27_59278.olk14MsgSource

strings: can't open file: /Users/<username>/Documents/Microsoft User Data/Office 2011 Identities/Main (No such file or directory)

strings: can't open file: Identity/Data Records/Message Sources/0T/0B/0M/59K/x27_59278.olk14MsgSource (No such file or directory)



And with the second one: strings ~/Documents/Microsoft User Data/Office\ 2011\ Identities/Main\ Identity/Data\ Records/Message\ Sources/0T/0B/0M/77K/x27_77299.olk14MsgSource,


I got:


LPER<xxxx>:~ <username>$ strings ~/Documents/Microsoft User Data/Office\ 2011\ Identities/Main\ Identity/Data\ Records/Message\ Sources/0T/0B/0M/77K/x27_77299.olk14MsgSource

strings: can't open file: /Users/<username>/Documents/Microsoft (No such file or directory)

strings: can't open file: User (No such file or directory)

strings: can't open file: Data/Office 2011 Identities/Main Identity/Data Records/Message Sources/0T/0B/0M/77K/x27_77299.olk14MsgSource (No such file or directory)


I don't know any other information about the bloodhound, or what anti-virus was used to detect it. I will try to get that information from the person who received my email.

Nov 14, 2013 8:33 PM in response to inc2022

Sorry. Now that I've had a chance to configure a mockup on my computer and test them I see what I left out.


I notice that the actual file name has changed over time. Not certain why that would be, but I hope we don't have a moving train here.


So the revised commands are:

strings ~/Documents/Microsoft\ User\ Data/Office\ 2011\ Identities/Main\ Identity/Data\ Records/Message\ Sources/0T/0B/0M/59K/x27_59278.olk14MsgSource

and

strings ~/Documents/Microsoft\ User\ Data/Office\ 2011\ Identities/Main\ Identity/Data\ Records/Message\ Sources/0T/0B/0M/77K/x27_77299.olk14MsgSource

Nov 14, 2013 8:44 PM in response to MadMacs0

For this one: LPERxxx:~ <username>$ strings ~/Documents/Microsoft User Data/Office\ 2011\ Identities/Main\ Identity/Data\ Records/Message\ Sources/0T/0B/0M/77K/x27_77299.olk14MsgSource

I got:

strings: can't open file: /Users/<username>/Documents/Microsoft (No such file or directory)

strings: can't open file: User (No such file or directory)

strings: can't open file: Data/Office 2011 Identities/Main Identity/Data Records/Message Sources/0T/0B/0M/77K/x27_77299.olk14MsgSource (No such file or directory)


And for LPERxxxx:~ <username>$ strings ~/Documents/Microsoft\ User\ Data/Office\ 2011\ Identities/Main\ Identity/Data\ Records/Message\ Sources/0T/0B/0M/59K/x27_59278.olk14MsgSource


I got:


strings: can't open file: /Users/<username>/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records/Message Sources/0T/0B/0M/77K/x27_77299.olk14MsgSource (No such file or directory)


So if it's travelling, then do I have to run the scan again and look for the contents of the file following the same procedure after changing the path to whatever it turns out to be?


Nov 14, 2013 9:18 PM in response to inc2022

inc2022 wrote:


So if it's travelling, then do I have to run the scan again and look for the contents of the file following the same procedure after changing the path to whatever it turns out to be?

Looks that way.


Let's try this just to make sure that I've got the first part right:

ls -lR ~/Documents/Microsoft\ User\ Data/Office\ 2011\ Identities/Main\ Identity/Data\ Records/Message\ Sources/0T/0B/0M/

then go ahead and run the scan on ~/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records/Message Sources/

Nov 15, 2013 9:11 AM in response to inc2022

After giving it some thought over-night, I think this would all be much easier if I talk you through something a little more complex, but should save a lot of time in the process.


  • After completing the scan, do a right-click / control-click on an entry and select "Reveal In Finder".
  • When the window opens, arrange things so that you can see both the file and an open Terminal window.
  • In the terminal window type "strings " without the quotes and note the single space after the word.
  • Now click on the infected file in the Finder window and drag it to the Terminal window, releasing it there to copy the path to the file.
  • Now click on the Terminal window and hit return.


Do the same with the second file.

Nov 15, 2013 11:00 AM in response to MadMacs0

Ok, this time with the scan I got only one file with Email.Phishing.Blackhole, and I followed your instructions and this is what I got after hitting enter in Terminal:


MSrc

UHDelivered-To: <myemailID>

Received: by 10.67.14.65 with SMTP id fe1csp46728pad; Fri, 23 Aug 2013

13:03:42 -0700 (PDT)

X-Received: by 10.68.125.226 with SMTP id mt2mr1460481pbb.115.1377288222051;

Fri, 23 Aug 2013 13:03:42 -0700 (PDT)

Return-Path: <bounces.usair@myusairways.com>

Received: from myusairways.com (usad.myusairways.com. [67.131.29.33]) by

mx.google.com with ESMTP id ds3si764935pbb.109.1969.12.31.16.00.00; Fri, 23

Aug 2013 13:03:42 -0700 (PDT)

Received-SPF: pass (google.com: domain of bounces.usair@myusairways.com

designates 67.131.29.33 as permitted sender) client-ip=67.131.29.33;

Authentication-Results: mx.google.com; spf=pass (google.com: domain of

bounces.usair@myusairways.com designates 67.131.29.33 as permitted sender)

smtp.mail=bounces.usair@myusairways.com; dkim=policy (weak key)

header.i=@myusairways.com

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=myusairways.com;

s=mua; t=1377201592; bh=8D3/6DJyNYzVWsRd9dHgERYPQKFTgp8dOv3eY0C9FPI=;

h=DomainKey-Signature:Date:Message-Id:From:Reply-To:To:Subject:

MIME-Version:X-Mailer:List-Unsubscribe:Content-Type:

Content-Transfer-Encoding;

b=ez22EH5wYOYdFHLY9ifWgiPJ7/J5TS/sHndTOHj6UeqHfuq+FtxVbNHtMI3iD1glY

FRSeS8ZsuP2iry7bC2VTjC5Csi2QypGa6kvY3inUkaoKdAEap+kTauyUEYFIG7b

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=mua; d=myusairways.com;

h=Date:Message-Id:From:Reply-To:To:Subject:MIME-Version:X-Mailer:List-Unsubscribe:Content-Type:Content-Transfer-Encoding;

b=RUDq8u25RMX8edUL8OifobMPxZmWpOT/ISHNK/FNnQsffboXxT8+i+64PirJnnUrCQXHNZO7TjTAS/wj2lEJPR4JBhoCiURF+/mNwLxSQ03uSaCdBCZuO4P2HEpJqfc9;

Date: Fri, 23 Aug 2013 12:59:52 -0700

Message-Id: <1377287992.eb40.USAZ.2228715.1244263377MSOSI1.33OSIMS@myusairways.com>

From: "US Airways - Reservations" <reservations@myusairways.com>

Reply-To: "US Airways - Reservations" <reservations@myusairways.com>

To: <myemailID>

Subject: US Airways check-in reminder

MIME-Version: 1.0

X-Mailer: ZetaMail50

List-Unsubscribe: <mailto:listunsub+LU+USAZ+2228715+1244263377+<myemail>=gmail.com@myusairways.com>

Content-Type: text/html; charset="UTF-8"

Content-Transfer-Encoding: quoted-printable
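As an added example (not from this thread, ClamXav or Outlook), the script below reproduces the quoting failure behind the "can't open file: Microsoft" errors seen earlier in the thread, using a constructed stand-in for the Data Records tree, and then pulls out the headers a defender reads first (From, Reply-To, Return-Path, Received-SPF, Authentication-Results, Subject) once the path is properly quoted. The directory under mktemp, the file contents and the victim@example.invalid address are constructed; tr and grep stand in for the strings command so it runs where binutils is absent.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows why an unquoted path with
# spaces breaks `strings`, then extracts authentication-relevant headers from
# a message-source file once the path is quoted. Uses tr/grep in place of the
# `strings` binary so the script runs on any POSIX system.
set -eu

# Constructed stand-in for the Outlook 2011 Data Records tree, with the same
# space-laden directory names as the real one.
WORK=$(mktemp -d)
MSG_PATH="$WORK/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records/Message Sources/0T/0B/0M/77K/x27_77299.olk14MsgSource"
mkdir -p "$(dirname "$MSG_PATH")"
# Constructed sample: a short binary prefix, then headers shaped like the ones posted.
printf 'MSrc\000\001\002UH' > "$MSG_PATH"
cat >> "$MSG_PATH" <<'EOF'
Delivered-To: victim@example.invalid
Return-Path: <bounces.usair@myusairways.com>
Received-SPF: pass (google.com: domain of bounces.usair@myusairways.com designates 67.131.29.33 as permitted sender) client-ip=67.131.29.33;
Authentication-Results: mx.google.com; spf=pass dkim=policy (weak key) header.i=@myusairways.com
From: "US Airways - Reservations" <reservations@myusairways.com>
Reply-To: "US Airways - Reservations" <reservations@myusairways.com>
Subject: US Airways check-in reminder
Content-Type: text/html; charset="UTF-8"
EOF

# How many arguments an UNQUOTED path expands to: every space starts a new word,
# which is why the shell reported "can't open file: Microsoft", "User", "Data/...".
count_words() {
    # shellcheck disable=SC2086  # the missing quotes are the point here
    set -- $1
    echo $#
}

# Portable stand-in for `strings -n 4 "$file"`: printable runs of 4+ characters.
printable_runs() {
    tr -c '[:print:]\n' '\n' < "$1" | grep -E '.{4,}'
}

# The headers to read first: who the mail claims to be from, where replies and
# bounces go, and what the receiving MTA concluded about SPF/DKIM.
auth_headers() {
    printable_runs "$1" | grep -E '^(From|Reply-To|Return-Path|Received-SPF|Authentication-Results|Subject):'
}

echo "unquoted path splits into $(count_words "$MSG_PATH") words"
auth_headers "$MSG_PATH"
```

Dragging the file from Finder into Terminal, as suggested later in the thread, produces exactly the backslash-escaped form that count_words shows is needed.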
