Eudora mailbox is quarantined after a worm is detected

 

Update:
21 JUN 00 - Norton AntiVirus cannot quarantine Eudora's INBOX when it resides on the mail server. Therefore, Eudora should be configured as an IMAP rather than POP client. When configured as IMAP and a worm is detected, Norton will quarantine the affected file(s) but not the INBOX.

Situation:
Norton AntiVirus (NAV) has detected a worm, such as Wscript.Kak.Worm, within a message that is contained in your Eudora Inbox (In.mbx). The entire Inbox has been placed in NAV Quarantine.

Solution:
NOTE:
This document refers to Wscript.Kak.Worm, but this problem could be seen with other worms as well.

VBS.KakWorm is a worm that spreads using Microsoft Outlook Express. The worm attaches itself to all outgoing messages using the Signature feature of Outlook Express. Even though this worm cannot be run in email programs other than Outlook Express, if you receive an infected email and then forward it, the worm will be forwarded along with it. To prevent this, Norton AntiVirus (NAV) will detect the worm, and, because the Eudora Inbox is a single file, the Inbox file (In.mbx) is quarantined. If you then download more email, Eudora will recreate the missing Inbox.

To resolve this problem, you need to copy any messages that you want to save to another mailbox, and then delete the In.mbx and In.toc files.

Please follow these steps:

1. Start Norton AntiVirus and click Disable. The message to the left changes to "Auto-Protect is disabled."

2. Start Eudora, and check to see whether your Inbox has been recreated. If it has not, go on to the next step. If it has, and if it contains any new mail that you want to save, copy the messages to another mailbox.

3. Exit Eudora.

4. Using Windows Explorer, browse to your Eudora folder.

5. Locate and select the following files, and then press Delete:

In.mbx
In.toc

NOTE: The In.mbx will only be present if your Inbox was recreated.

6. Start NAV, and then click Quarantine.

7. Select the quarantined Inbox.

8. Find the infected message or messages:

   1. Start Eudora, and then open the Inbox.
   2. Open each message, and examine the signature area of each one. Look for a signature containing text that refers to "C:\WINDOWS\kak.htm" (or a similar message). For example, instead of a normal signature such as "Sincerely, Bill Andrews", you see "C:\WINDOWS\kak.htm".
   3. Delete any messages that you find that contain this text.
   4. Exit Eudora.

9. Start Norton AntiVirus, and then click Enable. The message to the left changes to "Auto-Protect is enabled."
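
The check in step 8 can also be run over a copy of the mailbox file rather than by opening each message by hand. The script below is an added example, not part of the original article: it assumes the mailbox separates messages with mbox-style "From " lines, and its function names and sample mailbox are constructed for illustration. It decodes each message part first, because a quoted-printable line break can split the "kak.htm" text so that a plain text search misses it.

```python
import email
import re

# Indicator from the article: the signature refers to C:\WINDOWS\kak.htm.
INDICATOR = re.compile(rb"kak\.htm", re.IGNORECASE)
# Assumption: each message starts with an mbox-style "From " separator line.
SEPARATOR = re.compile(rb"^From .*\r?\n", re.MULTILINE)

# Constructed sample mailbox: one clean message, one whose HTML signature
# carries the indicator split by a quoted-printable soft line break.
SAMPLE_MBX = (
    b"From ???@??? Wed Jun 21 09:00:00 2000\n"
    b"From: alice@example.edu\nSubject: Lunch\n\nSincerely, Bill Andrews\n"
    b"From ???@??? Wed Jun 21 09:05:00 2000\n"
    b"From: bob@example.edu\nSubject: Notes\n"
    b"Content-Type: text/html\nContent-Transfer-Encoding: quoted-printable\n\n"
    b"<html>Hi<br>C:\\WINDOWS\\ka=\nk.htm</html>\n"
)


def split_messages(raw: bytes) -> list[bytes]:
    """Return the raw bytes of each message, without its separator line."""
    marks = list(SEPARATOR.finditer(raw))
    ends = [m.start() for m in marks[1:]] + [len(raw)]
    return [raw[m.end():end] for m, end in zip(marks, ends)]


def decoded_bodies(msg):
    """Yield every non-multipart payload with base64/quoted-printable undone."""
    for part in msg.walk():
        if not part.is_multipart():
            yield part.get_payload(decode=True) or b""


def find_suspect_messages(raw: bytes) -> list[dict]:
    """List messages (1-based position) whose decoded content has the indicator."""
    hits = []
    for number, chunk in enumerate(split_messages(raw), start=1):
        msg = email.message_from_bytes(chunk)
        if any(INDICATOR.search(body) for body in decoded_bodies(msg)):
            hits.append({"number": number, "from": str(msg.get("From", "")),
                         "subject": str(msg.get("Subject", ""))})
    return hits


if __name__ == "__main__":
    for hit in find_suspect_messages(SAMPLE_MBX):
        print(hit["number"], hit["from"], hit["subject"])
```

The reported position, sender and subject identify which messages to delete in Eudora; the script itself only reads the file.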

© 2008 by the Rector and Visitors of the University of Virginia.