Virus "link" in e-mail?

[Sanjaya]

A the son of a friend of mine had his computer majorly screwed with when
he clicked a seemingly innocuous link in a spoofed email.

Holding the cursor over the email link shows this is the status bar
javascript:dl('http://www.***search.net/test');

I have substituted asterisks for 3 letters in the fake link.
The email shows what appears to be a real link to
http://www.***search.net/test
but a right click/"copy link" gives the result showing javascript
(that is a paste of what actually copied)

I don't know how to explain it to them properly.
Any suggestions?

The missing letters are a 3 letter word for feline if anyone's interested.

 

[Adam Piggott]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A the son of a friend of mine had his computer majorly screwed with when
he clicked a seemingly innocuous link in a spoofed email.

Holding the cursor over the email link shows this is the status bar
javascript:dl('http://www.***search.net/test');

I have substituted asterisks for 3 letters in the fake link.
The email shows what appears to be a real link to
http://www.***search.net/test
but a right click/"copy link" gives the result showing javascript
(that is a paste of what actually copied)

I don't know how to explain it to them properly.
Any suggestions?

The missing letters are a 3 letter word for feline if anyone's interested.

Well looking at a Google search of the web address it rings some alarm
bells; "adult" sites often serve up viruses, spyware or computer exploits.

What has probably happened is that their email client was told to download
a malicious program from a web site at the above address. It may have
required a user to click on the link or could have had code inside the
email which triggered it.

They should use a more secure email program (Thunderbird has a good track
record so far), should *never* read email in HTML mode and absolutely must
keep their operating system up-to-date with the latest security updates.

HTH

Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)

iD8DBQFETVNV7uRVdtPsXDkRAsASAJ9fF/Ra+tmYOibsPZuHZc1JYejpSQCglAro
/c/rEdswDpHvNUdqPLIb8mQ=
=0bVz
-----END PGP SIGNATURE-----

 

[Sanjaya]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Well looking at a Google search of the web address it rings some alarm
bells; "adult" sites often serve up viruses, spyware or computer exploits.

What has probably happened is that their email client was told to download
a malicious program from a web site at the above address. It may have
required a user to click on the link or could have had code inside the
email which triggered it.

They should use a more secure email program (Thunderbird has a good track
record so far), should *never* read email in HTML mode and absolutely must
keep their operating system up-to-date with the latest security updates.

Thanks.