The "C" Branch

Jaded commentary on random shit, with an extra helping of cynicism, satire and general contempt for society & Western culture, religion, politics, celebrities, technology, business & more.

How to fix the “New Shopping New Life” Virus

Posted by Chris DeMarco on Sunday, February 8th, 2009 at 8:55 am

Recently one of my clients faced an issue where all email sent to him would be automatically responded to with the following message:

hi:
New shopping new life!
How are u doing these days?Yesterday I found a web of a large
trading company from china,which is an agent of all the well-known
digital product factories,and facing to both
wholesalers,retailsalers,and personal customer all over the world.
They export all kinds of digital products and offer most competitive
and reasonable price and high quality goods for our clients,so i think
we you make a big profit if we do business with them.And they promise
they will provide the best after-sales-service.In my opinion we can
make a trial order to test that.
Look forward to your early reply!

Further, he would also receive the same email from himself after anybody wrote to him.

All the forums and blogs I looked at to try and fix this indicated that it was a virus on the local computer, which it is not. So, I will tell you what really happened and how to resolve it properly.

Since I had just entirely reformatted my client’s computer and put on a brand new antivirus, and since scanning the computer several times before I reformatted it did not find anything, I was fairly confident that it was not a virus installed on the machine. Then, when I read that people using Mac were encountering the exact same issue, my suspicions were confirmed.

So here’s what really causes this. If you have a very insecure password (e.g. a dictionary word), there is a bot that will break your password and insert the quoted text above into both 1) Your email Signature, and 2) Your vacation responder. This way, even if you use an email client (like my client did), the vacation responder will still apply and be responded to all incoming email. I believe the bot is affecting both GMail and MSN/Hotmail accounts as of right now.

Here’s how to fix it.

  • Change your password to something secure.
    No less than 8-10 characters, always use numbers AND letters of both cases. A few symbols make it even better. For example, “shopping” is a terrible password because all a bot has to do is run through every word in the dictionary and it will break right into your email. Try something a little more like g8xQr?aR. I guarantee it’s going to be a heck of a lot more difficult to break that.
  • Remove your vacation responder and signature.
    You’ll need to log in to the web-based version of your Gmail/MSN/Hotmail account to do this, even if you normally use an email client like Outlook or Mail.app. Go to your email settings and clear out all that junk that the bot vomited in there.
  • Update your email client to use the new password.
    Don’t forget to update your email client to use your new email password or you’ll be whining about how that doesn’t work now too.

And, that’s it! No virus running on your computer (at least not causing this one), no malicious hackers sending an email every time you send one…just a little bot that took advantage of your poorly made password. Well, at least now you know for next time.


Be Sociable, Share!

If you enjoyed this post, please consider making a donation by clicking here.

Tagged in:   • email autoresponder virus • gmail autoresponder virus • gmail vacation responder virus • new shopping new life fix • new shopping new life virus • New Shopping New Life!

12 Responses to “How to fix the “New Shopping New Life” Virus”

  1. ken Says:

    so all i have to do is change my password? would anything else be affected on my computer? thanks


  2. Chris DeMarco Says:

    Ken,

    Though I would highly recommend that you perform a scan of your computer for viruses and malicious software, to answer your question, no – this ‘virus’ does not seem to affect your local machine.

    However, to scan for other security risks you might have, I recommend the Windows Live Safety Scan, available for free at http://safety.live.com

    Good luck, and please feel free to contact me at Strellix for further assistance. http://www.strellix.com


  3. BKT Says:

    How does one recover the deleted contacts? my scenario is exactly as above and all contacts were deleted.


  4. Rémy Says:

    Thank you Chris, I think your tips helped me fix this bug. By the way, how my Gmail account has been hijacked? How could someone crak my password?


  5. Yahoo! Superb Phone Support | The "C" Branch Says:

    […] individual was experiencing the “New shopping new life!” virus I wrote about a few weeks ago. It seems that this issue affects Yahoo a bit more deeply than it does Gmail, and can even wipe out […]


  6. Chris DeMarco Says:

    A hacker-bot is what compromised your password, I suspect by using a dictionary attack method. What this means is that a remote server that someone set up specifically to hack Gmail accounts with easy passwords simply went through the dictionary and tried every word until it came up with your password. Was your previous password a dictionary word?


  7. Chris DeMarco Says:

    Several people have asked how to restore deleted contacts as a result of this issue. Please see the following article regarding this issue: http://www.thecbranch.com/2009/03/31/recover-your-contacts-after-new-shopping-new-life/


  8. EMAH Says:

    My password was 9 characters, included numbers, both cases and symbols and the bot still broke it! Guess I’ll get working on my new 30-character password! :) Thanks for the help!


  9. Robb Boyd Says:

    Chris,

    Good post. This seems to fit my issue exactly. I am just now dealing with it today but I did find my auto-responder (on gmail) was activated. I have updated PW and changed a few other things. I am finding any other issues (on my Mac) so hopefully this is it. Love your bio my brother.

    In HIS name,

    Robb


  10. No Name Says:

    I’ve found this case too, i already changed my password and scan my computer.

    Thanks for your advice.

    😉


  11. Juanita Says:

    I have been hit three times, all in Yahoo! mail, though my password is not a word. First time they did not delete names. Second time they did and they were in the trash. Third time they got it right and the had completely vanished. Fortunately after the second time I exported my addresses to my gmail account (which has not been hacked) and was able to import them back again. I will try with a new password, and hope for the best!


  12. Momina Says:

    hello. thanks for the advice. one thing i’d like to know, are the accounts of the people who receive this email compromised as well?


Leave a Reply