Monday, August 25, 2008

Virus alert: Statement of fees 2008/09

I attended a client whose computer had been infected. The email had the subject "Statement of fees 2008/2009" and carried a zip attachment; the file inside the zip looked at first glance like a Word document, but was actually an executable. The anti-virus software detected that an infection had occurred, but did not stop the email contents from infecting the computer.

We tested this on another computer with a different anti-virus program, and it too failed to detect that the attachment contained malware.

Using the anti-virus software to clean up the computer didn't work, and manually removing the effects of the virus didn't remove everything, so the computer will require additional work to recover.

The attached file was submitted to the online virus scanner for review and came back as:

File: Fees_2008-2009.zip
Conclusion: malware container

File: Fees_2008-2009.doc______________.exe
Conclusion: malware

It is very important not to open a zip file which is received unexpectedly, and certainly not to run an executable unless you specifically know the source of the file and that the file is clean.

A product like OzEfilter will allow you to see the subject and sender of an email before receiving it onto your computer. In this case the sender's email address was obviously meaningless, and noticing that would have been enough to avoid this infection. Always take care with emails that carry links or attachments. One lapse of concentration can cost hundreds of dollars in repair time and lost productivity whilst the computer is down.

- Kelvin
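The attachment name reported above, Fees_2008-2009.doc______________.exe, shows the trick at work: a document extension is followed by a long run of underscores so that the real .exe extension is pushed out of view in a narrow file listing or mail client column. The following Python script is an added example (it is not OzEfilter and not code from the post) that opens a zip in memory and flags members whose final extension is executable and which carry a document extension hidden before it; the extension lists, the padding threshold and the sample archive are constructed for this illustration.

```python
import io
import re
import zipfile

# Extensions Windows runs as programs when double-clicked (constructed list for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".hta", ".cpl"}
# Extensions a recipient expects to be plain documents or images (also a constructed list).
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".rtf", ".jpg", ".png"}

# Matches a short extension at the end of the stem, followed only by spaces, underscores or dashes.
_DISGUISE_RE = re.compile(r"\.([a-z0-9]{1,5})([ _\-]*)$")


def inspect_name(name):
    """Classify one archive member name.

    Returns a dict with: executable (bool), disguised_as (the document
    extension placed before the executable one, or None) and padding
    (number of filler characters between the two extensions).
    """
    result = {"executable": False, "disguised_as": None, "padding": 0}
    base = name.rsplit("/", 1)[-1].lower()
    if not base or "." not in base:
        return result  # directory entry or a name with no extension at all
    stem, ext = base.rsplit(".", 1)
    if "." + ext not in EXECUTABLE_EXTS:
        return result
    result["executable"] = True
    m = _DISGUISE_RE.search(stem)
    if m and "." + m.group(1) in DOCUMENT_EXTS:
        result["disguised_as"] = "." + m.group(1)
        result["padding"] = len(m.group(2))
    return result


def scan_zip(data):
    """Return [(member name, inspection dict)] for every executable member
    of a zip archive held in memory; the archive contents are never executed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = inspect_name(info.filename)
            if verdict["executable"]:
                findings.append((info.filename, verdict))
    return findings


def build_sample_zip():
    """Constructed sample archive: a harmless text file beside a member named
    in the shape of the attachment from the post. The bytes are placeholders,
    not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here")
        zf.writestr("Fees_2008-2009.doc______________.exe", b"MZ placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in scan_zip(build_sample_zip()):
        print(name, verdict)
```

A mail gateway or desktop filter would run scan_zip over each zip attachment and quarantine the message when any member comes back executable, treating a non-empty disguised_as as the strongest signal; the padding count is reported separately so that a policy can distinguish a plain double extension from one deliberately pushed out of view.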

10 comments:

  1. Do you have any more info on this virus (url links)? What effects does it have?

  2. Hi,

    The most obvious is the orange and white image which is placed on the Desktop which states "Spyware detected on your computer". It also removes the tabs Desktop and Screen Saver if you check out the Display Properties.

    As to the load it carries or other damage it does, I can't say. My main aim is to alert people to take care when they see emails with zip files attached.

    I hope that helps.

    - Kelvin

  3. The virus in the attachment is a Trojan horse and, amongst other attacks, it disables Windows System Restore. Despite my warnings about these kinds of emails and attachments, my daughter foolishly unzipped the attachment and clicked on the file - result - HELP! Dad!!
    After trying many remedies, including several Anti Virus and Anti Spyware programs, the only solution was to format the C: drive and re-install XP along with all the updates and re-install all her programs - almost a whole day's work! Luckily, her disk is partitioned and all data files, music and photographs, are on the second partition.
    A salutary lesson..............

  4. I thought I had this one beat but I was left with a blue screen with no icons on the Desktop, no Taskbar, just a blue screen. In case it helps others, I found Control+Alt+Delete allowed me to bring up the Task Manager and from there I could use the Browse button of the Run command (never even knew it was there) to copy the user files I wanted to the network drive. I could also have copied the files to a USB memory stick.

    It is indeed frustrating when people infect their computer by running a program from a zip file, but we are all human and we all make mistakes.

    Thanks for the feedback.

    - Kelvin

  5. I just got this. It turned off my computer and restarted it. I am scared to turn off my computer for the night, as I fear I won't be able to turn it back on again in the morning. I do get the popup with the "X" in a red circle that says:
    YOUR COMPUTER IS INFECTED
    It is recommended to use special antispyware tools to prevent data loss..

    Then it goes on to say that I should "click here" to protect my computer. I have not clicked on it, as I figured it was a virus. I was waiting on a statement, so that is why I opened the darn thing in the first place. My McAfee alerted me to the Trojan virus as soon as I clicked on it, but it was too late. Does anyone know what this virus does long term to a computer? (I am traveling and will not be home for ten days.) Should I leave my laptop on? What should I do to remove this virus?

  6. I would suggest not to do anything a virus suggests doing. It will most likely make things worse. I don't know the load this virus carries but with viruses, I always suggest disconnecting the infected computer from the network.

    I thought I had this virus beat, but in the end it was more time effective to reload the operating system.

    I would suggest taking copies of your data if you haven't already and have the computer fixed as soon as possible. I personally wouldn't be using a computer with an infection.

    The alerts in this blog are really to let my clients and JustLocal users and interested readers know about potential threats. I use OzEfilter, a program I wrote, to avoid these types of emails.

    - Kelvin

  7. I've had about 10 of these, and variants, in the past fortnight.
    I'm bored with them.
    I've never been sent an email virus in 10 years online.
    Thankfully I never opened and executed any attachment as it was obvious to me what they were.
    What's sad is that some people will get infected.

  8. I agree. I think it is particularly sad. Most people fortunately will realise and simply delete the email if they receive it, but there are hundreds, if not thousands who will get tricked.

    - Kelvin

  9. Just received one of these myself, a zip file probably containing a .exe program.

    Probably won't affect a Mac but thought I'd chip in. Sender was Nina Womack from tefhqbuhfb@pyramidprinting.com (but probably not THE Nina Womack).

  10. My wife clicked yesterday (10th Oct) on such a zip file in her email. The Windows XP user interface was taken over with lots of scary messages immediately. Her PC runs Symantec antivirus (not the most recent) and Zone firewall - none of these noticed - that we noticed... Took the drive out and connected it to another PC. I ran the latest Symantec antivirus scan on it - 21 items either deleted or quarantined. See results below; some detail removed. Have not yet tried to put the drive back in - want to run some other tests - so do not know how it would work. But we have not lost data. Cheers pater noster


    Risk,Action,Count,Filename,Risk Type,Original Location,Computer,User,Status,Current Location,Primary Action,Secondary Action,Logged By,Action Description,Date
    Trojan Horse,Quarantined,1,A0251695.exe,File
    Hacktool.Rootkit,Cleaned by deletion,1,A0251694.sys,File,
    Trojan.Pandex,Cleaned by deletion,1,A0251693.sys,File,
    Hacktool.Rootkit,Cleaned by deletion,1,A0251692.sys,File
    Packed.Generic.182,Cleaned by deletion,1,A0251691.exe,
    Trojan Horse,Quarantined,1,A0251690.exe,File,
    Trojan Horse,Quarantined,1,A0251689.exe,File,
    Packed.Generic.182,Cleaned by deletion,1,A0251688.exe,Heuristics,
    Joke.Blusod,Quarantined,2,A0251687.scr,Security Risk (On),
    Packed.Generic.182,Cleaned by deletion,1,rld8.tmp,Heuristics,
    Packed.Generic.182,Cleaned by deletion,1,rld2C.tmp,Heuristics,
    Trojan Horse,Quarantined,1,rs32net.exe,File,
    Trojan.Blusod,Cleaned by deletion,10,phclkjj0ec35.bmp,File,
    Hacktool.Rootkit,Cleaned by deletion,1,beep.sys,File,
    Trojan.Pandex,Cleaned by deletion,1,ati4mqxx.sys,File,
    Hacktool.Rootkit,Cleaned by deletion,1,beep.sys,File,
    Packed.Generic.182,Cleaned by deletion,1,rep[1].exe,Heuristics,
    Trojan Horse,Quarantined,1,lspr[2].exe,File,
    Trojan Horse,Quarantined,1,lspr[1].exe,File,
    Packed.Generic.182,Cleaned by deletion,1,rep[1].exe,Heuristics,
    Joke.Blusod,Quarantined,1,blphclkjj0ec35.scr,Security Risk (On)

    ...end...
