
email malware

Discussion in 'General Security' started by dvk01, Jan 23, 2015.

Thread Status:
Not open for further replies.
  1. dvk01

    dvk01 Moderator Malware Specialist Thread Starter

    Dec 14, 2002

    We are still seeing a fair number of malicious Word docs and Excel XLS spreadsheets with malicious macros being spread by email. The numbers getting through have reduced quite a bit from their peak a few weeks ago due to improvements in spam filters and many email servers updating SpamAssassin to a newer version that has better detection rates based on the amount of mail being sent from the sending IP or server (if it is suddenly more than usual it will get flagged and treated as spam).

    However, we are seeing a massive increase again in Upatre, which is the downloader for CryptoLocker/CryptoWall and other nasties. These are using age-old tricks and pretending to be PDF files inside a zip. Many of the subjects are banking related or "Voicemail" or "you have received a fax".
    All of which are age-old subjects but always catch a fair number of unwary victims. Please warn your users and be aware that CryptoWall is effectively unfixable at this time. The only cure is a good recent backup to restore the encrypted data.
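    The two lures described above (an executable hiding behind a ".pdf.exe" double extension inside a zip, and an Office document carrying a VBA macro project) can both be spotted at the mail gateway before a user ever opens them. The following is an added example written for this thread, not a tool from the original poster or from Tech Support Guy: a small Python triage routine that walks a zip attachment, flags disguised executables, and checks OOXML documents for an embedded `vbaProject.bin`. The attachment contents are constructed in memory for the demonstration; the extension lists and the `inspect_attachment` name are the example's own choices.

```python
import io
import zipfile

# Extensions that should never arrive dressed up as a document (example's own list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jse", ".wsf"}
# "Innocent" extensions typically placed in front of the real one, e.g. Invoice.pdf.exe
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
OFFICE_EXTS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm"}
# Members of an OOXML package (docx/xlsx/pptx) that hold a VBA macro project.
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Magic bytes of the legacy OLE2 container used by .doc/.xls (needs an OLE parser for macro checks).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def split_exts(name):
    """Return every extension on the base name, lower-cased: 'a/b.pdf.EXE' -> ['.pdf', '.exe']."""
    base = name.lower().rsplit("/", 1)[-1]
    return ["." + p for p in base.split(".")[1:]]


def check_filename(name):
    """Flag executables, and especially executables hiding behind a document extension."""
    exts = split_exts(name)
    findings = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append(f"executable attachment: {name}")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension disguised as document: {name}")
    return findings


def check_office(name, data):
    """Look inside an Office file for a VBA project; legacy OLE2 files are only reported, not parsed."""
    findings = []
    if data.startswith(OLE_MAGIC):
        findings.append(f"legacy OLE2 Office file, macro check needs an OLE parser: {name}")
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            for member in MACRO_MEMBERS:
                if member in names:
                    findings.append(f"Office document carries VBA macros ({member}): {name}")
    return findings


def inspect_attachment(name, data, depth=0):
    """Recursively triage one attachment; returns a list of human-readable findings."""
    findings = check_filename(name)
    exts = split_exts(name)
    if exts and exts[-1] == ".zip" and depth < 2 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                if info.is_dir():
                    continue
                findings += inspect_attachment(f"{name}/{info.filename}", z.read(info), depth + 1)
    elif exts and exts[-1] in OFFICE_EXTS:
        findings += check_office(name, data)
    return findings


def should_quarantine(name, data):
    return bool(inspect_attachment(name, data))


def build_zip(members):
    """Helper to construct sample zip attachments in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for member_name, content in members.items():
            z.writestr(member_name, content)
    return buf.getvalue()


# Constructed samples, not real malware: an Upatre-style lure, a macro-bearing document, a clean PDF.
SAMPLE_UPATRE_STYLE = build_zip({"Fax_report_2015.pdf.exe": b"MZ" + b"\x00" * 64})
SAMPLE_MACRO_DOC = build_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\x00" * 16,
})
SAMPLE_CLEAN = build_zip({"Statement_January.pdf": b"%PDF-1.4\n"})

if __name__ == "__main__":
    for label, data in [("Voicemail.zip", SAMPLE_UPATRE_STYLE),
                        ("Invoice.docm", SAMPLE_MACRO_DOC),
                        ("Statement.zip", SAMPLE_CLEAN)]:
        print(label, "->", inspect_attachment(label, data) or "no findings")
```

The zip walk stops two levels deep so a nested-archive bomb cannot drive the scanner into unbounded recursion, and legacy `.doc`/`.xls` files are surfaced rather than silently passed, since their macro streams live inside an OLE2 container that `zipfile` cannot read.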
  2. Byteman

    Byteman Gone but Never Forgotten

    Jan 24, 2002
    Derek, I have seen one of those recent "crypto" infections in my work.... was not fixable, nor did the recent notice that if you upload a sample file, there could be a decryption possible work for this one >> https://www.decryptcryptolocker.com/ that did not see any CryptoLocker.

    I found that the infection added a file extension that looked like this: mhqqjhtk (not exactly but very similar)

    and the decrypt tool did not "see" any crypto locker encryption.....

    the desktop screen declared

    CBT-Locker with all the warnings about not bothering with trying to fix anything, and they offered 5 free file decryptions....all the things

    that go along with the locker..... I guess some variants don't really encrypt as much as append files .... if you opened a text file etc it was just gibberish.....

    Hardly any tools would open or run, and a lot of them would not run in ANY MODE. Rkill, Malwarebytes, McAfee Stinger, etc. would not even open or, if they did, would not install and run..... not in safe mode either. I did get ComboFix to run..... I am not sure which tool it was, but it was a black text-only screen....... and I watched all the appended files being deleted one by one....... a complete batch delete of all the affected .JPEG and other picture AND TEXT FILES! I tried a lot of tools.... and one of them triggered the batch deletion.

    And after that..... I worked some more. I had already been able to get rid of the CB locker screen and some of its random executables....... but still a lot of tools would not work at all......

    Booted with a boot CD and got TDSSKiller and ran it to detect rootkits and loaded modules... it hit on Cidox.B and cured it and rebooted.... then everything ran and installed.......

    I booted a Kaspersky Rescue CD, brand new updated version..... that ran, and got rid of things ComboFix had quarantined.

    That message it displayed was, in fact, correct, and there was no way to save any files with that infection.

    Anyway::: Do you know if the CryptoPrevent utility can keep users from getting infected with this newer type?


    AND> I am seeing even in my personal email boxes.....a large amount of fake UPS notices..... banking items.....offers of Nigerian type riches..... schemes of all kinds lately, just as you say.

    I use Gmail and it catches pretty much all the fake spammy stuff so I am glad they are able to.
  3. flavallee

    flavallee Trusted Advisor

    May 12, 2002
  4. Byteman

    Byteman Gone but Never Forgotten

    Jan 24, 2002
    Yes, I put "CBT-locker"; I should have written "CTB"..... and it definitely did delete pics, documents, etc. as soon as some malware removal tools were begun. Very nasty. Perhaps soon this variant will be able to be decrypted.
Short URL to this thread: https://techguy.org/1141739