email malware


dvk01

Thread Starter
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
http://myonlinesecurity.co.uk/

We are still seeing a fair number of malicious Word docs and Excel XLS spreadsheets with malicious macros being spread by email. The numbers getting through have reduced quite a bit from their peak a few weeks ago due to improvements in spam filters and many email servers updating SpamAssassin to a newer version that has better detection rates based on the amount of mail being sent from the sending IP or server (if it is suddenly more than usual it will get flagged and treated as spam).

However, we are seeing a massive increase again in Upatre, which is the downloader for CryptoLocker/CryptoWall and other nasties. These are using age-old tricks and pretending to be PDF files inside a zip. Many of the subjects are banking related or Voicemail or "you have received a fax".
All of which are age-old subjects but always catch a fair number of unwary victims. Please warn your users and be aware that CryptoWall is effectively unfixable at this time. The only cure is a good recent backup to restore the encrypted data.
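The post above describes two attachment patterns: a zip whose member is really a Windows executable dressed up as a PDF (double extension such as `.pdf.exe`), and Office documents carrying VBA macros. The triage script below is an added example, not code from the original post or from the linked site; it checks attachments by magic bytes rather than trusting the file name, recurses one level into plain zip archives, and flags OOXML documents that contain a `vbaProject.bin` part. All sample bytes are constructed for the example and are not real malware; the 50 MB member cap is an arbitrary choice.

```python
"""Email attachment triage: look past the file name at what the bytes are.
All sample inputs below are constructed for this example (not real malware)."""
import io
import os
import zipfile

PE_MAGIC = b"MZ"                                  # Windows executable
ZIP_MAGIC = b"PK\x03\x04"                         # zip / OOXML (docx, xlsx, docm)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office (doc, xls)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".cpl"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
MAX_MEMBER_BYTES = 50_000_000   # arbitrary cap so a zip bomb is skipped, not read
MAX_DEPTH = 2                   # nested archives are inspected two levels deep


def container_type(data: bytes) -> str:
    """Identify the container by its magic bytes, ignoring the file name."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(OLE_MAGIC):
        return "ole"
    return "other"


def triage_attachment(name: str, data: bytes, depth: int = 0) -> list:
    """Return human-readable findings for one attachment; [] means nothing flagged."""
    findings = []
    kind = container_type(data)
    stem, ext = os.path.splitext(name.lower().strip())

    if kind == "pe":
        findings.append(f"{name}: PE executable content (MZ header)")
    if ext in EXECUTABLE_EXTS:
        findings.append(f"{name}: executable extension {ext}")
        inner_ext = os.path.splitext(stem)[1]
        if inner_ext in DOCUMENT_EXTS:
            findings.append(f"{name}: double extension, masquerades as {inner_ext}")
    if kind == "ole" and ext in {".doc", ".xls", ".dot", ".xlt"}:
        # Legacy formats keep macros inside OLE streams; parsing them needs a
        # dedicated tool (oletools' olevba), so only flag the file for inspection.
        findings.append(f"{name}: legacy OLE Office document, inspect for VBA")
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    findings.append(f"{name}: Office document contains a VBA macro project")
                elif "[Content_Types].xml" not in names and depth < MAX_DEPTH:
                    # Plain archive (not an OOXML document): inspect each member.
                    for info in zf.infolist():
                        if info.file_size > MAX_MEMBER_BYTES:
                            findings.append(f"{name}/{info.filename}: oversized member skipped")
                            continue
                        member = zf.read(info)
                        findings.extend(f"{name}/{f}" for f in
                                        triage_attachment(info.filename, member, depth + 1))
        except zipfile.BadZipFile:
            findings.append(f"{name}: zip magic but archive is corrupt")
    return findings


def _zip_bytes(entries: dict) -> bytes:
    """Build an in-memory zip from {member_name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n, content in entries.items():
            zf.writestr(n, content)
    return buf.getvalue()


# Constructed samples, mimicking the subjects mentioned in the post.
FAKE_FAX_ZIP = _zip_bytes({"Fax_report_0412.pdf.exe": PE_MAGIC + b"\x90" * 200})
MACRO_DOC = _zip_bytes({"[Content_Types].xml": "<Types/>",
                        "word/document.xml": "<w:document/>",
                        "word/vbaProject.bin": OLE_MAGIC + b"\x00" * 64})
CLEAN_DOCX = _zip_bytes({"[Content_Types].xml": "<Types/>",
                         "word/document.xml": "<w:document/>"})
REAL_PDF = b"%PDF-1.4\n%%EOF\n"

if __name__ == "__main__":
    for fname, blob in [("Fax_report_0412.zip", FAKE_FAX_ZIP), ("invoice.docm", MACRO_DOC),
                        ("report.docx", CLEAN_DOCX), ("statement.pdf", REAL_PDF)]:
        for line in triage_attachment(fname, blob) or [f"{fname}: no findings"]:
            print(line)
```

The name check alone would miss a renamed executable, and the magic check alone would miss a `.scr` that has not been fetched yet, so the two are deliberately reported separately; a mail gateway would normally quarantine on either.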
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Derek - I have seen one of those recent "crypto" infections in my work.... it was not fixable, nor did the recent notice that if you upload a sample file there could be a decryption possible work for this one >> https://www.decryptcryptolocker.com/ ; that did not see any CryptoLocker.

I found that the infection added a file extension that looked like this: mhqqjhtk (not exactly but very similar)

and the decrypt tool did not "see" any crypto locker encryption.....

the desktop screen declared

CBT-Locker with all the warnings about not bothering with trying to fix anything, and they offered 5 free file decryptions....all the things

that go along with the locker..... I guess some variants don't really encrypt as much as append files .... if you opened a text file etc it was just gibberish.....

Hardly any tools would open or run, and a lot of them would not run in ANY MODE. Rkill, Malwarebytes, McAfee Stinger, etc. would not even open or, if they did, would not install and run..... not in safe mode either. I did get ComboFix to run..... I am not sure which tool it was, but it was a black text-only screen....... and I watched all the appended files being deleted one by one....... a complete batch delete of all the affected .JPEG and other picture AND TEXT FILES! I tried a lot of tools.... and one of them triggered the batch deletion.

And after that..... I worked some more. I had already been able to get rid of the CB locker screen and some of its random executables....... but still a lot of tools would not work at all......

Booted with a bootcd and got TDSSKiller and ran it to detect rootkit and loaded modules...it hit on Cidox.B and cured it and rebooted....then, everything ran and installed.......

I booted a Kaspersky Rescue CD brand new updated version..... that ran, and got rid of things ComboFix had quarantined.

That message it displayed was in fact, correct, and there was no way to save any files with that infection.


Anyway: Do you know if the CryptoPrevent utility can keep users from getting infected with this newer type?

http://www.foolishit.com/vb6-projects/cryptoprevent/

AND, I am seeing even in my personal email boxes..... a large amount of fake UPS notices..... banking items..... offers of Nigerian-type riches..... schemes of all kinds lately, just as you say.

I use Gmail and it catches pretty much all the fake spammy stuff so I am glad they are able to.
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Yes, I put "CBT-locker"; I should have written "CTB"..... and it definitely did delete pics, documents, etc. as soon as some malware removal tools were begun. Very nasty. Perhaps soon this variant will be able to be decrypted.
 