Important- Read This: I was sent Dangerous Malware in a Message

[eoinfinnegan]

I was sent an excel document yesterday and the sender asked me to quote for translation. This document contained a very new and clever malware which can record passwords and possibly a lot more.
I noticed it as I was looking for something else, otherwise I would not have known.

The document asked me to give it permission to open as “it was created on a newer version of Excel”. I did so, and this allowed it to access my computer.

It has set up a variety of things and so I am working through it now.
This is all I could find about it online.
https://malwr.com/analysis/NDI4YzkwNWM1NzA1NDZiZDllNzQ4YzlkMGJlYjE2M2U/#

Be very careful opening attachments.
I should have noticed that it was acting strangely, but didnt. It wouldn’t open on my phone, the permission was odd - usually old versions of MS software can open new documents etc.

Unfortunately, I am going to have to wait til I am sure its dealt with before sending any more attachments to clients which might cause some problems.
I am reporting to CS now, if you get a similar problem, report it asap.

If you are unsure about a document, do not open it or give it any permissions. Instead, message the buyer and ask them for it in a different format. If they are genuine then they will most likely not mind, if they are not genuine then they will probably not respond.

[eoinfinnegan]

Also, if you are a victim of this kind of thing, do not go and change your passwords. This could give your passwords to them. Instead, use a different computer until the malware is removed.

[zubairfb]

Thanks for helping…

[misscrystal]

Thank you for the warning. What is the extension for this type of document?
Is it .XLS?

[nasio2k3]

Thank you for the info.

[eoinfinnegan]

Yes, it is xls.

[rahulgraphics]

Always scan the attachments as soon as you download them with the best antivirus. I have Kaspersky Total Security. I do scan all attachment. Or Else Add port 80 to your antivirus so that it monitor every file you download from internet. Its alternate is port 8080. I have added both to my antivirus. That way you could ensure that the files you download are safe.

[eoinfinnegan]

Received another file with the same virus, this time in a Word document with the following text in the message. Do not download the file, just report the user.
Hello.
I have a task for you to edit and correct the document!

1. you need to create document template sample
2. adaptation of footnote
3. the Recognition of titles and automatic generation of table of contents based on document styles.
   All you need to do during the day!
   All detailed information can be found in the file!! Thank you for your attention.

[miiila]

Hm, thanks, I got a weird thing popping up in my inbox, not the one you did, a translation and it looks like a halfways legit translation request on first sight, still it´s weird, just inbox message with attached file, not referring to any gig of mine, I sent a screenshot to CS and am waiting for their reply, before I do anything…

While different text than yours, actually the hm, English, would fit.

Now to wait if this will let my response rating drop further down from it´s cemented seeming 86% status.

[benjamin5va]

Are you kidding me? I just saw this in Buyer Requests 10 minutes ago. Anyway thanks for the tip, and goodluck with getting rid of the malware.

[cyaxrex]

This is why main work machine is a linux box. Yes, there are viruses for linux but I’ve never had a problem since 2010 when I switched.

In either case, for those who don’t have access to a second PC, it can be a good idea to always keep a live bootable linux distro in a drawer for when things like this happen. This way you can keep working, as usual, using one machine.

Sorry though for your problem Eoin. Twice in one month is a real kick in the nuts.

[eoinfinnegan]

Nah, it didnt catch me this time. It needs permission to open so it says “the document is in a newer version of Word, do you wish to continue”. Wasn’t stupid enough to do it twice 🙂

[Anna]

I had that happening to me as well with an Excel file. If it wouldn’t have been for your original post Eoin I would have probably clicked on yes.
These scammers are getting very smart. SCARY! Thank you Eoin 😉

[djgodknows]

http://i66.tinypic.com/kegm5v.jpg

You should always right on a file to click on the “Details” tab to verify the information.

My CASE:
I received a WORD file.
I downloaded the file and first opened it via notepad++, cryptic but no catch.
Then opened on WORD, but it was asking for permission to “Enable Editing”. DID NOT ALLOW.

I have a Microsoft Surface 2 running on an ARM processor. So I was really curious to see what it is exactly.
As I know any current malware will not run on Win RT 8.1, I clicked on “Enable Editing” BAM: pop up from WORD.

Prognosis:
It is trying to run a VBA file and Active X Controls.
The entire wording you see that “this is created on a old word document” is a SINGLE Image, with hidden scripting to infect your computer via your browser using Active X Controls.

RECOMMENDATION TO ANYONE WHO ALREADY <em>DOWNLOADED</em> THE FILE:

1. DO NOT OPEN!!
2. DO NOT Delete and Send to your recycle bin.
You need to DELETE and WIPE this file.
Sending items to recycle bin DOES NOT permanently remove it from your hard drive.

Options:
If you use CCleaner, from Piriform, they have another program called “Recuva” this program will allow you to use MILITARY GRADE wiping to ensure the file is savagely REMOVED from your computer

Alternatively:
1. CUT the file and PASTE it onto a FLASH drive.
This way the actual data bits are completely transferred.
2. FORMAT the FLASH drive on another system which is not your PRIMARY. Like a tablet or another PC/laptop or something.

Download:

• MALWAREBYTES and run a FULL scan.

---

OTHERS:
If you already OPENED it, unfortunately, I cannot provide you with a solution.
If you are paranoid like me, formatting and reinstalling the entire OS and then going and changing all your username and password from another PC/Laptop/Tablet/Phone, would be the ULTIMATE Solution.

This is a brand new sophisticated malware, so information on it is not readily available.
If your ANTIVIRUS is NOT updated, it might NOT EVEN DETECT the malware.

Good Luck!

[miiila]

My Word told me it had put that file in quarantine or something like that already, without me doing anything, not bad. I let my laptop be thoroughly checked though to be on the safer side. Using CC cleaner since a few years, I love it.

[djgodknows]

This instruction is for your case only.
Empty recycle bin.
Open CC Cleaner.
GO to "Tools"
Go to "Drive Wiper"
Make sure of the following settings -
Wipe: Free Space Only
Security: Simple Overwrite (1Pass) (Start with 1 pass, once this is complete, Repeat with “Advance Overwrite” (3 Pass). Then to the 3rd option if possible, because the longer wipes take a HUGE AMOUNT of time to perform.
Drives: C: (Any other drives related to the MAIN HDD)

[miiila]

Thank you.

also: forum bug ‘can´t upvote’ strikes again

[djgodknows]

The forum just went down like 10 mins ago.

[miiila]

And big bad red is back too!