From: Accounts Finchley [accounts.finchley@nazarethcare.com]
The domain nazarethcare.com forwards to the Sisters of Nazareth. None of these organisations is actually sending the spam; their systems have not been compromised in any way. The "from" field in an email is trivially easy to fake, and it looks like the body text may have been stolen from a compromised mailbox.
Date: 11 November 2014 10:34
Subject: Bank Payments
Good Afternoon,
Paying in sheet attached
Regards
Sandra Whitmore
Care Home Administrator
Nazareth House
162 East End Road
East Finchley
London
N2 ORU
Tel: 02088831104
Fax: 02084443691
Nazareth Care Charitable Trust - Registered Office – Larmenier Centre, 162 East End Road, London N2 ORU
Registered Charity – England & Wales – 1113666, Scotland – SCO42374
Registered Company registered in England & Wales – Company Number 05518564
The contents of this message are for the attention and use of the named addressee(s) only. It, and any files transmitted with it, may be legally privileged or prohibited from disclosure or unauthorised use. If you are not an intended recipient or addressee, any form of reproduction, dissemination, copying, disclosure, modification, distribution or publication is prohibited and may be unlawful and the sender will accept no liability for any action taken or omitted to be taken in reliance upon this message or its attachments.
Whilst all efforts are made to safeguard inbound and outbound e-mails, no guarantee can be given that attachments are virus-free or compatible with your systems, and we do not accept any liability in respect of viruses or computer problems experienced.
Any views expressed in this message are those of the individual sender, and do not necessarily represent those of the Sisters of Nazareth.
Attached is a file 2014_11_07_14_09_19.doc, which comes in two versions, both with low VirusTotal detection rates [1] [2]. If macros are enabled, one of two macros [1] [2] [pastebin] runs, which then downloads a file from one of the following locations:
http://www.grafichepilia.it/js/bin.exe
http://dhanophan.co.th/js/bin.exe
This file gets copied to %TEMP%\HZLAFFLTDDO.exe and it has a VirusTotal detection rate of 3/53. The Malwr report shows it phoning home to:
http://84.40.9.34/kPm/PQ0Zs8L.Wtg%26/thtqJJSo%2B/LsB6v/
It also drops a DLL identified by VirusTotal as Dridex.
10 comments:
How do I get rid of it? It so happens I was awaiting payment from a company in the same area so didn't spot the fake.
Tony
@captaintee: you might not be infected if you had macros disabled. The first thing to do is determine if you *are* infected, and it will take virus scanners a day or so to catch up.
A quick check is to go into your TEMP folder e.g. C:\Users\Your_name\AppData\Local\Temp on Windows 7/8 and look for any EXE files with random names with a datestamp of today.
Removing that won't fix the malware, but if you can't see it then you are probably not infected.
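The TEMP-folder check described in this reply, automated as an added example (PowerShell written for this page, not a tool from the blog); it assumes PowerShell 4 or later for Get-FileHash, and the all-capitals filename pattern is an assumed heuristic modelled on the HZLAFFLTDDO.exe name in the post, not a rule:

```powershell
# Added example, not part of the original post or its comments.
# Lists .exe files in the user's TEMP folder created today, flags names that
# look randomly generated (all capital letters, 8 or more, as with
# HZLAFFLTDDO.exe above), records a SHA256 that can be looked up on VirusTotal,
# and reports whether the file is currently running, which is the real sign of
# infection rather than the file merely being present.
# Assumption: PowerShell 4 or later (Get-FileHash). Legitimate installers also
# drop oddly named files in TEMP, so treat hits as triage leads, not proof.
function Find-SuspiciousTempExe {
    param(
        [string]$Path = $env:TEMP,          # defaults to the user's TEMP folder
        [datetime]$Since = (Get-Date).Date  # midnight today
    )

    # Full paths of every running process we are allowed to inspect, lowercased
    # so the comparison below is case-insensitive.
    $running = Get-Process -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Path } 2>$null |
        Where-Object { $_ } |
        ForEach-Object { $_.ToLower() }

    Get-ChildItem -Path $Path -Filter *.exe -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                File       = $_.FullName
                Created    = $_.CreationTime
                SizeKB     = [math]::Round($_.Length / 1KB, 1)
                # -cmatch is case-sensitive: only all-capital letter names match
                RandomName = ($_.BaseName -cmatch '^[A-Z]{8,}$')
                Running    = ($running -contains $_.FullName.ToLower())
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Show everything created today, with the suspicious candidates listed first
Find-SuspiciousTempExe |
    Sort-Object -Property RandomName, Running -Descending |
    Format-Table -AutoSize
```

An empty result means no EXE was written to TEMP today, which matches the "probably not infected" case in the reply; a hit that is also Running is the case where deleting the file alone will not help.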
Will it affect an Android phone?
Just had one emailed to me at 19:35. Very convincing, these things are getting harder to spot.
@C Ford: no, this will only impact Windows computers running Microsoft Word in an insecure configuration (i.e. with macros enabled). I have seen other malware that will ONLY infect Android phones and not Windows PCs, so caution is still advised.
Just got one and, like an idiot, I opened the Word doc.
Any advice on how to find my TEMP folder?
thx
I had one of these today too, but because I wasn't expecting it I googled the sender first and had my suspicions confirmed. Thanks.
Thank you for your post. I received 2 emails and didn't open the attachments and then Googled for spam to find out if it were a hoax.
Thanks a lot.
Thanks so much. Your blog came up right away when I Googled so I didn't open the attachment.