From: repairermessages@fmg.co.uk
Date: 19 January 2015 at 07:24
Subject: Insurance Inspection Arranged AIG02377973

FMG is committed to reducing its impact on the environment. Please don't print this email unless absolutely necessary.
Have you been impressed by one of our people?
If so, we'd love to hear about it. You can nominate someone for a Spirit award by emailing spirit@fmg.co.uk
FMG Support Group Ltd. Registered in England. No. 06489429.
Registered office: FMG House, St Andrews Road, Huddersfield, HD1 6NA.
Tel: 0844 243 8888
Email: info@fmg.co.uk
This email may contain confidential information and/or copyright material. This email is intended for the use of the addressee only. Any unauthorised use may be unlawful. If you received this email by mistake, please advise the sender by using the reply facility in your email software.
Outbound Message checked by Websense Mail Control.

Attached is a Word document AIG02377973-InsuranceInspectionArranged.doc which comes in at least two different versions, neither of which is detected by AV vendors [1] [2]. These documents contain two slightly different malicious macros [1] [2] which attempt to download a further component from:

http://chilan.ca/js/bin.exe
http://techno-kar.ru/js/bin.exe
This is saved as %TEMP%\324234234.exe, which has a VirusTotal detection rate of 2/57. The Malwr report shows it attempting to communicate with the following IPs:
59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)
These two IP addresses have been used by this malware for a long time, so I strongly recommend you block them. A malicious DLL is also dropped on the infected system, with a detection rate of just 2/53.
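As an added example (not part of the original post), here is a small triage script built from the indicators listed above. It does the two checks a practitioner would want to run: look for the dropped %TEMP%\324234234.exe, and run the download hosts, C2 IPs and file names over proxy, firewall and mail gateway log lines. The log lines are constructed for illustration; the only real data are the indicators quoted from the post. Note the IP match refuses to fire inside a longer dotted number, so a look-alike such as 174.208.11.204 is not reported.

```python
"""Triage helper built from the indicators in the post above (added example, not the
post's own code).  The log lines below are constructed for illustration."""
import re
import tempfile
from pathlib import Path

# Indicators quoted from the post
IOC_HOSTS = {"chilan.ca", "techno-kar.ru"}        # second-stage download sites
IOC_IPS = {"59.148.196.153", "74.208.11.204"}     # C2 addresses the payload contacts
IOC_FILENAME = "324234234.exe"                    # dropped into %TEMP%
IOC_ATTACHMENT = "AIG02377973-InsuranceInspectionArranged.doc"


def _alternation(values):
    return "(?:" + "|".join(re.escape(v) for v in sorted(values)) + ")"


# IPs: never match inside a longer dotted number (174.208.11.204 must not hit 74.208.11.204)
IP_RE = re.compile(r"(?<![\d.])" + _alternation(IOC_IPS) + r"(?![\d.])")
# Hosts: a subdomain prefix (dot before) is fine, a longer domain after (chilan.ca.evil.test) is not
HOST_RE = re.compile(r"(?<![A-Za-z0-9-])" + _alternation(IOC_HOSTS) + r"(?![A-Za-z0-9.-])",
                     re.IGNORECASE)
FILE_RE = re.compile(re.escape(IOC_FILENAME), re.IGNORECASE)
ATTACH_RE = re.compile(re.escape(IOC_ATTACHMENT), re.IGNORECASE)

CHECKS = (("ip", IP_RE), ("host", HOST_RE), ("dropped_file", FILE_RE), ("attachment", ATTACH_RE))


def scan_log_lines(lines):
    """Return (line_index, kind, indicator) for every indicator found in each line."""
    hits = []
    for idx, line in enumerate(lines):
        for kind, pattern in CHECKS:
            for match in pattern.finditer(line):
                hits.append((idx, kind, match.group(0)))
    return hits


def dropped_file_present(temp_dir=None):
    """Path of %TEMP%\\324234234.exe if it exists (the post's infection indicator), else None.
    temp_dir overrides the real temp directory so the check can be exercised safely."""
    temp = Path(temp_dir) if temp_dir else Path(tempfile.gettempdir())
    candidate = temp / IOC_FILENAME
    return str(candidate) if candidate.is_file() else None


def simulate_infected_temp():
    """Create a throwaway directory holding an empty 324234234.exe so the check above can be
    demonstrated without a real infection (constructed data; delete the directory afterwards)."""
    directory = tempfile.mkdtemp(prefix="ioc_demo_")
    (Path(directory) / IOC_FILENAME).touch()
    return directory


# Constructed sample lines: squid-style proxy, netfilter firewall and mail gateway entries
SAMPLE_LOG = [
    "1421653440.123 210 10.0.0.15 TCP_MISS/200 98304 GET http://chilan.ca/js/bin.exe - DIRECT/203.0.113.10 application/octet-stream",
    "Jan 19 07:31:02 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=59.148.196.153 PROTO=TCP SPT=49211 DPT=80",
    "Jan 19 07:31:05 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=174.208.11.204 PROTO=TCP SPT=49212 DPT=443",
    "1421653450.001 55 10.0.0.22 TCP_HIT/200 512 GET http://www.example.com/index.html - NONE/- text/html",
    "Jan 19 07:24:10 mx1 amavis: Passed CLEAN from <repairermessages@fmg.co.uk> attachment AIG02377973-InsuranceInspectionArranged.doc",
]

if __name__ == "__main__":
    for idx, kind, value in scan_log_lines(SAMPLE_LOG):
        print(f"line {idx}: {kind} indicator {value}")
    print("real %TEMP% check:", dropped_file_present() or "clean")
    print("simulated infected temp:", dropped_file_present(simulate_infected_temp()))
```

Run against the constructed lines it reports the download from chilan.ca, the connection to 59.148.196.153 and the attachment name on the mail gateway, and stays silent on the look-alike 174.208.11.204 and on the benign proxy entry. Point `scan_log_lines` at your own proxy and firewall logs and `dropped_file_present()` at each user's %TEMP% to triage a suspected recipient.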
4 comments:
Hi Conrad,
Great post - apart from one thing....
...we opened the email!?
What do I need to do? How can I get rid of it? I'm doing a scan with AVG as we speak but I didn't want to log into my bank to change the password just in case they got the new passwords?!
@HMWS: the macro will infect you only if you allow macros to run in Word. The indicator of infection is a file %TEMP%\324234234.exe (%TEMP% is the location of your temporary files folder, e.g. C:\Users\Yourname\AppData\Local\Temp).
If you think you are infected and you are not an expert, then it is best left to your anti-virus software to clean up, but they won't have updated their products yet. The best thing to do is wait at least 24 hours before attempting an automatic cleanup.
Thanks Conrad
Nothing showing there similar apart from:
6F11B312-ED58-46A7-A6F3-A5B920F8BA37 (19/01/2015)
8b9B2 (19/01/2015)
div6547.tmp (19/01/2015)
TCD807B.tmp (19/01/2015)
Do they ring any alarm bells?
It's Word 2013 so I don't know about the open or run macros settings?
@HWS: looks like you should be clean, Word 2013 has macros disabled by default for that sort of document. Check with the F-Secure online scanner to be sure.