On 16.04.2015 at 16:54, Mike Kellenberger <mike.kellenberger@escapenet.ch> wrote:

Hi all

I've been contacted by a couple of customers who caught a new virus in the last few days, sent by e-mail in a .zip file containing an .exe. (Yes, there are still people out there who open these kinds of attachments if they come from a known address.)

The .zip file passes our AV on the mailserver (Kaspersky) as well as our desktop AV (Symantec) with the newest definitions.

Once infected, it spreads via e-mail (probably through the Outlook e-mail profile; it authenticates nicely against our mailserver anyway), blasting out hundreds of mails in a single short session only to sleep again until the next day...

Has anybody else seen this? Is there a name or details or cure for it yet?


VirusTotal will tell you a name, which you can google.

Antivirus is a bit of a placebo and snake oil - but surprisingly, a lot of people still believe in its value for them while the only value it really has is for those who sell signature-updates...

I’m pretty sure you can also block exes in zips - AFAIK, Google has recently started blocking exes, too.

https://support.google.com/mail/answer/6590?hl=en

Bugs in "popular" office-productivity software would in practice require blocking .doc, .xls, .ppt etc.
So, it’s not usually done.

I’d be glad that the thing was so noisy. If it was an APT-style attack, you’d only realize it months later (or not at all, until MELANI and SWITCH contact you, or worse: the press).
Or maybe there’s an APT going on in the background and this was only the decoy ;-)
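As an added illustration of the "block exes in zips" suggestion above (example code, not from anyone in this thread), the following Python check inspects zip attachments of a mail for executable members, flagging them by extension or by the "MZ" header regardless of name, and descends into nested zips. The extension list, the address names and the sample message are constructed assumptions, not Google's policy list or a real sample.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Assumed extension list for this example; not Google's official policy list.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def executable_members(zip_bytes: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return zip member names that look like Windows executables (by extension or 'MZ' magic)."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                ext = "." + info.filename.rsplit(".", 1)[-1].lower()
                head = zf.open(info).read(2)  # first two bytes of the member
                if ext in EXECUTABLE_EXTENSIONS or head == b"MZ":
                    found.append(info.filename)
                elif ext == ".zip" and depth < max_depth:  # descend into nested archives
                    found.extend(f"{info.filename}/{n}"
                                 for n in executable_members(zf.read(info), depth + 1, max_depth))
    except zipfile.BadZipFile:
        pass  # corrupt or non-zip payload: nothing for this check to report
    return found

def flagged_attachments(raw_message: bytes) -> list:
    """Parse an RFC 822 message and list zip members that a mail gateway should block."""
    msg = email.message_from_bytes(raw_message)
    flagged = []
    for part in msg.walk():
        filename = part.get_filename() or ""
        if filename.lower().endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            flagged.extend(f"{filename}/{m}" for m in executable_members(payload))
    return flagged

def build_sample_message() -> bytes:
    """Constructed sample: a mail from a 'known' address with a zip hiding executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62)  # flagged by name and magic
        zf.writestr("notes.dat", b"MZ\x90\x00")               # flagged by magic only
        zf.writestr("readme.txt", b"plain text")              # not flagged
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "colleague@example.com", "you@example.com", "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

Checking the first bytes rather than only the extension catches the common trick of renaming an .exe to an innocuous extension inside the archive.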