2280 posts

Uber Geek
+1 received by user: 648


Topic # 159922 17-Dec-2014 12:38

We have been hit by a bunch of emails with a zipped SCR attachment. Antivirus is not detecting them.

Subject is either "Payment invoice has been pai" or "The payment has been mad".

Attachment is "invoiceXXXXXX_pdf.zip" where the Xs are random numbers.

Anyone else getting these?






4 posts

Wannabe Geek


  Reply # 1199043 17-Dec-2014 12:47

Yes we are too. Our accounts payable have received 5 this morning.

Subject: The payment has been mad

We have sent you a Transfer for amount 12,297.00. Please view attachment for details.



gjm

746 posts

Ultimate Geek
+1 received by user: 91


  Reply # 1199046 17-Dec-2014 12:51

Have seen lots of these types of emails lately. Mostly they seem to be the cryptolocker virus or a variant of it. It was enough to make me block .zip files at the gateway.




[Amstrad CPC 6128: 128k Memory: 3 inch floppy drive: Colour Screen]



2280 posts

Uber Geek
+1 received by user: 648


  Reply # 1199050 17-Dec-2014 12:53

What antivirus do you use, and is it detecting it?

Can't find much about it, but it seems to infect the PC if the attachment is run and then sends itself out via Outlook (not sure about other mail clients). And it looks like currently most AV scanners miss it.

14066 posts

Uber Geek
+1 received by user: 2514

Trusted
Subscriber

  Reply # 1199054 17-Dec-2014 12:55

I got it to my small business email. The way I figure it if money arrives in my account I wasn't expecting then I'll open the email telling me what it is.




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer




2280 posts

Uber Geek
+1 received by user: 648


  Reply # 1199055 17-Dec-2014 12:56

gjm: Have seen lots of these types of emails lately. Mostly they seem to be the cryptolocker virus or a variant of. It was enough to make me block .zip files at the gateway. 


I've blocked anything with _pdf.zip in the attachment name, but maybe I should change it to all zip files. We have two different virus engines scanning them, one at the Gateway and one in Exchange, and neither is picking them up.
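Added example, not code from the thread or any of its posters: a gateway-side check in Python that combines the two filters discussed above, blocking on the _pdf.zip / invoiceXXXXXX_pdf.zip attachment name and also looking inside every zip for an executable such as the .scr this campaign carried, so a renamed lure is still caught. The sample archives are constructed in memory; the function names and the list of flagged extensions are assumptions.

```python
import io
import re
import zipfile

# Lure pattern reported in this thread: invoiceXXXXXX_pdf.zip, Xs random digits.
LURE_NAME = re.compile(r"^invoice\d+_pdf\.zip$", re.IGNORECASE)
# Windows-executable extensions that a "pdf" archive has no reason to carry;
# .scr (a screensaver, which runs like an .exe) is what this campaign used.
EXEC_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def inspect_zip_attachment(filename: str, data: bytes) -> dict:
    """Classify one zip attachment. Returns {'block': bool, 'reasons': [...]}.

    Hypothetical gateway hook: a real filter would be handed the decoded
    MIME part; here the attachment bytes are passed in directly.
    """
    reasons = []
    lname = filename.lower()
    if LURE_NAME.match(filename):
        reasons.append("name matches invoice<digits>_pdf.zip lure")
    elif lname.endswith("_pdf.zip"):
        reasons.append("name uses the _pdf.zip double-extension trick")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                inner = info.filename.lower()
                ext = inner[inner.rfind("."):] if "." in inner else ""
                if ext in EXEC_EXTS:
                    reasons.append(f"archive contains executable: {info.filename}")
    except zipfile.BadZipFile:
        reasons.append("attachment is not a valid zip archive")
    return {"block": bool(reasons), "reasons": reasons}


def build_zip(inner_name: str, payload: bytes = b"inert placeholder") -> bytes:
    """Constructed sample archive for testing; the payload is harmless filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    lure = inspect_zip_attachment("invoice942817_pdf.zip", build_zip("invoice942817_pdf.scr"))
    clean = inspect_zip_attachment("report.zip", build_zip("report.pdf", b"%PDF-1.4"))
    print(lure)   # block=True with two reasons (lure name, .scr inside)
    print(clean)  # block=False
```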

309 posts

Ultimate Geek
+1 received by user: 14

Subscriber

  Reply # 1199058 17-Dec-2014 12:57

We have seen some of these today, also. 

2 posts

Wannabe Geek


  Reply # 1199099 17-Dec-2014 13:31

Our Symantec Brightmail Appliance is picking them up but I don't think SEP is on the desktops:

This attachment contained a virus and was stripped.
 Filename: invoice942817_pdf.zip
 Content-Type: application/x-zip-compressed
 Virus(es): Mal/DrodZp-A

896 posts

Ultimate Geek
+1 received by user: 586

Trusted

  Reply # 1199107 17-Dec-2014 13:42

Yep, happening with us. The latest SEP desktop definition isn't picking them up yet, but luckily Symantec Message Labs is blocking them now.

1 post

Wannabe Geek


  Reply # 1199135 17-Dec-2014 13:54

Hi, we got hit with this across several PCs, with users opening the attachment and it initiating sending of itself to as many contacts as it could. It looked like it was partly stopped trying to write to protected OS files; fortunately no one with elevated user rights was silly enough to open the attachment :-)

Our ESET antivirus is updated hourly and this particular threat wasn't in the database - an update to ESET was issued at about 12:30 with this included and it is now being detected.
It's rare for this to happen like this, my guess is that there will be many many organisations being hit by this.

Zakk



2280 posts

Uber Geek
+1 received by user: 648


  Reply # 1199147 17-Dec-2014 14:03

Zakk2000: Hi, we got hit with this across several PCs with users opening the attachment and it initiating sending of itself to as many contacts as it could.  It looked like it was partly stopped trying to write protected OS files, fortunately no one with elevated user rights was silly enough to open the attachment :-)  

Our ESET antivirus is updated hourly and this particular threat wasn't in the database - an update to ESET was issued at about 12:30 with this included and it is now being detected.
It's rare for this to happen like this, my guess is that there will be many many organisations being hit by this.

Zakk


We've received them from 11 different companies.






1709 posts

Uber Geek
+1 received by user: 169

Trusted

  Reply # 1199161 17-Dec-2014 14:19

We have received quite a few also; Symantec Cloud on the desktops is blocking it when people try to open the attachment, but annoyingly it is getting that far!

1498 posts

Uber Geek
+1 received by user: 338


  Reply # 1199175 17-Dec-2014 14:30

I have an infected PC here.
It sends out mass mailings through Exchange: check the Exchange queue, but they won't show in the Sent Items (on this PC).

NOD will detect leftovers in the tmp files and now seems to detect the email attachment.
NOD32 still won't detect the infection if the PC is infected; it's a gibberish-named exe in C:\windows.

Malwarebytes will detect that infected file, but being so new I'm uncertain what other files could be infected on the PC.
It seems to POSSIBLY add/infect a system service.

If anyone has any links to removal writeups or the latest info for this infection I'd appreciate it. I don't want to put the PC back on the network until I'm sure it's clean; there may be undetected malware on it still.
Unfortunately new malware is often given all too generic names.



2280 posts

Uber Geek
+1 received by user: 648


  Reply # 1199207 17-Dec-2014 14:53

1101: I have an infected PC here.
It sends out mass mailings through Exchange: check the Exchange queue, but they won't show in the Sent Items (on this PC).


I thought it would show up in sent items if it is using the local client to send?? Fortunately we haven't become infected here, but would be nice to let users know that they would show up in sent items for them to check their home computers.

If it doesn't show up in sent items is there an easy way for a home user on POP to check?

2 posts

Wannabe Geek


  Reply # 1199255 17-Dec-2014 15:29

https://www.virustotal.com/en/file/09a4a055768bad10dd392a424a2f85b7fc3d0db97e4e5cf8d27941fb2af92dda/analysis/1418782888/

1498 posts

Uber Geek
+1 received by user: 338


  Reply # 1199272 17-Dec-2014 15:57

I have more info from the infected PCs here, but the forum won't let me post it:

"Error: Sorry. Your post does not have the correct open and close tags."


