New FedEx Virus Email

Mark Berry January 28, 2012

Back in November, I wrote about an airline ticket virus email. Now it’s FedEx:  today I received this email supposedly from FedEx with a zip file attachment:

If you open the zip file to see the “invoice,” you’ll see what looks like a a PDF file:

However if you go to Windows Explorer and uncheck “Hide extensions of known file types,” you’ll see that it is actually an executable file:

Don’t run it! That means don’t double-click on it to “open” it. It’s got to be a virus.

Another clue:  the subject line refers to USPS but the body refers to FedEx.

This virus bypassed the VIPRE anti-virus on my computer. www.virustotal.com shows that only 2 of 43 engines currently recognize it as a virus.

As usual:  if you don’t recognize the sender, or are not expecting the email, don’t open the attachment! In fact, I’d say just don’t open attachments from anyone unless you personally know the sender (e.g. a friend or colleague) and you are expecting them to send you a file. Big companies are not just not sending email with attachments.

New Airline Ticket Virus Email

Mark Berry November 3, 2011

Today I received an email supposedly from American Airlines with an Zip file attachment:

If you open the zip file, you’ll see what looks like a Word document:

However if you go to Windows Explorer and uncheck “Hide extensions of known file types,” you’ll see that it is actually an executable file:

Don’t run it! That means don’t double-click on it to “open” it. It’s got to be a virus.

The scary thing is that this virus was delivered directly to my Outlook inbox. It got past Forefront security on Office 365, and my up-to-date VIPRE anti-virus does not flag it as a virus. When I submitted it to www.virustotal.com, only 1 of 42 engines currently recognized it as a virus.

As usual:  if you don’t recognize the sender, or are not expecting the email, don’t open the attachment!

Update January 16 and 19, 2012:  Several people have asked how to remove this virus, the main effect of which is apparently to hide (but not delete) files on your computer. Thanks to the several posters who have offered suggestions. For example, see these comments below:

• December 16, 2011 – Susan Green
• December 16, 2011 – Michael
• January 6, 2012 – Teresa
• January 16, 2012 – Shea
• January 19, 2012 – Bob
• January 19, 2012 – Mark

Use these procedures at your own risk! If you’re not comfortable with the procedures and especially if you don’t have a good backup of your files, find a professional to help.

“We Are Going to Sue You” Virus Spam

Mark Berry September 26, 2011

A new spam email warns that you will be sued—for sending spam! Don’t worry about being sued, but do worry about opening the attachment that purports to be a scanned document. It’s actually a known virus. The email contains at least one language error, but it’s one that is easy to miss. More info on the websense blog.

Identifying and Avoiding Fake Anti-Virus Programs

Mark Berry December 21, 2010

One of the biggest threats to your computer comes when you land on a web site containing a fake anti-virus warning. These sites try to trick you into installing a program that is actually a virus. Sometimes these programs will encrypt files on your system, then charge you money to unlock them. But what does a fake anti-virus site look like, and what should you do? Here’s an example.

A RARe Virus Delivery Method

Mark Berry July 27, 2010

Yesterday I received the following email from someone I don’t know:

The unusual thing is the attachment of type .rar. RAR is an archive format not as common as .zip in the Windows world.

I had an old copy of the freeware UnRAR on my machine so I had a look at the file contents. Sure enough, it’s a script file (.scr) which, like an .exe file, can make changes to a machine.

Virus Scanning Not Enough

This file was delivered through Postini, which means their virus scanner didn’t catch it. In fact, as of this writing, VirusTotal shows 23 of 42 antivirus engines identifying the malware. Major engines like AVG, ClamAV, and Sophos are not catching it yet. While infection is less likely since many people won’t have .rar archive utility installed, it still is up to the user to remember:  don’t open attachments from unknown senders. In fact, it’s best to avoid attachments even when you know the sender unless you are specifically expecting an attachment from them.

Tricky PDF Virus Evades Virus Scanners

Mark Berry April 27, 2010

On April 27, multiple users at a San Diego client site received emails purporting to come from the “operator” of the email server. The text of the email was written to try to get the recipient to open the attached PDF file. Opening the PDF file and clicking on a couple of confirmations would install a virus on the recipient’s computer. At first, most virus scanners did not recognize the PDF file or the included virus, so simply running current anti-virus programs would not have stopped this infection.

MCB Systems has taken additional measures on all client computers to remove the ability of PDF files to launch programs, including virus programs.

There are a few “take-aways” here:

• PDF files can contain viruses. Long considered safe, PDF files are increasingly used as “carriers” for viruses.
• When you receive an email that you are not expecting, slow down for a moment and run it through your “is this real?” filter. For example, this one was spoofed to show it coming from operator@clientdomain.org, which is not a real address. It was sent at 3:48AM, an unlikely time for a human to send an email. Often these attempts at social engineering will contain errors in grammar, as this one does.
• Make sure you have current backups in place. Often the only way to get rid of a virus is to wipe everything on the computer and re-install the operating system. Ideally you want to use an image-based backup, which allows quickly restoring the entire computer to a previous point in time. MCB Systems can help you choose the best backup solution for your business.

Thousands of new viruses are created every day, and anti-virus software is always playing catch-up. The best defense is still for users to be aware of the threat and to remain safety-conscious when online!