If you open the zip file to see the “invoice,” you’ll see what looks like a a PDF file:

However if you go to Windows Explorer and uncheck “Hide extensions of known file types,” you’ll see that it is actually an executable file:

Don’t run it! That means don’t double-click on it to “open” it. It’s got to be a virus.

Another clue:  the subject line refers to USPS but the body refers to FedEx.

This virus bypassed the VIPRE anti-virus on my computer. www.virustotal.com shows that only 2 of 43 engines currently recognize it as a virus.

As usual:  if you don’t recognize the sender, or are not expecting the email, don’t open the attachment! In fact, I’d say just don’t open attachments from anyone unless you personally know the sender (e.g. a friend or colleague) and you are expecting them to send you a file. Big companies are not just not sending email with attachments.

I immediately called US Bank’s fraud department and closed the card. They told me that the transactions were “card present” transactions, meaning someone had created a fake card with my card number.

Slow, Uninformative Alerts

The only reason I discovered this fraud was that I had an alert configured on my checking account to email me on debits over $50. However, I didn’t receive the alert about the first transaction until the following morning, and the alert didn’t tell me who had made the charge. I had to log on to online banking to confirm it was fraudulent; that’s when I saw that two additional transactions were pending.

If I had received an alert within a few minutes of the first transaction (as I do when I use my Capital One and Chase credit cards), I could have shut down the card immediately and avoided the additional transactions. US Bank has the data:  you can see the pending transactions if you log on to online banking. So why not send out alerts immediately?

Over the next few days, I asked four or five representatives why US Bank does not send alerts promptly. I received various answers, e.g. alerts are batched and only sent three times a day, you can log in to online banking to see if there are pending transactions, a check card is different from a credit card because transactions are authorized before they are charged, they are looking into faster alerting systems, and they can’t tell me to rely on alerts because then they would be liable if an alert didn’t go out in a timely fashion.

Fast Alerts – The Big Secret

What no one told me is that US Bank does offer near-instant alerts if you know how to configure them.

It’s simple, really:  in addition to the (slow) checking account alerts, in online banking, add alerts to your Check Card:

You’ll have several categories to choose from. I’ve now configured them all:

I set up my Transaction Dollar Amount alert to email me on any transaction over $1. Yes I get a few extra emails that way; big deal, I just delete them. At least I’ll know if someone besides me starts charging even small stuff on my card:

That’s it! Once configured, when you make a purchase (whether using the check card as a debit card with PIN or as a VISA card), within a few minutes, you should see an email like this listing both the vendor and the amount:

My hunch is that these Check Card alerts are tied directly to the VISA transaction clearing system, so just as with other credit cards, they are sent almost instantly.

Of course, it’s possible that the alerts may sometimes be slow or even fail, but at least this gives you a fighting chance to find out quickly if your Check Card is ever compromised.

Update January 26, 2011

In the last week or two, there have been a few cases where the Check Card alerts were not processed as promptly as they used to be. For example, a charge I made at 9pm didn’t email until 10:30am the next day. Still, it makes sense to define all possible alerts so you have the best chance of being notified when someone besides you is using your card.

If you open the zip file, you’ll see what looks like a Word document:

However if you go to Windows Explorer and uncheck “Hide extensions of known file types,” you’ll see that it is actually an executable file:

Don’t run it! That means don’t double-click on it to “open” it. It’s got to be a virus.

The scary thing is that this virus was delivered directly to my Outlook inbox. It got past Forefront security on Office 365, and my up-to-date VIPRE anti-virus does not flag it as a virus. When I submitted it to www.virustotal.com, only 1 of 42 engines currently recognized it as a virus.

As usual:  if you don’t recognize the sender, or are not expecting the email, don’t open the attachment!

Update January 16 and 19, 2012:  Several people have asked how to remove this virus, the main effect of which is apparently to hide (but not delete) files on your computer. Thanks to the several posters who have offered suggestions. For example, see these comments below:

• December 16, 2011 – Susan Green
• December 16, 2011 – Michael
• January 6, 2012 – Teresa
• January 16, 2012 – Shea
• January 19, 2012 – Bob
• January 19, 2012 – Mark

Use these procedures at your own risk! If you’re not comfortable with the procedures and especially if you don’t have a good backup of your files, find a professional to help.

You install a small piece of software on your laptop or phone. If you lose the device, log in to the Prey web site and change the device’s status to Missing. The software will capture a screen shot, webcam shot, geographical location (using GPS or WiFi triangulation), and a bunch of system and network info. You can even sound a loud siren through the speakers if you think the device is nearby. I tested it on a laptop and it geo-located it within one house!

Up to three devices are free; Pro plans are available. Works with Windows, Mac, and Android.

I read about Prey in the article 4 simple steps to bulletproof laptop security. Besides, theft and loss recovery, the article also describes strong passwords, fingerprint readers, and full-disk encryption, all of which I’m already using.

Contact MCB Systems if you’d like to beef up laptop security in your environment.

Clue #1:  Random Redirects

Every so often while browsing the site, I wind up on another site. The site I was referred to was designed to look like a legitimate web page, but it’s actually a search page. For example, this site below might at first glance appear to be ancestry.com, but it’s spelled an-test-ry, and the URL at the top actually comes from searchmagna.com:

At one point, even though the main dmachoice.org site was displayed, I got a pop-up asking if I really wanted to leave a Home Income Profits site:

This led to other popups, which I know can lead to virus downloads, so I went to Task Manager and killed firefox.exe.

Clue #2:  Loading Data from Third-Party Sites

I started watching where dmachoice.org was pulling data from as the page loaded. Here you see a live capture of the Firefox status area site as it accesses sites like js.users.51.la, www.searchnut.com, 205.209.161.4, etc.:

Sometimes I saw references to sites for legitimate businesses (like thrifty.com and 1800flowers.com) that have no business on the dmachoice.org site.

Clue #3:  Check Sources of Media on Page

Firefox has a very useful feature that lets you review all the sources of media on a page. Right-click on the page and select View Page Info. You’ll see a dialog like this:

Scrolling down the list of media, after several legitimate images from the dmachoice.org site, there are lots of additional images from sites like ajiang.net, 51.la, and searchnut.com. With help from Whois lookups at www.iptools.com, we can see that the first two are registered in China and the last in Grand Cayman. Note the “Associated Text” from icon.ajiang.net is an Asian script, and references 51.la, the next site loaded.

SSL is Not Enough

It’s worth noting that although the main dmachoice.org site is SSL-encrypted (begins with https://), it still pulls data from non-secure sites.

To its credit, Internet Explorer 8 asks before loading unencrypted data and gives you the option to suppress it:

If you accept the default answer (“Yes”), IE does not load data from the third-party sites. (If those sites were also https:// sites, it might still load them.)

Firefox also warns about mixed content by default, but it only warns once, and it does not give the option of suppressing the non-secure content. If you accept the defaults of this warning, you’ll immediately start downloading the extra content, and you’ll never see the warning again:

In Firefox 4, the only way to re-enable the warning is through an advanced about:config process (see Firefox question 826495). Here is what it looks like after clicking OK on the warning:

Why the Hack?

So why has the site been hacked? What are the hackers gaining from it? My guess is that they are paid for referrals. By hijacking a busy site and forcing users to jump to other sites (or maybe just by referencing the other sites), they get advertising revenue.

Of course if they have full access to the site, they could also be harvesting user names and passwords as users log in, or potentially download the entire DMA database. Since the DMA is the main association used by consumers to set postal mail preferences, their database is no doubt quite large. The hackers could also set up the site to download viruses to user computers in addition to referring visitors to other sites.

I contacted the DMA by email and phone before writing this article but have so far not heard a response.

The ruling held that the bank was not responsible for detecting the fraud because the bank had the legally-required password policy in place. (See this article for details.)

Whether or not that ruling stands, it does highlight the additional risk of using online banking as a business. I certainly like the convenience of online banking and Bill Pay, both as one who sends and one who receives funds. However if you haven’t already, you may want to clarify/update your online banking policies. Here are some questions that come to mind:

1. What kind of liability does your bank assume in online banking transactions? According to this article, “businesses do not have the same legal protections against online banking fraud that consumers enjoy.”
2. Who at your company has access to online banking? What can they do? What computer are they using when they do it? Computers on an MCB Proactive Care plan all have a current anti-virus program installed, but no anti-virus program is foolproof—there is no guarantee that a computer will never be infected.
3. Do you have a separate account for use with online banking? One suggestion is to limit exposure by only keeping the minimum funds required in a separate account used for Bill Pay. Obviously that account should not have automatic overdraft links to the primary account or to a line of credit.
4. Have you set up alerts to get an email for any transaction over a certain amount? That’s not perfect protection (hackers with access to the account could turn off alerts), but it’s one more way to try to monitor activity so you can notify the bank immediately of suspicious activity.
5. When you log on to online banking, do not allow the browser to store your password. Type the password each time.
6. If all of that still seems too risky, you could always go back to plain old checks! If you do that but retain online banking (for reviewing statements etc.), make sure no one can turn on Bill Pay with just a few mouse clicks.

As with so much in our modern world, additional convenience carries additional risk. In this case, the risk is greater than one might think at first.

I was inspired to suggest a paragraph for the section on interruptions (below). I emailed it to the book’s feedback address. A short while later I got a thank-you from Jason Fried, co-author and co-founder of 37signals. Wow, that’s pretty lean when the co-founder is still reading random email feedback. Plus it’s a simple example of acting like a human, letting people know you hear them. These guys might be for real.

Filter

Everyone is inundated daily with information. Emails, flyers, magazines, phone calls. Delete, delete, delete. 95% of the stuff you get won’t help your business. Set up a spam filter. Unsubscribe from email lists (you can always visit a web site if you need info). Save a tree: call catalog companies and ask to be removed. Ask business telemarketers to remove your name. Keep the recycle bin next to the mailbox and dump stuff before it ever gets to your desk. Have a favorite trade magazine? Scan the table of contents. If something looks interesting, hold on to it for a few days. If it’s still interesting, read it, else toss it (pack rats, file it so you can toss it later). You may wind up with a desk so clean that you have to do some real work.

This July 2010 article from the The Guardian (UK) goes into detail about the history and purpose of the scam. The article discusses callers claiming to be from Microsoft, controlling your PC, and demanding immediate payment. But that could easily morph:

• Callers might claim to be from Microsoft or another tech company (real or fake), or may not say a company name at all.
• Callers will invariably request that you connect to a web site from your computer. They may give you a code to enter. This can instantly give them access to the entire machine. Or they may just advise you to download and install a program, which is actually a virus or spyware.
• Callers may or may not ask for payment.

Microsoft has a whole page on scams that use its company name. Regarding this scam, they say, “If you receive an unsolicited call from someone claiming to be from Microsoft Tech Support, hang up. We do not make these kinds of calls.”

Note that remote control is a legitimate tech support method, but you should only grant that to someone you know (like MCB Systems) or a technician whom you have called. If you see someone typing or moving the mouse and you didn’t authorize it, unplug the network cable or just turn off your computer until it can be scanned for malware.

%appdata%\Microsoft\Signatures

That %appdata% code will expand to the correct name for XP, Vista, or Windows 7.

Another way to get to that folder from Outlook is to go to Options > Mail Format Ctrl-click on the Signature button. That’s explained in more detail here.

This even works copying signatures from Outlook 2007 to 2010.

Here’s how to turn that off.

Update April 19, 2011 A colleague tells me that after  following this procedure, he could no longer Print Preview invoices, possibly because some data was positioned off the template. Reversing the procedure brought back the preview capability. Make a backup of your .QBW file and maybe export your templates before proceeding.

1. From the menu, select  Edit > Preferences. Click on the Company Preferences tab and then on the Payments link in the left column. Under Invoice Payments, uncheck Show payment link at least on paper invoices:

2. That keeps the link from printing, but the empty box will still appear on your invoices. So you have to open each invoice template and remove it:

a. From the menu, select Lists > Templates and highlight one template at a time. Click on the Templates button and select Edit Template from the drop-down. (You may want to Export the template first.)

b. At the bottom of the Basic Customization dialog, click on the Additional Customization button. You will see the list of fields on your template.

c. Click on the Footer tab, look at the bottom, and uncheck Intuit Payment Network:

After unchecking Intuit Payment Network, the extra box at the bottom of your invoice should be gone:

It seems that when the invoice is actually printed, the extra space at the bottom is also compressed so that the invoice once again looks like it should.

You can consolidate mail from multiple accounts into one primary account with a few Outlook rules. Note that these are client-side rules; they only run when Outlook is running. (If you use Outlook on a mobile phone, these rules will not be in effect.)

Consolidate Inbox

Set up all of your accounts as Exchange accounts in Outlook 2010. Let’s assume you have accounts for User1, User2, and User3. User1 is to be the primary account.

1. Go to Rules > Manage Rules and Alerts.
2. Select the User2 folder.
3. Select New Rule > Start from a blank rule > Apply rule on messages I receive. On the Select actions page, check move it to the specified folder. Click on the word specified in the lower pane and choose the Inbox for User1 (not the default User2).
4. On the Finish rule setup page, name the rule something like “Move incoming messages to User1 Inbox”. Click Finish to exit the wizard.
5. Repeat these steps for User3.

Now all mail that User2 and User3 receive will be moved to the User1 Inbox.

Consolidate Sent Items

What about mail that you send? This should also be consolidated in the User1 Sent Items folder.

Outlook’s Sent Items rule options do not allow moving a message, only copying, so we have to work around that. (Thanks to this article for the confirmation and tips.)

1. Turn off the default behavior to save Sent Items. Go to File > Options > Mail > Save messages. Uncheck Save copies of messages in the Sent Items folder. Note that this applies to all accounts.
   
2. Go to Rules > Manage Rules and Alerts.
3. Select the User1 folder (not User2 as we did for Inbox).
4. Select New Rule > Start from a blank rule > Apply rule on messages I send. On the Select actions page, check move a copy to the specified folder. Click on the word specified in the lower pane and choose the Sent Items folder for User1.
5. On the Finish rule setup page, name the rule something like “Copy sent messages to User1 Sent Items”. Important: check the box Create this rule on all accounts. Click Finish to exit the wizard.

The rule is added for all three accounts. Mail that you send will be copied to User1’s Sent Items folder. Step 1 is required to turn off the default behavior of saving Sent Items in the local user’s Sent Items folder.

One oddity is that Sent Items will appear as Unread (bold type); I don’t think you can change that.

Now that you’ve moved all incoming and outgoing mail to the User1 account, any other folder operations (deleting items, moving to custom folders, etc.) will all happen on the User1 account.

Step 1:  Disable Calendar Assistant

1. Use Outlook Web Access to log on to your mailbox.

2. Click Options.

3. In the Calendar options, section “Automatic Calendar Processing”, please uncheck the setting “Automatically place new meeting requests on my calendar, marked tentative”.

4. Click Save.

Step 2:  Disable Outlook Sniffer

1. In Outlook 2007, go to Tools > Options > Preferences Tab > Email Options..> Tracking Options

2. Uncheck the following two options in the Tracking Options window.

• Process requests and responses on arrival.
• Process receipts on arrival.

Or maybe you have data that so far is only accessible to I.T. staff, and you need to open it up to end users via a simple, web-enabled interface?

MCB Systems recently had the opportunity to work on just such a project.

The Project

A small client has been using a great free email client called MailEnable for a number of years. This client uses lots of email groups, and the members of the groups change frequently.

MailEnable Standard can only be administered by logging on to the server and running the administration program—not something you want end users doing. That means that every time a new email alias was needed, or a user needed to be added or removed from a group, the client had to contact the I.T. provider to handle the change.

The Goal

The goal was simple:  empower end users to view and update email aliases and groups themselves. This gives them more direct “ownership” of their data with no waiting on I.T. turnaround, and frees up the I.T. provider from handling repetitive administrative tasks.

The Methodology

MCB Systems decided to tackle this project with an innovative methodology that simulates a “local” user interface across the web by using the Visual WebGui framework. In this approach, the software only runs on the server. An end user opens a secure web site in a browser and is able to view and edit the data using a familiar, Outlook-like user interface. A few screenshots of the end result illustrate the “look and feel” of the web-based program:

For a more detailed look at the technology, view the 3-minute demonstration video.

Benefits

What are the benefits of making a custom program available via the web?

• Users can work with the same interface in the office or from home.
• There is only one copy of the data, on the server. No more confusion about who has the latest version.
• Data stored on the server is more secure and falls under the server’s disaster recovery plan.
• Depending on the application, you can host the software on your own server or “in the cloud’” on a hosted server.

And with technology like Visual WebGui, end users are able to work in a familiar interface with minimal re-training required.

Whether you have an existing application that you want to put on the web, or you have data that has so far been inaccessible to end users, MCB Systems is ready to help you design and implement the web-enabled software you need. Contact us today.

Here is an example of a bogus anti-virus web page:

How to Tell

It’s confusing because what the virus authors have done is to create a web page that looks like a Windows XP Control Panel display, with the blue background on the left, folders on the right, and so on. But this page is not from Windows! It’s just a web page, and it wants to hurt your computer. How to tell?

Internet Explorer Warning

If you look at the header, you can see that just landing on this page has caused it to try to start downloading a file. Fortunately, Internet Explorer 8 is giving you a warning before starting the download:

Warning:  What is not obvious is that clicking anywhere on the page will probably start to download a virus. The whole page it a giant button. Don’t click on the page!

Does This Make Sense?

When you land on a page like this, ask yourself some questions before continuing:

1. Does this look like a legitimate warning from the anti-virus program that I’m using? If you’re using Trend, VIPRE, Norton, etc., the name of that program should appear in any warnings from that program.  (Careful:  even if the name does appear, it could still be fake.)

2. Does this look like a legitimate warning from my operating system? In this case, the user was running Windows 7 when this Windows XP-like screen came up. (Even Windows XP would never display anything exactly like this.) In fact, just the fact that they have tried to simulate a Windows page inside a browser window is a big red flag:  legitimate warnings from the operating system will never appear inside a browser.

3. Did I intentionally navigate to this web address? If you’re looking for pictures on Google Images, and you wind up on a “safeonly-scanner” web site in India (.in), you’re probably not where you meant to be. You can look up the last part of a web address at Wikipedia’s list of top-level domains to see which country you’re visiting.

What to Do

The safest thing to do at this point would be to log off of Windows or just shut down your computer. (The truly paranoid will just unplug the power.) If you have open documents (Word, Outlook, etc.), you can carefully save and close them, but do not try to close Internet Explorer.

Why not? If you close Internet Explorer by clicking on the red X in the upper right corner of the browser window, you may see a screen like this:

The problem is that most likely, this popup window is also from the fake anti-virus page. So if you click on it (whether you click on OK or Cancel), you’ll start the virus download. It’s best to just get out of Windows without touching Internet Explorer.

Finally, after you log back on to the computer, run a full anti-virus scan just to make sure the computer didn’t get infected. Since no anti-virus program catches all viruses, consider running a program in addition to the one you have installed on your computer. MalwareBytes and Sunbelt Software’s VIPRE Rescue are good, free choices.

Also like insurance, there are lots of factors to consider and lots of potential solutions.

So why do you need backup, exactly? And what kind of backup do you need?

The Risks

If your business relies on the data on your computers, your business is at risk if you do not have backups. Consider these questions:

• If we lost all the data on any given computer (common when a hard drive fails), how much would it cost me to recreate it?
• If every computer and hard drive in our building was stolen or destroyed by fire, would my business survive?
• What do I do if an earthquake prevents us from getting to the office for a period of weeks or months?
• If the primary server crashes, how long can my business afford to be down?
• If we get a virus, how do we quickly recover to an uninfected state?

The Options

Good backups can go a long way towards reducing your exposure to these risks. Choosing a backup plan is a balancing act between the amount of risk you can afford and the cost of the backup solution. Here are a few options:

• Back up on site to an external hard drive. This is the “bare minimum” protection and does not help if the backup drive is stolen or destroyed.
• Back up on site, but rotate hard drives off site. Still a very inexpensive option, provides basic disaster recovery coverage, but requires consistent manual maintenance.
• Back up over the Internet. Depending on the provider, this option provides good disaster recovery, though it still takes time to retrieve the data and re-create the original environment.
• Keep a spare computer on site. In combination with one of the above plans, this can get you back in business more quickly if the issue is computer failure.
• Use hosted servers. A fairly new option, some business are getting rid of local data storage altogether. Others keep their local server but contract to have a hosted server on standby. This can provide almost immediate disaster recovery, even if you have no physical access to your office.

Often the best plan for a given business will be a combination of two or three of the above options, taking into account the value and sensitivity of the data and the amount of time the business can afford to be without that data.

MCB Systems can guide you through the myriad options and design a backup plan that fits your needs and budget. Contact MCB Systems for a consultation.

How Did They Hack Me?

If email is coming from your account, most likely a hacker has gained access to your password. But how? They probably used one of two methods:

• They used a program to keep entering passwords until it got the right one. This is especially easy if your password appears in the dictionary as opposed to being a random string of characters.
• A virus on your system, or on a system where you accessed your account (e.g. in a coffee shop), was capturing keystrokes and trapped your password.

Of the two, the second carries the higher risk, since the same approach could also be used to gain access to your online shopping accounts, bank accounts, etc.

What to Do?

So you’ve been hacked. What should you do?

Create a Strong Password

If you’ve been hacked, the first thing is to change your password. Do it now, before Yahoo / Hotmail / Facebook disables your account for sending spam.

This Microsoft article explains how to create a strong password. They recommend fourteen characters. I’d say use at least eight characters. (You might want to beef that up for financial sites.) Be sure to include a mixture of uppercase and lowercase letters, numbers, and special characters. If you use a sentence, it’s actually pretty easy to remember.

Examples

“Wow, we had super-hot weather on September 27!” becomes W,whs-hwoS27!

“I’m looking forward 2 my vacation! We’re going to Belgium” becomes Ilf2mv!WgtB

Update September 22, 2011:  This Windows Live Solution Center article provides step-by-step instructions about changing or resetting your Live ID password (which is used by Hotmail and MSN, among others):

Account Compromise – Unauthorized Account Access

Check for Viruses

You should have an up-to-date antivirus program running on your computer at all times. For Windows, Microsoft Security Essentials is a good, free program for home use.

But new viruses can get past even the best antivirus programs. If you’ve been hacked, it’s important to scan your computer with a couple other up-to-date scanners to see if they find issues that your primary program missed. Here are two good, free scanners for Windows:

• Malwarebytes www.malwarebytes.org (click Download Free Version)
• Sunbelt VIPRE Rescue live.sunbeltsoftware.com

If you do find a true virus (not just cookies), you should seriously consider changing the passwords on all your online accounts, especially banking and credit card sites, and shopping sites that have your credit card info.

Sometimes eliminating a virus is extremely difficult and time-consuming. That’s one reason MCB Systems recommends full backups of all machines—you can restore your system to a point before it was infected. Without the backup, you may have to reinstall Windows from scratch.

MCB Systems’ site, created in-house using WordPress, rates 95 as of this writing.

How does your web site rate?

But what if you’re using another contact manager? I’m using GoldMine 6.5 as my primary CRM. 3CX can’t handle GoldMine natively, so I wrote a little program called MCB GoldPop to do it, and I decided to give it away. You can download MCB GoldPop below.

Installation

Download MCB_GoldPop.1.0.0.zip below. Unzip GoldPop.exe and place it somewhere on your local drive, e.g. under C:\Program Files\MCB GoldPop. Note that there is no installation program per se; the program is ready to run as is.

Configure MCB GoldPop

This step isn’t necessary if you want to use the default parameters. In fact, usually you will never see MCB GoldPop—it just runs momentarily in the background whenever you receive a call through 3CX, loading the matching GoldMine record if it is available.

However MCB GoldPop does have a user interface where you can review and test the various options, and it will even create a sample command line so you can use those options when you run GoldPop from the 3CX Assistant. Normally the only options you would change are Raw Caller ID (for testing) and Dialog Parameter.

How it Works

MCB GoldPop uses a method of communication called Dynamic Data Exchange (DDE) to pass the incoming CallerID from 3CX Assistant to GoldMine. When GoldMine received a CallerID from MCB GoldPop, GoldMine moves to the record matching the CallerID. Note that GoldMine’s “CallerID” function only searches the Phone1 field in GoldMine 6.5, so if the caller’s number is not in that field, the GoldMine record won’t be found. You can adjust how GoldMine handles the CallerID with the Dialog Parameter—see the MCB GoldPop user interface for more information.

Configure 3CX Assistant

To use GoldPop with 3CX Assistant:

1. In 3CX Assistant, select File > Preferences.
2. On the Options tab:
   - Check Notify external program on incoming call. 
   - In the External program path to executable field, enter the path to GoldPop.exe, e.g. C:\Program Files\MCB GoldPop\GoldPop.exe.  
   - In the Parameters field, leave the default %callid% parameter.
   - I chose to uncheck Enable CRM Integration so I would not additionally get the Outlook popup.

Get it Here

MCB GoldPop is free for personal and commercial use. However it is still copyrighted, and unauthorized publishing/distribution, incorporation in other products, and derivative works are prohibited. No warranties.

Download MCB GoldPop

Shameless Plug

This is just a small example of how a relatively simple custom program can add significant efficiency to your workday. Contact MCB Systems to discuss your next technical challenge!

The unusual thing is the attachment of type .rar. RAR is an archive format not as common as .zip in the Windows world.

I had an old copy of the freeware UnRAR on my machine so I had a look at the file contents. Sure enough, it’s a script file (.scr) which, like an .exe file, can make changes to a machine.

Virus Scanning Not Enough

This file was delivered through Postini, which means their virus scanner didn’t catch it. In fact, as of this writing, VirusTotal shows 23 of 42 antivirus engines identifying the malware. Major engines like AVG, ClamAV, and Sophos are not catching it yet. While infection is less likely since many people won’t have .rar archive utility installed, it still is up to the user to remember:  don’t open attachments from unknown senders. In fact, it’s best to avoid attachments even when you know the sender unless you are specifically expecting an attachment from them.