Ransomware trojan enters via Powershell script contained in Word macros

  • It's translated from a German security researcher web page, so it isn't easy to read but it is important.

    https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FNeue-Infektions-Masche-Erpressungs-Trojaner-missbraucht-Windows-PowerShell-3151892.html&edit-text=&act=url

    In other news from last week, Microsoft is adding an administrator control panel in Office to control document macros. Gee, we've only had Word macros, and infections spread via Word macros, FOR ALL THE TIME OF OFFICE (pretty much). Nice to see Microsoft working so rapidly to fix a problem.

    -----
    Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson
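    An added example, not posted by anyone in this thread: the infection chain described above (a Word macro launching PowerShell) leaves a very recognisable parent/child process pair, so one of the cheapest detections is to watch process-creation telemetry for an Office application spawning a script host. The log format, field names and every sample line below are constructed for this example in the style of a Sysmon Event ID 1 export, not taken from the linked article.

```python
"""Flag Office applications spawning script hosts in a process-creation log.

The tab-separated 'Key=Value' format and all sample lines are constructed
for this example (the field names mimic a Sysmon Event ID 1 export).
"""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Command-line traits typical of a macro-launched downloader; any match raises severity.
SUSPICIOUS_ARGS = [
    (re.compile(r"-(?:e|en|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "no profile"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
     "download cradle"),
]


@dataclass
class ProcessEvent:
    utc_time: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> ProcessEvent:
    """Parse one 'Key=Value<TAB>Key=Value...' record into a ProcessEvent."""
    fields = dict(part.split("=", 1) for part in line.rstrip("\n").split("\t"))
    return ProcessEvent(fields["UtcTime"], fields["ParentImage"],
                        fields["Image"], fields["CommandLine"])


def evaluate(ev: ProcessEvent):
    """Return an alert dict when an Office app spawns a script host, else None."""
    if basename(ev.parent_image) not in OFFICE_PARENTS:
        return None
    if basename(ev.image) not in SCRIPT_HOSTS:
        return None
    traits = [name for rx, name in SUSPICIOUS_ARGS if rx.search(ev.command_line)]
    return {
        "time": ev.utc_time,
        "parent": basename(ev.parent_image),
        "child": basename(ev.image),
        "severity": "high" if traits else "medium",  # Office -> script host alone is already worth a look
        "traits": traits,
    }


def scan(log_text: str) -> list:
    """Run every non-empty line through evaluate() and keep the alerts."""
    events = (evaluate(parse_line(l)) for l in log_text.splitlines() if l.strip())
    return [alert for alert in events if alert]


# Constructed sample log: one macro-style launch, one legitimate admin script,
# one Office -> cmd.exe with a harmless command line, one Office -> print helper.
SAMPLE_LOG = "\n".join([
    "UtcTime=2016-03-29 13:58:01\tParentImage=C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE"
    "\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell.exe -nop -w hidden -enc QUJDREVG",  # QUJDREVG is a placeholder, not real payload
    "UtcTime=2016-03-29 13:58:05\tParentImage=C:\\Windows\\explorer.exe"
    "\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell.exe -File C:\\scripts\\backup.ps1",
    "UtcTime=2016-03-29 14:02:17\tParentImage=C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE"
    "\tImage=C:\\Windows\\System32\\cmd.exe"
    "\tCommandLine=cmd.exe /c echo macro test",
    "UtcTime=2016-03-29 14:03:40\tParentImage=C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE"
    "\tImage=C:\\Windows\\splwow64.exe"
    "\tCommandLine=C:\\Windows\\splwow64.exe 12288",
])

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

    The rule fires on the parent/child pair first and only uses the command-line traits to rank the alert, because a macro can launch an interpreter with a perfectly innocent-looking command line; the "medium" tier is what catches that case.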

  • Thanks for the heads up. This is what I fear hearing about from a call from a family member.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • The jerks who invent this stuff are amazingly resourceful and inventive. I've never personally understood why macros aren't stored in an external document of the same name, slap a .vbs or .macro extension on it. Need to send a spreadsheet amongst the budget department? Fine, but why aren't you using a network share?

    Personally, if I were king, I'd make RTF the corporate standard. Kinda hard to sneak an infected macro there.

    One thing that I've always hated about Exchange is its distrust of Access. You try to email an .MDB and it won't let you. Change the file extension to _MDB and it's fine. It doesn't bother inspecting, it just knee-jerk reaction blocks it.

    I'm quite glad I no longer live near my parents: 3-4 times a year I hear from my Dad that he had to take his computer in to the shop for a rebuild because of an infection. Fortunately he has a contract with them for regular work.

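    An added example, not written by anyone in this thread: the complaint above about Exchange blocking .MDB by extension alone (rename it to _MDB and it sails through) is exactly why attachment filtering should look at content, not names. The code below identifies a file by its leading bytes, spots an OOXML document that carries a VBA project regardless of what extension it was given, and looks inside zip archives. The sample files, including the minimal fake Access header and the in-memory "documents", are constructed here; only the magic-byte signatures are real format facts.

```python
"""Classify attachments by content rather than file extension.

All sample files below are constructed in memory for this example.
"""
import io
import zipfile

# (offset, signature, label): real format signatures, checked at a fixed offset.
MAGIC = [
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound"),   # legacy .doc/.xls/.ppt/.msg container
    (4, b"Standard Jet DB\x00", "access-database"),             # .mdb (Jet engine)
    (4, b"Standard ACE DB\x00", "access-database"),             # .accdb (ACE engine)
]
# An Office Open XML package stores VBA here; its presence means macros, whatever the extension says.
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # don't inflate huge members while scanning


def classify(data: bytes) -> str:
    """Return a content-derived label for one byte string."""
    for offset, sig, label in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            return label
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        if any(m in names for m in MACRO_MEMBERS):
            return "ooxml-with-macros"
        if "[Content_Types].xml" in names:
            return "ooxml"
        return "zip"
    return "unknown"


def inspect(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Classify a file and, for plain zip archives, every member inside it."""
    label = classify(data)
    findings = [(name, label)]
    if label == "zip" and depth < max_depth:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member_name = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((member_name, "skipped-too-large"))
                    continue
                findings.extend(inspect(member_name, zf.read(info), depth + 1, max_depth))
    return findings


def _make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {member_name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed samples: a renamed Access file, a macro-carrying document with a
# harmless-looking extension, a clean document, and an archive hiding a database.
FAKE_MDB = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 32
SAMPLES = {
    "budget._MDB": FAKE_MDB,
    "report.docx": _make_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 16,
    }),
    "minutes.docx": _make_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
    }),
    "attachments.zip": _make_zip({"data/budget.mdb": FAKE_MDB, "readme.txt": b"hello"}),
}


def scan_samples() -> dict:
    """Run inspect() over every constructed sample; returns {name: findings}."""
    return {name: inspect(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        for path, label in findings:
            print(f"{path}: {label}")
```

    The extension never enters into it: "budget._MDB" is reported as an Access database because the Jet header is at offset 4, and "report.docx" is reported as macro-enabled because the package contains word/vbaProject.bin. Recursing into archives closes the "just zip it" gap mentioned later in the thread, with a depth limit and a per-member size cap so a crafted archive cannot turn the scanner into a decompression bomb victim.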

  • Wayne West (3/29/2016)

    ...You try to email an .MDB and it won't let you. Change the file extension to _MDB and it's fine. It doesn't bother inspecting, it just knee-jerk reaction blocks it...

    I know. You can get most files past that way or by zipping them up.

    Wayne West (3/29/2016)

    ...I'm quite glad I no longer live near my parents: 3-4 times a year I hear from my Dad that he had to take his computer in to the shop for a rebuild because of an infection. Fortunately he has a contract with them for regular work.

    I would avoid it but my Dad would get totally fleeced.

    Gaz


  • This was removed by the editor as SPAM

  • ramsymartin12 wrote:

    CryptoLocker ransomware or similar malware is distributed through spam email campaigns. Scammers or attackers send spam emails to your mailbox which contain messages along with malicious attachments or links. The attachments can be Microsoft Office documents, including Word, Excel, and others. Once opened, it enables malicious macro commands in the attached MS Office document file and starts infecting your machine. For more details, visit "unknown link removed" through link.

    BWAAA-HAAAA-HAAAA!!!  I'm sure someone will mark your post as SPAM but I'll ask the question first...So... we're supposed to click on an unknown link to get your protection, eh?

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • Oooooo... now that's interesting... I did a quote of an existing post at 1:58PM and the SPAM deletion that had to have occurred AFTER that is marked as having occurred at 6:14AM the same day.  Bit 37 of DBCC TIMEWARP must be in play. 😀

