I work in supporting various users and businesses remotely and have run across quite a virus today. I received an E-mail from a client this morning regarding an invoice with a .zip attached and an exe inside it, and straight away called the client in question, having seen this sort of thing multiple times before.
When I connected I ran a Malwarebytes scan which turned up nothing, then I ran AVG which also turned up nothing. However, she did show me nearly 50 replies from people saying they cannot open the document.
I took a copy of the virus she had sent us and uploaded it to https://www.virustotal.com/ which showed that it slid past all anti-virus aside from 5. See results:
I went ahead and installed Avast which found nothing on the computer in question before turning to GData which actually found 3 files:
ua.png - Trojan.Updatre.Crypted.2 - C:\Users\User'\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VPA35ZLC
Gyci7Ec9.txt - Trojan.Updatre.Crypted.2 - C:\Users\User'\AppData\Local\Temp
Docs-1416.exe - Trojan.Updatre.Gen.3 - C:\Users\User'\AppData\Local\Rar$EXa0.686
As well as flagging original E-mails in Outlook's .ost file.
In the process of scanning, it also flagged off AVG with:
I quarantined and deleted the first 3 files before allowing AVG to do the same.
I have also since run rkill which appeared to find nothing.
I have checked the sent items in Outlook and in the Office 365 web client; however, there is no trace of any E-mails being sent, only 50 or so reply E-mails. It might also be worth mentioning that this PC is the only device with access to the E-mail address she is using and the password is changed quarterly.
How can I make sure this is completely removed and no longer E-mailing contacts off her Outlook address list? I would be happy to upload a sample to someone capable and willing to take a look.
Edited by roker, 11 June 2015 - 12:37 AM.
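One way to answer the "is it still E-mailing contacts?" question independently of the Sent Items folder, as an added example that is not part of the original post: an Exchange Online message trace for the affected address. It assumes the ExchangeOnlineManagement module and an admin account; the two addresses are placeholders.

```powershell
# Added example, not from the original post. Run from an admin workstation with the
# ExchangeOnlineManagement module installed; both addresses below are placeholders.
$Mailbox = 'user@example.com'      # placeholder: the affected sender address
$Admin   = 'admin@example.com'     # placeholder: Exchange Online admin UPN

Connect-ExchangeOnline -UserPrincipalName $Admin

# Message trace records every message the tenant relayed for this sender, whether or
# not a copy survives in Sent Items. Only the last 10 days are available.
$trace = Get-MessageTrace -SenderAddress $Mailbox `
                          -StartDate (Get-Date).AddDays(-10) `
                          -EndDate   (Get-Date) `
                          -PageSize  5000

'Messages relayed by the tenant from {0} in the last 10 days: {1}' -f $Mailbox, $trace.Count

# Who received what: a burst of one subject to the whole address book stands out here.
$trace | Group-Object RecipientAddress |
    Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Where the messages were submitted from. A single IP matching the client's office
# connection points at her PC; unfamiliar addresses point at her credentials being
# used from somewhere else.
$trace | Group-Object FromIP | Select-Object Name, Count | Format-Table -AutoSize

# Delivery outcome per message (Delivered, Failed, Quarantined, ...)
$trace | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

An empty trace while contacts keep receiving mail means the messages never passed through this tenant at all, i.e. the address is being forged from elsewhere; the Received headers of one of the reply E-mails' quoted originals will show the real sending host.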