I have a user on our network that opened a Word doc that got emailed to him. We have a WatchGuard firewall. It missed it. We have antivirus running on the firewall. It missed it. We have AVG Business Edition on the desktops. It missed it. This was a Windows XP PC running OpenOffice.
The file was opened and then the user called because he could not see the "Resume" he got emailed. (Ugh).
So we forwarded the email to me, then deleted it from his machine.
I ran a scan on it from AVG to double check. Nothing.
I then used a website to run multiple scans on it. Only 2 of 42 scanners used at this site flagged it as bad.
Arcabit called it HEUR.VBA.Trojan
Fortinet called it WM/Agent!tr
After reading about what it does I have a couple of questions.
1. Would it have run since the user had OpenOffice instead of MS Office? I have a feeling yes but...
2. It sounds like most variants of this try to open a port other than 80 to get to the server they are trying to contact. Since most all of our ports are closed, should we be OK?
3. Thoughts on how to figure out what port this specific one tried to use?