They finally got me

Started by zappaDPJ, Dec 24, 2014, 16:54:08


zappaDPJ

For months I've been receiving emails with attachments that supposedly come from Apple, Amazon and just about every other major company I interact with electronically on a regular basis. They have become a real pain because some of them look very legitimate. A couple of weeks ago I very nearly opened an attachment invoice from a small local company I have dealings with but something stopped me. That one really raised my paranoia levels because the spoofed sender was someone I know by name.

This morning they finally got me. I received an email from what appeared to be my daughter's email address, opened up the attachment and boom! I'm still trying to remove the virus (TrojanDownloader:Win32/Drixed.B) and repair the damage. I still don't know if it's an incredible coincidence or something more sinister. My daughter's mailing address is quite unique.
zap
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Simon

Have you tried Malwarebytes?
Simon.

Technical Ben

Sounds like either your own, or someone you know's, email address list got hacked (off another PC etc.). Which would give them a list, as you said, of people's names and email addresses.

If you're with the likes of Yahoo etc., they do occasionally get hacked (or possibly internal leaks?) en masse. Though the ISPs less so.
I used to have a signature, then it all changed to chip and pin.

zappaDPJ

Quote from: Simon on Dec 24, 2014, 17:07:35
Have you tried Malwarebytes?

To remove the virus? I did and it detects it but it can't remove the payload. It looks like the initial infection downloaded a load of other nasty stuff. I'm fairly sure I'm going to have to roll back to Sunday's backup which is a pain because I'll lose two days work.

Quote from: Technical Ben on Dec 24, 2014, 17:22:33
Sounds like either your own, or someone you know's, email address list got hacked (off another PC etc.). Which would give them a list, as you said, of people's names and email addresses.

If you're with the likes of Yahoo etc., they do occasionally get hacked (or possibly internal leaks?) en masse. Though the ISPs less so.

That did occur to me as a possibility, but when I Googled the local company's email contents it turned out to be a known attack vector. It seems the people behind this are being quite clever: they started by spoofing well-known companies but seem to have switched to smaller outlets such as charities and small localised companies.

How they came to spoof my daughter's email address is a worry though; that's far too close to home, but I'm convinced it's the same people.
zap

zappaDPJ

Quote from: zappaDPJ on Dec 24, 2014, 17:35:02
I did and it detects it but it can't remove the payload.

Actually, I take that back, Malwarebytes doesn't recognise TrojanDownloader:Win32/Drixed.B as a virus. In fact Microsoft S.E. seems to be the only product that does so it's fortunate that I'm using it. It also appears this virus is new to the Internet.
zap

Simon

So, will MSE not remove it?
Simon.

zappaDPJ

It'll quarantine the attachment file and remove another virus that was downloaded when the infection first ran, but it appears to have hooks deep into the operating system, i.e. a reboot brings it all back again. It's not worth messing about with; I'll reinstall from a backup. Unfortunately viruses are getting so sophisticated now that they simply can't be removed by anti-virus products. This one shouldn't have got through though; it's entirely my fault that it did.
zap

Simon

Well, you say that, but if MSE detects it, why didn't it block it in the first place?
Simon.

zappaDPJ

It quarantined the file; that was what alerted me to it, but I guess the damage was already done because I'd run it from the email, which was really stupid. I was 100% certain it was legitimate but I was obviously wrong.
zap

Steve

This sounds awful, a whole lot of work required to get back to two days ago.
Steve

zappaDPJ

I'm now fully restored and still somewhat annoyed with myself for getting caught out in the first place. Now I have two days' work to redo before next Monday.
zap

Technical Ben

Similar thing happened last Christmas to a small one-person office I was working at. Similar thing: the owner gets phone message attachments emailed in as it's easier than using an answerphone. Also gets tons of PDFs emailed in from clients. Hits the wrong attachment/email and the whole server gets a ransom trojan (deletes/replaces all files with porn names, which is why I got asked "you downloaded anything?"). To add to that, it appears that due to a small error the client virus scanner was installed on the server, and the server scanner on the client, so not sure if it was even working properly.

Took it out for 2 days and they had to have their IT tech roll it all back to the daily backup.