Wonder why it is difficult to email a new exe to a customer? I put it in a zip file.
On Thu, Feb 11, 2016 at 7:21 AM, Peter Cushing <pcushing@whisperingsmith.com
wrote:
On 10/02/2016 17:42, Ted Roche wrote:
<snip>
Do you understand the mechanism within the DOCX files that's deliverying the payload?
No, but don't think it would help me anyway. We just need a reliable way of determining if the word (or excel) file is infected. When they don't show up on xx virus scanners on virus total what can you do?
I wonder if opening the DOCX files in a different reader, like OpenOffice might disarm the payload. Be careful: you're playing with fire, here. Supposedly, you can completely disable macros with:
https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-...
Our users sometimes get spreadsheets with macros from customers so occasionally need to use this feature. The article also shows that you can disable the feature but for trusted documents put them in a trusted location to run the macro. will have to check if this is viable.
We have just wiped the machine that did the damage but still could not detect anything on it. You just could not trust the machine as it was.
Turns out we were hit by crypto wall 4, but still don't know how it got onto the machine. It might have been an email attachment but we can't find anything suspicious in his email archive.
Peter
Brave Soul at Pure London 14th-16th Feb Stand F44 Mens and Womens SS16 Stock and AW16 Preview
This communication is intended for the person or organisation to whom it is addressed. The contents are confidential and may be protected in law. Unauthorised use, copying or disclosure of any of it may be unlawful. If you have received this message in error, please notify us immediately by telephone or email. www.whisperingsmith.com
Whispering Smith Ltd Head Office:61 Great Ducie Street, Manchester M3 1RR. Tel:0161 831 3700 Fax:0161 831 3715 London Office:17-19 Foley Street, London W1W 6DW Tel:0207 299 7960
[excessive quoting removed by server]