I received an email yesterday and it was held on my Firewall that collects attachments and analyses them before they are released.
I decided to look at this file today and see what goodies were waiting for me. This word document was not flagged and malicious but was held because is was suspicious. I downloaded the file on my computer and 2 AV engines did not catch it as being an issue. I decided to execute the file on a cloud based malware research tool.
What I discovered that after 24 hrs. the file was not considered a threat but 32 or the 57 AV engines. Some of the most popular companies either did not have the intelligence yet or did not consider it a threat yet.
The results were interesting. This file created/dropped 7 files on the system, 2 were VMdetect files that look for Sandbox environments that researchers use to safely execute malicious files. If it finds that it is in a sandbox, the trojan file becomes benign.
I also noticed that the file encoding was Cyrillic.
I then looked at the registry keys that were affected, about 800 registry keys were modified, try cleaning that up.
In its behavior, it made winword.exe (Word) behavior change 1332 times.
What I learned from this malware, you need something or someone to analyze all incoming files in to your environment, be it a NextGen Firewall with email handling, Multi-AV engine solutions running on peoples computers and someone to call in case someone accidentally triggers this Word document.
Today, the only practice we can recommend to clean up any type of infection would only be a “Wipe The Drive” or at today’s prices, replace the drive and destroy it. If the malware actually ran on my system, it could have modified my bios, so every time I rebooted, it would re-infect the computer, and that would be a worst case scenario, but more commonly you will find that they hide in boot sectors of hard drive or may create hidden area in the drive and may call itself when it is programed.
Federal Privacy Law Pipeda On June 18, 2015, the Digital Privacy Act received Royal Assent. The Act introduces a number of amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), most of which are now in force. For more information about the amendments, please see our fact sheet on the Digital Privacy Act.