Section 1: What email did I receive, and how did I know it was Malware?
This Malware email has been popping up periodically over the past few months, each time with a slightly different Malware variant attached. Below is an example of the email that I received:
This email is a little harder than most to distinguish as Malware, for 2 reasons:
- It does not contain spelling mistakes, a hallmark of Malware emails
- Links inside the email went back to www.dandb.com, which is actually the official website of Dun and Bradstreet
On the other hand, there were a few clear indicators that the email was indeed Malware:
- It was from Dun and Bradstreet, a company that does reputation reporting for the US and Canada, not Australia where I am based. I have never dealt with this company before either.
- It had a zip file attached. Why would they send me a word processor document in a zip file?
If you receive this email, delete it immediately. It should cause no harm to your computer unless you run the executable inside the attached zip file.
Additionally, if you are using Office365, or an on-premises email solution provided by AIM Communications, your email anti-virus should pick this email up and quarantine or delete it before you get it.
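The zip attachment indicator described above can be checked automatically. The following is an added example, not part of the original post: it parses a raw email message and lists any executable files found inside zip attachments. The extension list, the addresses and the file names in the sample are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows will run when double-clicked (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def risky_zip_members(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (attachment name, member name) for executables inside zip attachments."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Trust the content, not the file name or MIME type.
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                # Windows ignores trailing dots and spaces in file names.
                lowered = member.lower().rstrip(". ")
                if any(lowered.endswith(ext) for ext in EXECUTABLE_EXTS):
                    hits.append((name, member))
    return hits


def build_sample() -> bytes:
    """Constructed sample: a harmless text payload named like a disguised program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report.doc.exe", b"not a real program")
        zf.writestr("readme.txt", b"harmless")
    msg = EmailMessage()
    msg["From"] = "alerts@sender.example"
    msg["To"] = "user@recipient.example"
    msg["Subject"] = "Constructed sample message"
    msg.set_content("Please see the attached report.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Report.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, member in risky_zip_members(build_sample()):
        print(f"{attachment}: contains executable {member}")
```

A member name with a double extension such as `.doc.exe` is flagged because only the final extension decides how Windows opens the file.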
If you are interested in what the Malware attached to this email does, read on.
Section 2: What Malware did I receive, and what does it do?
I received two copies of it today; both came with a Trojan commonly known as “Trojan/Win32.Tepfer”, which I will refer to as Tepfer going forward.
Tepfer is a subclass of Malware known as “Ransomware”. Ransomware is designed to disable your computer in some way, and then demand you pay to restore full functionality.
Specifically, Tepfer encrypts files in your user profile, and will not unlock them until you make payment to the Malware author. It also replaces your desktop with a notice from the “Stop Online Piracy Automatic Protection System”, with details on how to make payment. An example of the notice is below:
Section 3: What do you do if you have been infected with this Trojan?
Removing this Trojan is harder than most because it disables your desktop, preventing you from running an anti-virus scan. Depending on how badly it has infected your computer, you could switch user profiles to a profile that is not infected and scan from there.
Some people will not have this option, either because they do not have a second user profile, or the second user profile has been infected as well.
AIM Communications can perform the Malware removal for you. Please call us on 1300 246 266, or email email@example.com if you would like our assistance.
Do you have any questions or comments? Email us on firstname.lastname@example.org.