Section 1: What email did I receive, and how did I know it was Malware?
I receive this Malware email from time to time (typically around once or twice a month). The last two times I received it, it had the same Malware variant attached. Below is an example of the email that I received:
This email was actually quite easy to identify as Malware, for 2 reasons:
- Our business does not use eFax
- The email was sent to several email addresses @aimcom.com.au (our company domain), but most of the email addresses were incorrect (email@example.com, firstname.lastname@example.org as examples)
If you receive this email, delete it immediately. It should cause no harm to your computer unless you run the executable inside the attached zip file.
Additionally, if you are using Office365, or an on-premises email solution provided by AIM Communications, your email anti-virus should pick this email up and quarantine or delete it before you get it.
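The indicators above (a sender posing as a service the business does not use, many recipients at the company domain that are not real mailboxes, and a zip attachment holding an executable) can be checked automatically. The following Python sketch is an added example, not part of the original article or any AIM Communications tooling; the mailbox directory, extension list, function names and sample message are constructed assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

COMPANY_DOMAIN = "aimcom.com.au"            # company domain named in the article
KNOWN_MAILBOXES = {"alice@aimcom.com.au"}   # assumption: constructed staff directory
UNUSED_SERVICES = ("efax",)                 # services the business does not use
RISKY_EXT = (".exe", ".scr", ".pif")        # assumption: extensions treated as executables

def triage(raw: bytes) -> list[str]:
    """Return the reasons a message matches the indicators described above."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if any(s in str(msg.get("From", "")).lower() for s in UNUSED_SERVICES):
        reasons.append("sender claims to be a service we do not use")
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    ours = [a.lower() for _, a in rcpts if a.lower().endswith("@" + COMPANY_DOMAIN)]
    unknown = [a for a in ours if a not in KNOWN_MAILBOXES]
    if len(ours) > 1 and len(unknown) > len(ours) / 2:
        reasons.append(f"{len(unknown)} of {len(ours)} company recipients are not real mailboxes")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:  # list archive members without extracting or running anything
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            reasons.append(f"{name}: unreadable zip attachment")
            continue
        reasons += [f"{name}: contains executable {m}" for m in members if m.lower().endswith(RISKY_EXT)]
    return reasons

def sample_message() -> bytes:
    """Constructed sample: fake fax notice whose zip holds a harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"placeholder bytes, not a program")
    msg = EmailMessage()
    msg["From"] = "eFax <noreply@sender.invalid>"
    msg["To"] = "alice@aimcom.com.au, jsmith1@aimcom.com.au, sales99@aimcom.com.au"
    msg["Subject"] = "Fax received"
    msg.set_content("Your fax is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="fax.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print("\n".join(triage(sample_message())))
```

A message that returns any reason is a candidate for quarantine; the archive is only listed, never extracted.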
If you are interested in what the Malware attached to this email does, read on.
Section 2: What Malware did I receive, and what does it do?
This email came with a Trojan commonly known as “Trojan/Win32.Tepfer”, which I will refer to as Tepfer going forwards. We have written about this Trojan before; here is a link to the previous article.
It’s also important to note that although this Malware has been going around the internet for nearly 3 weeks, only 33 of the 46 most common anti-virus vendors detect and protect against this Malware currently. This is why it is important to use a good anti-virus product, not just any anti-virus product.
Both of the products that AIM Communications supplies and maintains detect and protect against this Malware. These products are Trend Micro and Microsoft Forefront (for Office365 users).
Tepfer is a subclass of Malware known as “Ransomware”. Ransomware is designed to disable your computer in some way, and then demand you pay to restore full functionality.
Specifically, Tepfer encrypts files in your user profile, and will not unlock them until you make payment to the Malware author. It also replaces your desktop with a notice from the “Stop Online Piracy Automatic Protection System”, with details on how to make payment. An example of the notice is below:
Section 3: What do you do if you have been infected with this Trojan?
Removing this Trojan is harder than most because it disables your desktop, preventing you from running an anti-virus scan. Depending on how badly it has infected your computer, you could switch user profiles to a profile that is not infected and scan from there.
Some people will not have this option, either because they do not have a second user profile, or the second user profile has been infected as well.
AIM Communications can perform the Malware removal for you. Please call us on 1300 246 266, or email email@example.com if you would like our assistance.
Do you have any questions or comments? Email us on firstname.lastname@example.org.