Section 1: What email did I receive, and how did I know it was Malware?
Writing a compelling Malware email is a lot like writing effective marketing copy; it has to catch your attention and compel you to take action. This Malware email is no different:
This particular Malware email claims to be from Experian, a credit reporting agency. It claims that there has been a change to your credit report and that you should view the attached report to see the change.
On the surface, the email seems legitimate enough. It doesn’t scream “Malware” when you initially look at it. It has been well worded and laid out. Experian operates in Australia (amongst other countries), so it seems feasible that this is a legitimate email about my credit.
The big giveaway on this email is the zipped attachment. Malware is typically zipped to avoid Malware scanners or programs that block running executable files directly from email.
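The zipped-attachment check described above can be automated at the mail gateway or on a workstation. The following Python script is an added example written for this post, not code from AIM Communications or any scanner product. It builds a constructed sample attachment (a zip holding a disguised file that carries only the two-byte PE/DOS “MZ” header, not a real program, alongside a harmless text file) and then inspects every entry for three independent signals: an executable extension, a double extension such as “.pdf.exe”, and the “MZ” magic bytes at the start of the file. Checking the bytes as well as the name means a renamed executable is still caught. All file names and the attachment contents are constructed for the example.

```python
import io
import zipfile

# Extensions Windows will run directly when double-clicked (assumption: list
# chosen for the example, extend it for your own environment).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
}

# Document-like extensions commonly placed before a real executable extension
# to disguise it ("Credit_Report.pdf.exe").
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def inspect_zip_attachment(data: bytes) -> list:
    """Return [(entry_name, [reasons...])] for every zip entry that looks executable.

    Three signals are checked independently so a renamed payload is still caught:
    the final file extension, a document-style double extension, and the
    PE/DOS 'MZ' header at the start of the entry's bytes.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            lower = info.filename.lower()
            parts = lower.split(".")

            # Signal 1: final extension is something Windows will execute.
            if len(parts) > 1 and "." + parts[-1] in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension .{parts[-1]}")

            # Signal 2: a decoy document extension sits before the real one.
            if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
                reasons.append("double extension disguising an executable")

            # Signal 3: the content itself starts with the DOS/PE magic bytes,
            # regardless of what the file is called.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":
                reasons.append("PE/DOS 'MZ' header")

            if reasons:
                findings.append((info.filename, reasons))
    return findings


def should_quarantine(data: bytes) -> bool:
    """Gateway-style decision: any executable-looking entry means quarantine."""
    return len(inspect_zip_attachment(data)) > 0


def build_sample_attachment() -> bytes:
    """Constructed sample attachment for the example (not a real payload).

    The 'Credit_Report.pdf.exe' entry contains only the 2-byte 'MZ' header
    padded with zeros, so it is not runnable; 'readme.txt' is benign.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Credit_Report.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"This is a plain text file.")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    for name, reasons in inspect_zip_attachment(sample):
        print(f"{name}: {', '.join(reasons)}")
    print("quarantine:", should_quarantine(sample))
```

On the constructed sample the disguised entry trips all three signals while readme.txt trips none, so the attachment is quarantined. In practice the “MZ” check is the one worth keeping even if the sender renames the file to something harmless-looking, because it reads what the file is rather than what it is called.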
If you receive this email delete it immediately. It should cause no harm to your computer unless you run the executable inside the attached zip file.
Additionally, if you are using Office365, or an on-premises email solution provided by AIM Communications, your email anti-virus should pick this email up and quarantine or delete it before you get it.
If you are interested in what the Malware attached to this email does, read on:
Section 2: What Malware did I receive, and what does it do?
This email came with a Trojan commonly known as “Trojan/Win32.Tepfer”, which I will refer to as Tepfer going forward.
Tepfer is a subclass of Malware known as “Ransomware”. Ransomware is designed to disable your computer in some way, and then demand you pay to restore full functionality. Read more about Ransomware here
Specifically, Tepfer encrypts files in your user profile, and will not unlock them until you make payment to the Malware author. It also replaces your desktop with a notice from the “Stop Online Piracy Automatic Protection System”, with details on how to make payment. An example of the notice is below:
Section 3: What do you do if you have been infected with this Trojan?
Removing this Trojan is harder than most because it disables your desktop, preventing you from running an anti-virus scan. Depending on how badly it has infected your computer, you could switch user profiles to a profile that is not infected and scan from there.
Some people will not have this option, either because they do not have a second user profile, or the second user profile has been infected as well.
AIM Communications can perform the Malware removal for you. Please call us on 1300 246 266, or email email@example.com if you would like our assistance.
Do you have any questions, comments? Email us on firstname.lastname@example.org.