Section 1: What email did I receive, and how did I determine it contained Malware?


This weeks Malware email was a little different from most I receive which claim to be from credit and reputation reporting agencies, payment facilitators, and service providers….This one claimed to come directly from my own Xerox Scanner!

Xerox Scanner Malware

We don’t have a Xerox branded scanner in our office, so for me, this was actually quite easy to spot as a non-legitimate email.  But how would you figure it out if you do have a Xerox scanner that does scan-to-email?

  • Look at the attachment.  In this case the attachment is a zip file, which is not the regular way that scanners send scans via email (well most of them anyway).
  • Look at the sender address, does it match the address you would usually see when getting a scan from your Xerox scanner?


If you receive this email delete it immediately.  It should cause no harm to your computer unless you run the executable inside the attached zip file.


Additionally, if you are using Office365, or an on-premises email solutions provided by AIM Communications, your email anti-virus should pick this email up and quarantine or delete it before you get it.



Section 2: What Malware did I receive, and what does it do?


This email, like a lot of Malware emails going around recently, contains a Trojan commonly known as “Trojan/Win32.Tepfer”.


We have written about this Trojan before, being attached to an email claiming to be from eFax Corporate, as well as an email claiming to be from Experian.


For convenience, I will also include the description below.


Tepfer is a subclass of Malware known as “Ransomware”.  Ransomware is designed to disable your computer in some way, and then demand you pay to restore full functionality.  Read more about Ransonware here


Specifically, Tepfer encrypts files in your user profile, and will not unlock them until you make payment to the Malware author.  It also replaces your desktop with a notice from the “Stop Online Piracy Automatic Protection System”, with details on how to make payment.  An example of the notice is below:

Sofilblock A




Section 3: What do you do if you have been infected with this Trojan?


Removing this Trojan is harder than most because it disables your desktop, preventing you from running an anti-virus scan.  Depending on how badly it has infected your computer, you could switch user profiles to a profile that is not infected and scan from there.


Some people will not have this option, either because they do not have a second user profile, or the second user profile has been infected as well.



AIM Communications can perform the Malware removal for you.  Please call us on 1300 246 266, or email if you would like our assistance.


Do you have any questions, comments?  Email us on


Interested in receiving these in your inbox as we write them?  Simply fill in your email below and click “Sign me up!”