Kudos to Microsoft Security Essentials for picking up the nasty attachment being pumped out like crazy by the clean-skin botnet recently, while most of the other scanners failed to detect it. However, it was wrong about the identity of the malware. It’s not Peals.F!plock, as I originally reported with skepticism. It’s now detected as a variation of something known as Troj/DocDl-YU (to use the name given by Sophos). Read about it here:
This uses Microsoft’s Office macro language to download further malware from the Internet and install it on the victim’s PC, so if anyone activates it there’ll be more than just this Trojan downloader to worry about. As it’s a Microsoft Word document, people tend to open it. If the government really wants to spend money telling the public how to avoid falling victim to cybercrime, they should start by warning about sending documents by email, instead of the current nonsense. Microsoft might get the hump, though, and as I understand it, they’re acting as advisors.
If people have macros disabled on Word, they’re probably okay as long as they don’t get tricked into enabling them. I’m not hopeful in this regard.
Meanwhile, those behind it are changing the message and tweaking the payload to avoid detection – quite successfully! The latest incarnation reads:
From: UUSCOTLAND@example.com
Subject: Water Services Invoice
Good Morning,
I hope you are well.
Please find attached the water services invoice summary for the billing period of 22 September 2015 to 22 October 2015.
If you would like any more help, or information, please contact me on 0345 #######. Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to help you. Alternatively you can email me at UUSCOTLAND@example.com
Kind regards
Melissa
Melissa Lears
Billing Specialist
Business Retail
United Utilities Scotland
T: 0345 ####### (#####)
They appear to be updating it every morning at around 0800Z. Let’s see what we get tomorrow.