The spammed malware attack continues, but Microsoft SE has been getting it wrong

Kudos to Microsoft Security Essentials for picking up the nasty attachment being pumped out like crazy by the clean-skin botnet recently, while most of the other scanners failed to detect it. However, it was wrong about the identity of the malware. It’s not  Peals.F!plock, as I originally reported with skepticism. It’s now detected as a variation of something known as Troj/DocDl-YU (to use the name give by Sophos). Read about it here:

This uses Microsoft’s Office macro language to download further malware from the Internet and install it on the victim’s PC, so if anyone activates it there’ll be more than just this Trojan downloader to worry about. As it’s a Microsoft Word document, people tend to open it. If the government really wants to spend money telling the public how to avoid falling victim to cybercrime, they should start by warning about sending documents by email, instead of the current nonsense. Microsoft might get the hump, though, and as I understand it, they’re acting as advisors.

If people have macros disabled on Word, they’re probably okay as long as they don’t get tricked in to enabling them. I’m not hopeful in this regard.

Meanwhile, those behind it are changing the message tweaking the payload to avoid detection – quite successfully! The latest incarnation reads:


Subject: Water Services Invoice

Good Morning,

I hope you are well.

Please find attached the water services invoice summary for the billing period of 22 September 2015 to 22 October 2015.

Please generate and paste your ad code here. If left empty, the ad location will be highlighted on your blog pages with a reminder to enter your code. Mid-Post

If you would like any more help, or information, please contact me on 0345 #######. Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to help you. Alternatively you can email me at

Kind regards


Melissa Lears

Billing Specialist

Business Retail

United Utilities Scotland

T: 0345 ####### (#####)


They appear to be updating it every morning at around 0800Z. Let’s see what we get tomorrow.


Leave a Reply

Your email address will not be published. Required fields are marked *