Thanks Bob for this research.  We should be safe, even if a user opened it
here, but yeah, it's possible that we wouldn't be....

So the question remains, can we get AFC modified to reject
encrypted/password protected Office documents - or RTF office files -
altogether?  The reasoning is the same as rejecting encrypted zip files.


On Tue, Oct 18, 2016 at 3:24 PM, Robert K Coffman Jr. -Info From Data Corp.
<bcoff...@infofromdata.com> wrote:

> Ok, thanks to Doug and Ken for sending me a sample.
>
> This thing simply installs a Trojan (MBAM calls it "Trojan.Agent.VBS")
> and then connects to server(s) to download additional Malware, if the
> user opens it, enters the password (and has a version of Word that
> recognizes it) and then enables macros.  I'd like to think that series
> of events is unlikely, but I know better.
>
> Some IPs I saw this system connected to on my firewall.  Some of these
> may be legit and not malware related (this is a re-imaged system and
> Office was trying to activate.)
>
>
> I haven't seen this thing hitting my mail server yet.
>
>
> - Bob
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
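An added example (not part of the original thread and not ASSP's own code) of the content check the message asks for: it flags password-protected OOXML documents, which are stored as an OLE container with `EncryptionInfo` and `EncryptedPackage` streams, and RTF files by their leading `{\rtf`. All function names and sample bytes are constructed for illustration; it matches stream names rather than parsing the container, and password-protected legacy binary Office files are not covered.

```python
# Added illustration, not ASSP code. Heuristic: matches stream names in the raw
# bytes instead of walking the compound-file directory.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file signature
ZIP_MAGIC = b"PK\x03\x04"                      # unencrypted OOXML is a plain zip
# Password-protected OOXML is an OLE container holding these two streams.
ENC_STREAMS = [n.encode("utf-16-le") for n in ("EncryptionInfo", "EncryptedPackage")]

def classify(data: bytes) -> str:
    """Classify attachment content by its bytes, ignoring the file name."""
    if data.startswith(OLE_MAGIC):
        if all(name in data for name in ENC_STREAMS):
            return "encrypted-ooxml"
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.lstrip()[:5] == b"{\\rtf":
        return "rtf"
    return "other"

def should_reject(data: bytes, reject_rtf: bool = True):
    """Return (reject, reason) under the policy proposed in the message."""
    kind = classify(data)
    if kind == "encrypted-ooxml":
        return True, "password-protected Office document"
    if kind == "rtf" and reject_rtf:
        return True, "RTF document"
    return False, kind

def _dir_entry(name: str) -> bytes:
    # Constructed 128-byte directory entry: 64-byte UTF-16LE name field, rest zeroed.
    return name.encode("utf-16-le").ljust(64, b"\x00") + bytes(64)

# Constructed samples (not real documents): 512-byte header, then directory entries.
_HEADER = OLE_MAGIC + bytes(504)
SAMPLE_ENCRYPTED = (_HEADER + _dir_entry("Root Entry")
                    + _dir_entry("EncryptionInfo") + _dir_entry("EncryptedPackage"))
SAMPLE_LEGACY_DOC = _HEADER + _dir_entry("Root Entry") + _dir_entry("WordDocument")
SAMPLE_DOCX = ZIP_MAGIC + b"[Content_Types].xml"
SAMPLE_RTF = b"{\\rtf1\\ansi constructed sample}"

if __name__ == "__main__":
    for label, blob in [("encrypted", SAMPLE_ENCRYPTED), ("legacy doc", SAMPLE_LEGACY_DOC),
                        ("docx", SAMPLE_DOCX), ("rtf", SAMPLE_RTF)]:
        print(label, should_reject(blob))
```

Because the decision is made on content, an RTF file renamed to `.doc` is still classified as RTF.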