On 10/02/2016 17:42, Ted Roche wrote:
<snip>
Do you understand the mechanism within the DOCX files that's
deliverying the payload?
No, but don't think it would help me anyway. We just need a reliable
way of determining if the word (or excel) file is infected. When they
don't show up on xx virus scanners on virus total what can you do?
I wonder if opening the DOCX files in a different reader, like
OpenOffice might disarm the payload. Be careful: you're playing with
fire, here. Supposedly, you can completely disable macros with:
https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12
Our users sometimes get spreadsheets with macros from customers so
occasionally need to use this feature. The article also shows that you
can disable the feature but for trusted documents put them in a trusted
location to run the macro. will have to check if this is viable.
We have just wiped the machine that did the damage but still could not
detect anything on it. You just could not trust the machine as it was.
Turns out we were hit by crypto wall 4, but still don't know how it got
onto the machine. It might have been an email attachment but we can't
find anything suspicious in his email archive.
Peter
Brave Soul at Pure London
14th-16th Feb
Stand F44
Mens and Womens
SS16 Stock and AW16 Preview
This communication is intended for the person or organisation to whom it is addressed. The contents are confidential and may be protected in law. Unauthorised use, copying or disclosure of any of it may be unlawful. If you have received this message in error, please notify us immediately by telephone or email.
www.whisperingsmith.com
Whispering Smith Ltd Head Office:61 Great Ducie Street, Manchester M3 1RR.
Tel:0161 831 3700
Fax:0161 831 3715
London Office:17-19 Foley Street, London W1W 6DW Tel:0207 299 7960
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message:
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the
author, and do not constitute legal or medical advice. This statement is added
to the messages for those lawyers who are too stupid to see the obvious.
