1

I got a mail from my professor this morning with a request.zip file attached and a password in the mail to open it. Since the mail was from my professor and he already did send me zip attachments I didn't think about it and opened it, but it ended being a strange word document. Later he wrote the whole team a mail that he has a virus and that we shouldn't open the attachment. I updated my antivirus software (GDATA-Internet Security) and ran two virus scans but it didn't find anything on my computer. It looks like the following two examples I found on this and another blog. You can find them here (1) and here (2) What should I do now? Is there a way to find the data on my computer?

borcho
  • 550
  • 2
  • 15
Paul
  • 11
  • 2
  • You could upload the Word document (not the encrypted .zip) to [VirusTotal](https://www.virustotal.com/gui/); it should give you a better idea what the malware is. – Gordon Davisson Apr 21 '21 at 02:26
  • It is my personal Laptop that I manly use for university stuff. I gave it to the IT guysfrom my university yesterday and they found the trojan virus quite fast and were able to delete it and other malware from my device. But thanks to you all for the tips. – Paul Apr 21 '21 at 09:55

3 Answers3

1

In basic I think that word document contained a macro that got executed and probably audited your system for any AV software and then downloaded the real malware. I would suggest to reinstall the whole system if that's possible and check for strange behavior in the network as this malware may try to look around the network to see what else is there. Yes, there is a chance to find all data on your computer and send it to remote server where will be stored and wait for someone to check it. I would recommend getting an secure computer/laptop that was not in the network to prevent any further spreading of the malware and change all passwords that you have stored/used on the infected system.

mrSotirow
  • 152
  • 1
  • 3
1

You have been infected. Now you must assume total breach , save the essential files in a pendrive / hard disk (and double check that they do not contain malware) , change EVERY password of every service that could have been used from your computer and reinstall the OS.

borcho
  • 550
  • 2
  • 15
0

Modern Office requires the user to allow macros to run by clicking the yellow security bar. This should be the default setting. Can you verify this? Did you allow it to run? If you did, it can spread in to other documents and templates. Are you using something like Libre/Open Office? Then you should be safe, unless it was an Open Office formatted document that you openend, since OO it has its own scripting language?

Since you already opened or ran it, you might as well run it again to try to see what it does. Apparently MS Office macros can have a compiled version for performance reasons that can differ from the non compiled macro, and macro viruses use this to make it look like the macro is safe, but the compiled macro is actually different. See https://www.schneier.com/blog/archives/2019/05/malicious_ms_of.html

Do you use a limited user account, or have UAC turned on? Then the impact would be within your account. There shouldn't be any need to reinstall Windows.

You could try submitting the extracted ZIP file contents to your antivirus software company. Once it gets added to their database, you should be able to scan your computer for what remains of the virus. You may want to try to verify that nothing else got downloaded after the macro was run though, since that would allow it to install something other than what you submit to your AV company, so your AV wouldn't catch it. You could open the macro in a different user account or a limited account on another computer to check to see if it downloads anything.

Alex Cannon
  • 402
  • 2
  • 7