Two or three days later, although many people had posted warnings about the letter on the web, nobody appeared to have analysed the threat, nor could I find any technical details on the websites of the main internet security companies.
As a result, A222 decided to carry out their own investigation. Two of my customers have received the email, and I am grateful to Andall-Legal for forwarding me a copy for analysis purposes.
FINDINGS
- The email contains an attachment: a Word document called sra.docm.
- This does contain a virus, actually a Trojan* called Win32/Injector.AYKU.
- Antivirus programs fail to spot the infected mail because it is disguised.
- PCs are vulnerable.
- Macs look as if they could get infected, but the trojan may be ineffectual.
- The trojan was intercepted by the ESET anti-virus when it tried to do anything. Other anti-virus programs might or might not be so vigilant.
- The trojan was only detected in February and its exact effect is not yet documented.
- Although this particular trojan was identified, other instances of the email might contain a different trojan or virus.
(* viruses can reproduce and spread, trojans cannot)
- If you haven't opened the attachment then no problem.
- If you've previewed it in Outlook 2007/2010/2013/365 or via a web browser then no problem. If you've previewed it in earlier Outlook or any other program then please contact us for advice (see below).
- If you opened the attachment then you may still be safe but further analysis is required. Do please contact us for advice.
- Do NOT delete the email - a copy will be needed for analysis.
- Initial tests suggest that Word 2003 is not vulnerable but later versions are at risk.
A222 may be contacted on 020 8 662 1124 or via sra@a222.co.uk
RELATED INFORMATION
- Warning from the Law Gazette, 28th February 2014
- Technical data from A222.
- Trojan information for Win32/Injector.