This Ring Central New Fax Message is an updated version of THIS. This new version uses a fake Word .doc file inside the zip instead of the older fake PDF file. The files they download are now encrypted and are the start of a newer run of the Upatre-Zbot runs that make it harder to detect and clean the malware associated with them. The second version out today (29 Jan 2014) has kept to the new encryption routine but reverted to the more usual fake PDF inside the zip file. I assume we will see a constant switching between the 2 types.

There is an updated or revised/repacked version of this malware almost every day. We will only add to this post when the malware drastically changes. The names stay consistent (which extracts to fax.pdf.exe) and the zip file is normally between 7 and 11 kb in size. They do periodically update the email to give a new date for the fax.

8 April 2014: a change to this today. Instead of a Zeus/Upatre downloader we are getting Pushdo/Wigon backdoors.

Ring Central New Fax Message is another one from the current Zbot runs which try to drop CryptoLocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium-sized businesses, in the hope of getting a better response than they do from consumers.

Almost all of these have a password-stealing component, with the aim of stealing your email or FTP (web space) login credentials. Many of them are also designed specifically to steal your Facebook and other social network login details.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

29 January 2014: (10kb) extracts to fax.doc.exe. Current Virus total detections: 26/49. MALWR Auto Analysis:

Second version, 29 January 2014: (10kb) extracts to fax.pdf.exe. Current Virus total detections: 13/50. MALWR Auto Analysis:

30 January 2014: (10kb) extracts to fax.pdf.exe. Current Virus total detections: 10/49

31 January 2014: (10kb) extracts to fax.pdf.exe. Current Virus total detections: 2/49

5 February 2014: (11kb) extracts to fax.pdf.exe. Current Virus total detections: 10/51

11 February 2014: (8kb) extracts to fax.pdf.exe. Current Virus total detections: 1/49, but see the unextracted zip detections: 14/49

8 April 2014: (55kb) extracts to fax.pdf.exe. Current Virus total detections: 8/50

This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper Word doc file or a PDF instead of the .exe file it really is, making it much more likely that you will accidentally open it and be infected.

All of these emails use social engineering tricks to persuade you to open the attachments that come with the email. It might be a message saying “look at this picture of me I took last night” that appears to come from a friend, or it might be more targeted at somebody who is likely to regularly receive PDF attachments, Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them, make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.
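The same check can be automated at a mail gateway by reading the member names from the zip without extracting anything. The following is an added example, not part of the original post; the extension lists and function names are assumptions chosen for illustration, and the sample archive is constructed with harmless placeholder bytes.

```python
import io
import zipfile

# Assumed lists for illustration: extensions Windows runs directly (not exhaustive)
# and the document types these lures pretend to be.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}


def classify_member(name):
    """Return 'disguised', 'executable' or None for one archive member name."""
    # Windows ignores trailing dots and spaces, so strip them before checking.
    cleaned = name.replace("\\", "/").rstrip(". ")
    base = cleaned.rsplit("/", 1)[-1].lower()
    # Strip padding spaces so 'fax.pdf   .exe' is treated like 'fax.pdf.exe'.
    suffixes = ["." + part.strip() for part in base.split(".")[1:]]
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return None
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        return "disguised"   # e.g. fax.pdf.exe, fax.doc.exe
    return "executable"      # plain executable inside the zip


def scan_zip(data):
    """List (member name, verdict) for each flagged member; nothing is extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            verdict = None if info.is_dir() else classify_member(info.filename)
            if verdict:
                findings.append((info.filename, verdict))
    return findings


def build_sample_zip(names):
    """Constructed test input: a zip whose members hold placeholder bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder, not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(["fax.pdf.exe", "fax.doc.exe", "readme.txt", "setup.exe"])
    for name, verdict in scan_zip(sample):
        print(f"{verdict:10} {name}")
```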