Document1 pretending to come from your own email address – JS malware leads to Locky ransomware — 32 Comments

  1. I am amazed that NOBODY has identified any of these low-lifes.
    Surely we could send an operative with a 22 to visit them.
    Only need to say hello to a couple and the word would get out.

    • Many of these scumbags are based in Russia and are part of big organised criminal gangs that just want to make a lot of money in the quickest and easiest way.

    • But are you acting on SPF?
      A high proportion of mail servers and sysadmins set up SPF on outgoing mail so other companies know what to reject, but don’t set up their own email servers to act on SPF failures.

      There are some suggestions in the Reddit topic in the first comment. However, that depends on how you set up the server and how many users work from home or on the road and need to send emails that use an xxx@yourcompany.com email address from external IP numbers.
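    An added example (not code from the blog post or from any commenter) of what "acting on SPF failures" on the inbound MX can look like: a small Python filter that reads the Authentication-Results header our own MX stamped and rejects mail claiming a From address in our own domain without an SPF pass, which is exactly the "pretending to come from your own email address" case this post is about. The domain names, the authserv-id and all sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed placeholder values for the example: the domains this MX accepts mail
# for, and the authserv-id our MX writes into Authentication-Results (RFC 8601).
LOCAL_DOMAINS = {"yourcompany.com"}
OUR_AUTHSERV_ID = "mx.yourcompany.com"

_SPF_RE = re.compile(
    r"\bspf=(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.I)


def spf_result(msg, authserv_id=OUR_AUTHSERV_ID):
    """Return the SPF verdict from the Authentication-Results header stamped by
    our own MX ("missing" if there is none). Headers carrying any other
    authserv-id are ignored, because a sender can insert its own "spf=pass"
    before the message reaches us. The MX must also delete pre-existing headers
    that claim OUR_AUTHSERV_ID before adding its own (RFC 8601, section 5);
    that part is the MX's job, not this filter's."""
    for value in msg.get_all("Authentication-Results", []):
        stamped_by = value.split(";", 1)[0].strip()
        if stamped_by.lower() != authserv_id.lower():
            continue
        match = _SPF_RE.search(value)
        if match:
            return match.group(1).lower()
    return "missing"


def classify(raw_message, local_domains=LOCAL_DOMAINS, authserv_id=OUR_AUTHSERV_ID):
    """Policy decision for one message arriving on the inbound MX path.
    Returns "reject", "quarantine" or "accept"."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    verdict = spf_result(msg, authserv_id)

    if from_domain in local_domains:
        # Our own users send through authenticated submission, not through the
        # inbound MX, so a From in our domain arriving here without an SPF pass
        # is the "mail from yourself" spoof discussed in the thread.
        if verdict == "pass":
            return "accept"
        return "quarantine" if verdict == "missing" else "reject"
    if verdict == "fail":
        # The sending domain's own policy says this host may not send for it.
        return "reject"
    if verdict in ("softfail", "permerror", "missing"):
        return "quarantine"
    return "accept"


# Constructed sample messages (not real mail). Header From spoofed to the
# recipient's own address; our MX saw the connecting IP fail SPF.
SPOOFED_SELF = """\
Authentication-Results: mx.yourcompany.com; spf=fail smtp.mailfrom=bob@yourcompany.com
From: bob@yourcompany.com
To: bob@yourcompany.com
Subject: Document2

"""

# Same spoof, but the sender pre-inserted a header from a foreign authserv-id
# claiming a pass. Only our MX's own header counts.
FORGED_PASS = """\
Authentication-Results: relay.invalid; spf=pass smtp.mailfrom=bob@yourcompany.com
Authentication-Results: mx.yourcompany.com; spf=fail smtp.mailfrom=bob@yourcompany.com
From: bob@yourcompany.com
To: bob@yourcompany.com
Subject: Document2

"""

LEGIT_EXTERNAL = """\
Authentication-Results: mx.yourcompany.com; spf=pass smtp.mailfrom=news@example.net
From: news@example.net
To: bob@yourcompany.com
Subject: Newsletter

"""

SOFTFAIL_EXTERNAL = """\
Authentication-Results: mx.yourcompany.com; spf=softfail smtp.mailfrom=partner@example.org
From: partner@example.org
To: bob@yourcompany.com
Subject: Invoice

"""

if __name__ == "__main__":
    samples = [("spoofed self", SPOOFED_SELF), ("forged pass", FORGED_PASS),
               ("legit external", LEGIT_EXTERNAL), ("softfail", SOFTFAIL_EXTERNAL)]
    for name, raw in samples:
        print(f"{name:15} -> {classify(raw)}")
```

    The road-warrior concern raised above does not apply to this check: users on the road send through the authenticated submission service (port 587), so their mail never passes through the inbound MX path that this filter guards. What does break SPF for legitimate senders is forwarding (mailing lists, forwarded mailboxes), which is the usual reason admins hesitate to hard-reject external domains on a plain SPF fail; that is why the example only rejects outright when the forged From claims one of our own domains.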

  2. Hi,

    I double-clicked “Document2” …js through WinRAR, after which my antivirus said it had removed a trojan, and I deleted the zip file.
    Might I be affected, or did my antivirus just save me? Should I do anything?

    Thanks,
    Joosep

  3. I accidentally opened Document2 on my MacBook Air today. I just saw a page of code/gibberish when I opened the js file. (I normally am very careful, but I thought it was a file I had sent to myself, which I do regularly.) My computer was not locked with ransomware, but I’m concerned it may be infected with a trojan that would steal my passwords/login info. It checked clean when analyzed by two different programs (one through the GeekSquad, the other from my professional computer repairman). Could my computer be infected? I’m afraid to log into my bank, credit card, social media, etc. accounts.

    Thanks,

    Michelle

    • It appears that most malware authors only write malicious code with the intention of targeting and infecting machines running Windows, as it is the most widely used and popular OS in the world. Since you are using a MacBook, or even a computer running Linux, the chances of you becoming infected are very minimal at this time. I wouldn’t worry too much about logging in to your bank or social media accounts; just as long as you don’t open a .js file in Windows, you should be OK, Michelle.

  4. I just opened Document 2.zip on a MacBook. Is this still Windows-specific? And if so, should I still change my passwords etc.? Finally, if I have deleted the download and cleared my trash, is it off my computer? Or is there any chance it could infect someone else?

  5. Is this a legitimate hack? The fact that it is ‘pretending’ to come from my own email address is worrying. Is it just clever spam, or should I change my password?

    • It is just spoofing your email address, and if you didn’t open the attachment, there is no risk. No one has your email password.
      All they do is spoof the sender so it appears that it is coming from the same address as the recipient. Trivially easy to do.

  6. I know I’m stupid and know very little about these things, but if one right-clicks the zip file and chooses “open archive” to view the content, is that safe?

  7. I got the email yesterday. It was sent from my own account. The name of the .ZIP file was “Document 2.zip”. I have deleted it and reported it to my email provider.

    I have a question. How can it be possible that they’ve sent the email from my own account? How does this work? Did they hack my email account?

    Thanks

    • It is just spoofing your email address, and if you didn’t open the attachment, there is no risk. No one has your email password.
      All they do is spoof the sender so it appears that it is coming from the same address as the recipient. Trivially easy to do.

  8. Pingback: Caution: Document2.zip attachment | Chris' Laboratory

  9. I received 2 zip attachments yesterday. One of them was entitled ‘Document 2.zip’ with an empty email body; upon right-clicking and extracting the file, it read ‘FBT3688413323.js’. The second contained the spoofed sender’s email address ‘afifashohab4523@gmail.com’ and contained the folder ‘mygov_6968825.zip’; on extraction, another .js file, ‘XJR7645758012.js’, was there. I scanned these 2 files with both Superantispyware Pro and Norton Internet Security, and neither app found the malware. I find this very worrying, especially as they are both considered to be very reliable at dishing out these sorts of threats. It seems that these fraudsters, who aim to steal our passwords and our precious files, are keeping one step ahead of being detected, and good anti-virus programs need to address this issue sooner rather than later.

  10. Grateful for any advice on this. I received a 16-character .docm attachment in a mail (allegedly from myself) on my iPhone. I unfortunately clicked the attachment, which opened a blank screen. Did my iPhone get infected by this? If so, what can I do to get disinfected?
