I checked my email last week and discovered a message from a person saying they received a subpoena sent on my behalf, by email. The message had a Word document attached that was the alleged subpoena. It's obviously infected because subpoenas aren't sent by email (besides, I'm not suing him). I read it on my iPhone and thought about opening it to find out what it was infected with – it won’t infect the phone but I wouldn’t learn much either, so I forwarded it to a friend to check out.
Derek took a quick look and reported that the “malicious word doc has 2 copies of a RTF file embedded inside it (MALWR) that when extracted deliver an embedded fareit password stealing malware. These malicious word docs normally also drop a Upatre downloader that in turn download a dyreza banking malware but although the macro inside the word doc seems to indicate that it should do, I haven’t yet managed to extract it yet”.
As far as I’m concerned, what it is infected with is not as important as what you do when you receive a suspicious document. If you receive a suspicious or questionable message with an attachment, don’t open it, don’t reply to it. Just delete it.
While the reading pane is safe to use for email and most attachments will open in a read-only state, looking at a suspicious file not worth the risk - leave that to the pros. If a message looks a little sketchy, don’t even preview it. Hit Delete and move on.
So what if you have an “oops” moment and accidently open a questionable document? If you are using a modern version of Office and are using the default Office settings you might be protected. Office 2010, 2013, and 2016 have macros disabled and protected view on by default. If you or your company enabled macros, you will be protected by Protected View. Protected view prevents macros from running in documents received from Internet sources, including email. Yes, it can be annoying if you receive a lot of attachments by email, but it helps to keep you safe.
If Protected View mode is turned off and macros are enabled, then opening a malicious word document can infect you. When you preview or open an attachment, Outlook will write it to the SecureTemp folder, where it will be scanned by your virus scanner. If the exploit is older, your scanner may catch it, but it’s not worth the risk. New exploits not yet in the virus definitions will be missed!
Definitely DO NOT enable macros or enable editing to see the content, even if a message in the document says you need to enable macros and editing to read the document. DO NOT DO IT!
If you are using an older version of Office, you should seriously consider upgrading. If that is not in the cards right now, make sure all updates are installed and keep your antivirus updated. And be extra alert for infected attachments.
Should you reply to the sender and let him know he is sending infected messages? If you don't know the person, no. If the sender is a real person, he is an innocent victim. It’s less likely his email system is compromised and more likely that his details were spoofed on the message. If it's a person you know, you can let them know. If you are in their address book, it's more likely their account was compromised and they will need to change their password.
If you are interested in reading about it, Derek's write up on the document I received is here: I got this subpoena in my mail box today. In addition to describing the exploits, Derek tells you what you can do to protect yourself, should you receive an infected attachment.
More Information
"How to check your Macro and Protected View Settings"
"How Safe is the Reading Pane?"
