This claims to be a fax; I'm supposed to read it using MS Word.
SHA256: 92f733da9ba440f0632b495a32742d47a5cb296f49127f210e14de412e371bf8
It's malware, of course. 28 people on VirusTotal have flagged it as malware, and 9/54 products flag it. Here are the ones that don't detect any problem:
ALYac
AVG
Ad-Aware
AegisLab
Agnitum
AhnLab-V3
Alibaba
Antiy-AVL
Avast
Baidu-International
BitDefender
Bkav
ByteHero
CAT-QuickHeal
CMC
ClamAV
Comodo
Cyren
DrWeb
Emsisoft
F-Prot
Fortinet
GData
Ikarus
Jiangmin
K7AntiVirus
K7GW
Kaspersky
Malwarebytes
McAfee
McAfee-GW-Edition
MicroWorld-eScan
Microsoft
NANO-Antivirus
Qihoo-360
Rising
SUPERAntiSpyware
Symantec
Tencent
TheHacker
VBA32
ViRobot
Zillya
Zoner
nProtect
According to VirusTotal, it was first uploaded 7 hours ago. This is the same file I uploaded a few hours ago ("Another incoming DOC file"); you can tell because it has the same SHA256. So, in the last few hours, four more products have started to flag it.
25 years ago, viruses spread very slowly; quarterly updates were good enough - monthly if you were paranoid. I'd tell people "If you see a virus today, I probably saw it six months ago". Actually the lag was more than a year.
Today, it's a completely different situation. This file, according to its internal metadata (the document's last-modified timestamp), was last updated on 2015:10:28 08:19:00 - that's today! For the signature-scanning-with-updates approach to work today, products would need to be updated more often than hourly.
I suspect that's not possible. The virus lab would have to acquire the specimen, analyse it sufficiently, choose a scan string that wouldn't give false alarms, test all this and push it out to all their customers. To do all this within an hour? And they're in a race. The malware distributor sent out a million emails, all of which have already arrived in your customers' mailboxes, and only now do you get to see a specimen. You're racing against your customers opening the file, reading the message, and deciding to open the DOC file because it's really, really important.
Better would be to disable the automatic running of macros. But of course, if you do that, you don't need an antivirus product to flag this as malware.
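Here is what "disable macros" looks like as a setting you can audit and enforce, as an added example rather than anything from the original post. It is my own PowerShell, not something the post's author ran; it assumes Office 2013 (15.0) and/or Office 2016 (16.0) are installed for the current user, and that the per-user Trust Center value VBAWarnings and the Office 2016 policy value BlockContentExecutionFromInternet are the controls you want. Value 1 is the weak setting that lets a "fax" like this run its macro; 4 is the one that ends the race with the AV vendor.

```powershell
# Added example (not from the original post): audit and harden Office's macro
# policy for the current user. Assumption: Office 2013 (15.0) and/or 2016 (16.0)
# are installed; other versions use the same registry layout under their own
# version number. For machine-wide enforcement, set the same values under
# HKLM\Software\Policies via Group Policy instead of HKCU.

$Versions = @('15.0', '16.0')              # assumption: Office 2013 / 2016
$Apps     = @('Word', 'Excel', 'PowerPoint')

# Meaning of VBAWarnings (Trust Center > Macro Settings):
#   1 = enable all macros            (weak: the DOC "fax" runs as soon as it opens)
#   2 = disable with notification    (Office default: an "Enable Content" button)
#   3 = disable except signed macros
#   4 = disable without notification (no button to click, nothing to race)
$Meaning = @{ 1 = 'Enable all (weak)'; 2 = 'Disable with notification (default)';
              3 = 'Signed macros only'; 4 = 'Disable without notification' }

function Get-MacroPolicy {
    foreach ($v in $Versions) {
        foreach ($app in $Apps) {
            $key = "HKCU:\Software\Microsoft\Office\$v\$app\Security"
            if (-not (Test-Path $key)) { continue }   # that Office version/app is not installed
            $val = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
            if ($null -eq $val) { $val = 2 }          # an absent value means Office's default
            [pscustomobject]@{
                Version     = $v
                App         = $app
                VBAWarnings = [int]$val
                Meaning     = $Meaning[[int]$val]
            }
        }
    }
}

function Set-MacroPolicy {
    # Only the three non-weak levels are accepted; 1 is never a valid target.
    param([ValidateSet(2, 3, 4)][int]$Level = 4)
    foreach ($v in $Versions) {
        foreach ($app in $Apps) {
            $key = "HKCU:\Software\Microsoft\Office\$v\$app\Security"
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name VBAWarnings -Value $Level -Type DWord

            # Office 2016 and later only: block macros in files that carry a
            # Mark-of-the-Web (arrived by mail or download). The bar Word shows
            # then has no "Enable Content" button for the user to be tricked into.
            if ($v -eq '16.0') {
                $pol = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
                if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
                Set-ItemProperty -Path $pol -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
            }
        }
    }
}

Write-Host 'Macro policy before:'
Get-MacroPolicy | Format-Table -AutoSize
Set-MacroPolicy -Level 4
Write-Host 'Macro policy after:'
Get-MacroPolicy | Format-Table -AutoSize
```

Run Get-MacroPolicy on its own first: any row showing 1 is a user who would have run this file's macro with no prompt at all, whatever their antivirus thought of it. Level 4 removes the prompt entirely; if your users genuinely need signed in-house macros, level 3 keeps those working while still refusing an unsigned "fax".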
... later ...
14 hours after it was first uploaded to VirusTotal, 22 out of 55 products flag it as malware. The products still failing to flag it are:
ALYac
AVG
AegisLab
Agnitum
AhnLab-V3
Alibaba
Antiy-AVL
Avast
Avira
Baidu-International
Bkav
ByteHero
CAT-QuickHeal
CMC
ClamAV
Comodo
Jiangmin
K7AntiVirus
K7GW
Malwarebytes
McAfee-GW-Edition
NANO-Antivirus
Qihoo-360
Rising
SUPERAntiSpyware
Symantec
Tencent
TheHacker
VBA32
ViRobot
Zillya
Zoner
nProtect