Picture the scene.
You receive an email from someone inside your company. He tells you that there is a virus problem inside the company and it has resulted in data being stolen and some files being deleted.
You are told to install an anti-virus tool to clean-up the infection properly. The link appears to point to a download on your company’s own website.
Would you do it?
Well, hopefully not. But people less savvy in security matters might be fooled.
Here is the email that has been spammed out to a number of large companies (click for a larger version):
Subject: IT Notice
Just a quick alert to let everyone know that our company have experienced a new kind of virus to web space and personal computer. found that the computer system information leaked, such as in other server information is moving, a few files deleted. Expert written virus removal tools to help us fully remove this virus, Please download and install the patch, obtain virus definitions, and run the removal tool.Download the tool from: [LINK]. Please Back Up Your System Databases, If any questions, please do not hesistate to contact IT department.
Although the link appears to the naked eye to point to a file called antivirus.exe on your company’s own server (for instance, if your company’s website was called example.com it would appear to link to www.example.com/download/antivirus.exe) it really directs your browser to a download on a third-party website.
In this way it tricks you into believing you are download an approved anti-virus update from your company’s IT department, but you are really fooled into installing a Trojan horse.
Sophos anti-virus products detect the malware as Mal/Generic-L and Troj/Inject-QL.
The bogus email says (in rather poorly written English)
"If any questions, please do not hesistate to contact IT department."
Well, that’s precisely what you should do. If ever in doubt, check with your IT department whether the advice you have received is genuine. They’ll much prefer you double-checking than you putting the network at risk from malware infection.