virus in doc file

pcpete

We have a client who clicked on a virus in a doc file. When it tried to run it gave her some error about not running. I had the client shut off the computer after they spoke with me. It was probably running for about one hour.

I looked at the virus file on another insulated computer and it said it had a bin file inside of it. For that bin file to be run, and have the virus install on the computer, does it need to be run from an old outdated version of Word? What happens if you run something like that with LibreOffice? I am trying to understand how these files can run. If the client has a fully updated Word and Windows, did they most likely get lucky? Any insight would be appreciated.
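The question above ("it said it had a bin file inside of it") is the kind of thing a technician can check without opening the document in Word at all. The following is an added example, not code from anyone in this thread: a small Python triage script that identifies a file by its signature rather than its extension, and, for an OOXML (.docx) container, lists whether a VBA macro part or any embedded object part is present and whether an embedded object begins with the "MZ" executable signature. All function names (`classify_container`, `triage_docx`, `risk_summary`, `build_sample_docx`) and the sample document are my own constructed assumptions. Legacy OLE2 .doc files only get a container verdict here; looking inside them needs a Compound File parser such as olefile or oledump.

```python
import io
import zipfile

# Well-known file signatures (the first bytes of the file).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls (Compound File Binary)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.xlsx (zip container)
PE_MAGIC = b"MZ"                                   # Windows executable


def classify_container(data: bytes) -> str:
    """Classify by signature, not by extension: a renamed .exe still starts with MZ."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def triage_docx(data: bytes) -> dict:
    """Inspect an OOXML document for a macro part and embedded objects.

    Returns a dict with:
      container    - signature-based type of the outer file
      macros       - True if a vbaProject.bin part is present
      embedded     - names of parts under */embeddings/ (OLE objects, packaged files)
      embedded_pe  - embedded parts whose own bytes begin with "MZ"
      embedded_ole - embedded parts that are OLE2 wrappers (payload is inside the
                     wrapper, so an OLE parser such as olefile/oledump is needed)
    """
    result = {
        "container": classify_container(data),
        "macros": False,
        "embedded": [],
        "embedded_pe": [],
        "embedded_ole": [],
    }
    if result["container"] != "zip":
        return result  # legacy .doc or something else entirely; stop here
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                result["macros"] = True
            if "/embeddings/" in lower:
                result["embedded"].append(name)
                head = zf.read(name)[:8]  # only the signature is needed
                if head.startswith(PE_MAGIC):
                    result["embedded_pe"].append(name)
                elif head.startswith(OLE2_MAGIC):
                    result["embedded_ole"].append(name)
    return result


def risk_summary(result: dict) -> str:
    """One-line verdict for a helpdesk ticket; heuristic, not a malware scanner."""
    if result["embedded_pe"]:
        return "HIGH: embedded executable object"
    if result["macros"] or result["embedded_ole"]:
        return "MEDIUM: macros or OLE objects present (needs a closer look)"
    return "LOW: no macros or embedded objects found"


def build_sample_docx() -> bytes:
    """Constructed test input (not a real malware sample): a minimal docx-like zip
    with a macro part and a fake embedded object that starts with the PE signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)                    # stands in for a VBA project
        zf.writestr("word/embeddings/oleObject1.bin", b"MZ" + b"\x00" * 64)  # fake "executable"
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_docx(build_sample_docx())
    print(report)
    print(risk_summary(report))
```

On a real document the embedded "bin" is usually an OLE2 wrapper rather than a bare executable, so a MEDIUM verdict with `embedded_ole` populated is the common case; that is the point at which to hand the file to an OLE-aware tool on an isolated machine, as several replies below suggest, rather than to double-click the object to see what it is.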
 
Based on the evidence offered, I'd say there was not likely any harm done, and will not likely be. If the system comes back clean from a virus scan, and particularly an offline virus scan such as Windows Security under Windows 10 can perform, I would not be losing sleep.

I don't even know, really, what is meant by "clicked on a virus in a doc file." This is not meant as a criticism, but that is a vague description of exactly what steps occurred to trigger whatever it was that, based on all evidence, did not succeed in running.

Sending viruses via Office documents is very, very old-school, and generally very ineffective. But, and this is an important but, @Porthos is right that clients must be educated about never opening attachments from other than trusted sources, and even when something comes from a trusted source, if you weren't expecting anything, be very cautious and suspicious. And heaven knows you never click through on a link that does not come from a trusted source (and even for ones that do, if they use click-through text, take a look at what the actual link is before even thinking about activating it - hovering is enough in Word, or select it and hit CTRL+K).

I believe most of the office suites, including Libre, currently have macros disabled by default. I've had to turn them on for specific things I knew had them, and that were safe. I know that I never turned off macros in the last several versions of MS-Office, going back to either 2013 or possibly 2010. Right now I have Office 2016. They were forbidden to run unless explicitly allowed as the default state.
 
I don't even know, really, what is meant by "clicked on a virus in a doc file." This is not meant as a criticism, but that is a vague description of exactly what steps occurred to trigger whatever it was that, based on all evidence, did not succeed in running.
She clicked on a .bin file virus encapsulated in a .doc file.

As to clicking on attachments, it was from her church's email and they specifically asked her for a bid (she is a caterer). It was a very well crafted scam.
 
It was a very well crafted scam.

Which, sadly, do exist. It takes a lot of sophistication to craft such, along with time and effort. If she's a one-woman show, or even a several-person show, it makes me wonder what the target was. Not much payout from individuals or even very small businesses to go to this level of subterfuge.

These days even getting a credit card number doesn't give the thief very long to do much damage.

We'll never know, or at least I hope we'll never know. If the machine is coming up clean on all virus and malware scans, I'd feel pretty safe.
 
Actually this vector has become more active from what I have been seeing recently. I have a couple of email addresses with absolutely no filtering at all and I started seeing excel with embedded VB, word with embedded files as well as loaded html several months ago.

I think windoze will only attempt to automatically execute a binary file if the suffix is .com, .exe, or any other valid suffix. You can change the execute flag as well so the command processors will try to parse the file. Files identified as binary by M$ are usually compiled for other platforms so will do nothing.
 
It's likely a ransomware virus. Once started it encrypts all data files, but it does this one at a time and larger files take time, so it can take a while to encrypt all data files. If the user shuts down it terminates the virus and in my experience that ends the virus for good. In this case the user might not have realised yet that some of their data files are encrypted.

Word has blocked macros by default for many years. The reason the embedded virus runs in the doc is because the document text convinces the user and instructs them to go to settings and allow macros! So as with most common viruses and scams these days, it's mostly good-old social engineering.
 
Sounds like the .bin had an .exe incorporated into a script to run when executed [opened].
It does not matter what you are running for it to be executed. Once one initiates the file by clicking on it, it has already embedded into the .reg and spreads out from there. Was this on a network or just one system? Hope just the one. As stated, as it was running for over an hour, it does sound like some encryption taking place. Most businesses get these from malicious spearphishing - whereupon the hacker infiltrates the system from within - as fincoder stated, via reverse social engineering, in getting users to think the email has come from a legitimate person they know.

I would isolate this system from any type of network, create an image of the drive. Work on this on an isolated machine - no network. Even better on a Linux distro on a throwaway USB. Check for any ransomware or virus, trojan etc or strange files on the system image.
 
I thought any executable from a .bin file would still be picked up by the antivirus before running.
 
There are a number of major roadblocks to the use of Office files as infection vectors these days, many of which have been listed here. While nothing's impossible, there's so much about their use that makes success improbable that no nefarious actor that's a real pro would consider going that route.

What astounds me is that someone who appears to have taken the time and effort to craft some very clever social engineering would use such for a vector that, these days, is virtually certain to fail.

And if we're talking Windows 10, and a standard account being used, it has as close to zero probability of succeeding as I can think of.
 
When has that ever stopped a user from clicking yes if it did?

Very very seldom, but not never. I've had a couple of clients and also friends and acquaintances *this* *close* to disaster, but as they've hit stumbling blocks when heading toward the precipice, actually realized, "Hey, wait a minute, I really shouldn't be doing this!"

That's one reason I tell folks never to turn UAC off, particularly if they use an account with admin permissions. That nag can sometimes save one's bacon.
 