A possible virus

    Question

  • I received an email from a person that had the exact same name as one of my contacts. They have sent me a .docx file. I made the mistake of downloading it on my phone and then the file kept on downloading over and over again, even though I see just one file downloaded. I thought maybe it was sending some of my info over to someone, so I disconnected the internet, which stopped the downloading. I deleted the file and then re-enabled the internet and things seem to be OK now.

    I downloaded the file in a VM and edited the file to find 3 VBScripts embedded. I don't know VB so I can't make sense of it. I am worried as to what this did to my phone or if it actually sent information to some place. Would someone help me make sense of this code?

    Really appreciate it.


    Thursday, March 9, 2017 5:21 PM

Answers

  • The code (now removed) is heavily obfuscated to conceal what it is doing. It is not worth trying to figure out, except to say there are many functions, subroutines, and for loops. Many steps to just take up time. But it also opens something, writes to a file, sets an environment variable, and runs something. Clearly no good.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, March 9, 2017 7:18 PM
    Moderator
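
The kind of static triage the answer above describes, as an added example that is not part of the original thread: a Python pass over macro source text that flags the behaviours listed in the answer (file write, environment variable, running something) and counts the padding structure. The pattern table, function names and sample macro are assumptions constructed for illustration; the poster's actual code was removed from the thread.

```python
import re

# Behaviours named in the answer, mapped to VBA/VBScript constructs (assumed list).
PATTERNS = {
    "auto-run entry point": r"\b(?:Auto_?Open|Document_Open|Workbook_Open)\b",
    "writes to a file": r"\bOpen\b.+\bFor\s+(?:Output|Binary|Append)\b"
                        r"|\.(?:CreateTextFile|SaveToFile)\b",
    "environment variable": r"\bEnviron\$?\s*\(|\.Environment\s*\(",
    "runs something": r"\bShell\b|\.(?:Run|Exec|ShellExecute)\b",
    "creates COM object": r"\b(?:CreateObject|GetObject)\b",
}
# Padding indicators: "many functions, subroutines, and for loops".
STRUCTURE = {
    "procedures": r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+\w+",
    "for loops": r"^\s*For\s+",
}

def strip_comment(line):
    """Drop a trailing ' comment, ignoring apostrophes inside string literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line

def triage(source):
    """Return (behaviour -> line numbers, structure counts) for macro source."""
    hits = {name: [] for name in PATTERNS}
    counts = dict.fromkeys(STRUCTURE, 0)
    for no, raw in enumerate(source.splitlines(), 1):
        code = strip_comment(raw)
        for name, pat in PATTERNS.items():
            if re.search(pat, code, re.I):
                hits[name].append(no)
        for name, pat in STRUCTURE.items():
            counts[name] += bool(re.search(pat, code, re.I))
    return hits, counts

# Constructed, harmless sample; not the macro from the thread.
SAMPLE = r'''Sub AutoOpen()
    For i = 1 To 1000 ' padding loop that only burns time
    Next i
    p = Environ("TEMP") & "\note.txt"
    Open p For Output As #1
    Print #1, "constructed sample"
    Close #1
    Shell "notepad.exe " & p ' a Shell mention in a comment is ignored
End Sub'''
```

A clean result from keyword triage does not clear a file, since an obfuscated macro can assemble object and command names at run time.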
  • They'll help you over here.

    https://answers.microsoft.com/en-us/protect

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Thursday, March 9, 2017 6:31 PM
    Moderator
