Dear students,
Unfortunately, our newsletter has received an e-mail containing a ZIP archive with a computer virus. The virus does not originate from the student council. We ask you to delete the file and the e-mail immediately.
If you have downloaded the file by mistake, there are different possibilities:
- You downloaded it with Android or iOS but did not open it with Microsoft Office: Your smartphone is not infected, but please delete the file.
- You downloaded the file but did not unzip it: nothing happens. Please delete the file.
- You downloaded the file, opened it, but did not enter the password: Nothing happens. Please delete the file.
- You have downloaded, opened and unzipped the file, but you have not opened the Word file with Microsoft Office: Your computer is probably not infected. Please delete the files immediately.
- You have opened the Word file with Word: Please scan your computer for viruses. It could be that a virus (Ursnif) has installed itself.
We recommend using a virus scanning tool, e.g. https://www.kaspersky.de/downloads/thank-you/free-virus-removal-tool.
More detailed information about this topic will be published here.
Update 1: More detailed findings on the virus. It's Ursnif.
- If you have enabled macros for the file in Microsoft Word (you will be prompted to do so), then a virus that downloads a spying banking Trojan called URSNIF will install itself automatically. The program linked above should be able to identify and delete the Trojan.
- This means that if you have downloaded the file, have a recent version of Word, but have not enabled editing and have not enabled macros, your computer should not be infected. Be warned, though: you will not necessarily notice this virus, so a full scan is recommended.
- Some additional information for those interested in IT:
  - An analysis of the URSNIF file (which the virus retrieves from a Russian server) can be found here: https://www.joesandbox.com/analysis/399641/0/html
  - An analysis of the Word file can be found here: https://www.joesandbox.com/analysis/700884
  - A VirusTotal analysis of the Trojan: https://www.virustotal.com/gui/file/127d2018e008677e5a0af20d8981806e07e3b57285787800554708803aaca6bd/summary
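For readers interested in IT, here is a sketch of how a mail filter could flag attachments of the kind described above: a password-protected ZIP holding a Word file, or an unprotected ZIP holding a Word file with macros. This is an added example, not code from the student council or the RRZE; the file name `invoice.docm`, the extension list and all function names are assumptions made for illustration.

```python
import io
import zipfile

WORD_EXTS = (".doc", ".docm", ".docx", ".dot", ".dotm", ".rtf")  # assumed list
ENCRYPTED = 0x1  # ZIP general-purpose flag bit 0: entry needs a password


def has_vba(doc: bytes) -> bool:
    """True if an OOXML Word file (itself a ZIP) carries a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc)) as inner:
            return any(n.lower().endswith("vbaproject.bin") for n in inner.namelist())
    except zipfile.BadZipFile:
        return False  # legacy binary .doc or .rtf: not inspected by this sketch


def triage_zip(data: bytes) -> dict:
    """Classify the entries of a ZIP attachment without opening any document."""
    report = {"encrypted_word": [], "macro_word": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.lower().endswith(WORD_EXTS):
                report["other"].append(name)
            elif info.flag_bits & ENCRYPTED:
                # Names stay readable in an ordinary password-protected ZIP, so
                # the Word file is visible even though its content cannot be scanned.
                report["encrypted_word"].append(name)
            elif has_vba(zf.read(info)):
                report["macro_word"].append(name)
            else:
                report["other"].append(name)
    return report


def build_sample(encrypted: bool) -> bytes:
    """Constructed input: a ZIP holding a harmless fake .docm with a VBA part."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("word/vbaProject.bin", b"constructed placeholder, no macro code")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.docm", inner.getvalue())
    raw = bytearray(outer.getvalue())
    if encrypted:
        # Set the flag in the outer central-directory header (the last one).
        raw[raw.rfind(b"PK\x01\x02") + 8] |= ENCRYPTED
    return bytes(raw)


if __name__ == "__main__":
    print(triage_zip(build_sample(True)))
    print(triage_zip(build_sample(False)))
```

An entry listed under `encrypted_word` cannot be checked by an antivirus scanner without the password, which is why such attachments are usually quarantined outright.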
Update 2:
- If you have Windows, have unpacked the virus, opened the Word file in Microsoft Word and enabled macros (in the settings or at the virus's request), then we strongly advise running an antivirus boot CD (or USB stick). A test of such boot CDs can be found here: https://www.security-insider.de/antivirus-boot-cds-im-test-system-und-dateien-im-notfall-retten-a-301166/ An English description can be found here: https://www.techradar.com/best/best-antivirus-rescue-disk
- The RRZE has updated its article on the topic. The findings confirm our analysis from the first update. (Thanks a lot!)
Further links on the topic:
https://www.rrze.fau.de/2021/04/warnung-vor-e-mail-mit-anhang-von-dem-newsletter-der-studierendenvertretung/