Sneaky fake company virus warnings trick users into installing malware

Graham Cluley
Graham Cluley
@[email protected]

Malicious emailPicture the scene.

You receive an email from someone inside your company. He tells you that there is a virus problem inside the company and it has resulted in data being stolen and some files being deleted.

You are told to install an anti-virus tool to clean-up the infection properly. The link appears to point to a download on your company’s own website.

Would you do it?

Sign up to our free newsletter.
Security news, advice, and tips.

Well, hopefully not. But people less savvy in security matters might be fooled.

Here is the email that has been spammed out to a number of large companies (click for a larger version):

Malicious email. Click for larger version

Subject: IT Notice

Message body:
Dear all,

Just a quick alert to let everyone know that our company have experienced a new kind of virus to web space and personal computer. found that the computer system information leaked, such as in other server information is moving, a few files deleted. Expert written virus removal tools to help us fully remove this virus, Please download and install the patch, obtain virus definitions, and run the removal tool.Download the tool from: [LINK]. Please Back Up Your System Databases, If any questions, please do not hesistate to contact IT department.

Although the link appears to the naked eye to point to a file called antivirus.exe on your company’s own server (for instance, if your company’s website was called it would appear to link to it really directs your browser to a download on a third-party website.

In this way it tricks you into believing you are download an approved anti-virus update from your company’s IT department, but you are really fooled into installing a Trojan horse.

Sophos anti-virus products detect the malware as Mal/Generic-L and Troj/Inject-QL.

The bogus email says (in rather poorly written English)

"If any questions, please do not hesistate to contact IT department."

Well, that’s precisely what you should do. If ever in doubt, check with your IT department whether the advice you have received is genuine. They’ll much prefer you double-checking than you putting the network at risk from malware infection.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.