Looks like one Avira email but... this is bait!


It’s well known that ransomware often spreads via email. Most of these are phishing emails.


Lately, some of those emails claim in their subject line to be an invoice from Avira. But that’s not all: they also come with a malicious attachment.

The message states: “Avira – virus protection invoice with the number 329080. Attached you can find your digitally signed invoice.”

Are those real Avira mails?

No. Avira will never send an email like this one. But the risk goes far beyond just Avira. You should always be extremely cautious when opening email attachments, as spam emails are increasingly personalized. They can contain surprisingly detailed information like your name and surname. In this case, the ransomware that is being spread through this phishing email is the well-known Cryptolocker. Avira already detects and protects you against this kind of threat. Strictly for informational purposes, we are going to show you how the malware infects your machine.

This is what happens when you download & open the attachment

Once the attached “zip” file is opened and its content executed, a file is downloaded through the browser.

How it looks in the Internet Explorer browser. The message states: Please print this invoice.
How it looks in the Google Chrome browser.

Downloaded file

As you can see in the pictures, some browsers will notice that something is wrong with the downloaded file. If we ignore the warnings and execute it, another “exe” file will be downloaded. This one will finally infect our machine and encrypt our files. The ransomware will show you the necessary steps you must follow in order to (maybe) recover the encrypted files.

The message states: Warning – We have encrypted your files with the CryptßL0cker virus.
This is the tutorial on how to get your files decrypted.

What can you do?

Now – what can you do in order to not fall into this trap? We have the following recommendations:

  • Never open attachments in emails where you don’t know the sender or the message doesn’t match what the sender would normally write!
  • Don’t download files from suspicious or non-trusted sources!
  • Create regular backups of your PC.
  • Updates for the operating system and applications are vitamins for your computer.
  • Make sure you are using the latest version of Avira and make sure that the latest virus definition files are installed.
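
The first recommendation can be backed by an automated check at the mail gateway or in a triage script. The following Python sketch is an added example, not Avira's code: it opens ZIP attachments in a message and reports archive members whose final extension is directly executable, which also catches double extensions such as `.pdf.exe`. The extension list, the function names and the sample message are assumptions constructed for illustration; the article does not say which file type the archive contained.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed (not from the article): extensions Windows will run or interpret directly.
RISKY_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".ps1"}

def risky_members(zip_bytes):
    """Return names of archive members whose final extension is executable."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Windows ignores trailing dots and spaces, so strip them first.
            name = info.filename.lower().rstrip(". ")
            dot = name.rfind(".")
            if dot != -1 and name[dot:] in RISKY_EXT:
                hits.append(info.filename)
    return hits

def scan_message(raw):
    """Map each ZIP attachment to its risky members (None = unreadable archive)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Trust the content (ZIP magic bytes), not the declared name or MIME type.
        if not data.startswith(b"PK\x03\x04"):
            continue
        name = part.get_filename() or "(unnamed)"
        try:
            hits = risky_members(data)
        except zipfile.BadZipFile:
            hits = None  # corrupt or deliberately malformed: treat as suspicious
        if hits is None or hits:
            findings[name] = hits
    return findings

def build_sample(member_name):
    """Constructed test message: an 'invoice' mail with one ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"constructed placeholder, not malware")
    msg = EmailMessage()
    msg["Subject"] = "Invoice (constructed sample)"
    msg.set_content("Attached you can find your invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.zip")
    return msg.as_bytes()
```

A message for which `scan_message` returns a non-empty result is a candidate for quarantine rather than delivery.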

If it’s too late and your files are already encrypted, do not pay the ransom. It is very unlikely that you’ll ever get your files back – even after paying up.

 

For additional precautions against ransomware take a look at our video and don’t forget: Avira Antivirus Pro already protects you against this ransomware.
