New wave of Emotet Trojans

A new wave of Emotet Trojans is currently in circulation. The emails continue existing conversations: the attacker replies to a thread you already know and poses as a supposedly familiar communication partner. Because of several incidents, increased caution is required.

What is different about this wave?

In contrast to the last known wave, the emails do not carry a DOC file as an attachment this time. Instead, they contain a link to a DOC document.

If you open this link (even accidentally), the DOC file is downloaded and an attempt is made to run the malicious code (macros) it contains. As a result, the malware is installed on the system and executed.

How to protect yourself

Be suspicious even of supposedly known senders. If the displayed sender name does not match the sender's address, this is a clear indication of a forged (spam) email. Always be careful with email attachments (especially Office documents). If in doubt, contact the sender by phone.
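The check described above, a displayed name that does not fit the real sender address, can also be applied mechanically to a From: header. The following PowerShell function is an added example and not part of the original advisory; the contact list, the sample headers and the lookalike domains are constructed for illustration, and the function assumes headers are passed as plain "Display Name <user@domain>" strings that have already been RFC 2047 decoded.

```powershell
# Added example, not part of the original advisory: flag From: headers whose
# display name impersonates a different mailbox than the actual sender address.
# Assumption: headers are supplied as plain "Display Name <user@domain>" strings
# (already RFC 2047 decoded). The contact list and sample headers are constructed.

# Constructed list of known communication partners and the domain they really use
$KnownContacts = @{
    'Max Mustermann' = 'tu-freiberg.de'
    'Erika Beispiel' = 'partner.example'
}

function Test-SenderMismatch {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$FromHeader)

    $result = [pscustomobject]@{ Header = $FromHeader; Suspicious = $false; Reason = '' }

    # Greedy '.*' so a '<' inside the display name does not end the name early
    if ($FromHeader -notmatch '^(?<name>.*)<(?<addr>[^>]+)>\s*$') {
        $result.Reason = 'bare address, no display name to compare'
        return $result
    }
    $name   = $Matches['name'].Trim().Trim('"')
    $addr   = $Matches['addr'].Trim()
    $domain = ($addr -split '@')[-1].ToLowerInvariant()

    # Heuristic 1: the display name itself contains an address with another domain
    if ($name -match '[\w.+-]+@(?<nameDomain>[\w.-]+)') {
        $nameDomain = $Matches['nameDomain'].ToLowerInvariant()
        if ($nameDomain -ne $domain) {
            $result.Suspicious = $true
            $result.Reason = "display name claims $nameDomain, real sender domain is $domain"
            return $result
        }
    }

    # Heuristic 2: a known contact's name is used with an unexpected sender domain
    if ($KnownContacts.ContainsKey($name) -and $KnownContacts[$name] -ne $domain) {
        $result.Suspicious = $true
        $result.Reason = "'$name' normally writes from $($KnownContacts[$name]), not $domain"
    }
    return $result
}

# Constructed sample headers: one genuine, two spoofed, one bare address
$Samples = @(
    'Max Mustermann <max.mustermann@tu-freiberg.de>',
    '"Max Mustermann <max.mustermann@tu-freiberg.de>" <info@mail-xyz.example>',
    'Erika Beispiel <erika.beispiel@gmail-lookalike.example>',
    'newsletter@shop.example'
)
$Samples | ForEach-Object { Test-SenderMismatch -FromHeader $_ } | Format-Table -AutoSize
```

The second sample is the pattern the advisory warns about: the display name is a complete, genuine-looking address of a colleague, while the real sender sits in the angle brackets. Only the first sample passes; the bare newsletter address is reported as not comparable rather than as clean, because the heuristic has nothing to check there.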

Screenshots of Emotet emails

[Screenshot: Emotet email] [Screenshot: Emotet email]

Note: In the case of internal communication between two Exchange users at the TU, the email address is not shown as in the screenshot above, only the sender name. In this case you can assume that the communication partner is genuine.

[Screenshot: Emotet Trojan, opening the linked DOC file]

Better safe than sorry

If you are not sure whether the email is credible, you should verify its origin (better safe than sorry!):

  • Ask the sender of the email (preferably by phone).
  • Ask a colleague.
  • Ask our IT service desk.
    • Email: servicedeskattu-freiberg [dot] de
    • Telephone: 1818

Disable macros

To prevent malicious macros from running automatically on your system, you can disable macros (depending on your Office configuration). For instructions on how to enable or disable macros in Office files, see the Microsoft Office support pages.
Be especially careful if, for whatever reason, no security warning is shown when you open a document.
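For readers who administer their own Windows machine, the macro setting can be enforced from PowerShell instead of through the Trust Center dialog. The following script is an added example and not part of the original advisory or of Microsoft's documentation; it assumes Office 2016/2019/Microsoft 365 (registry version "16.0") and writes the policy value for the current user only.

```powershell
# Added example, not part of the original advisory: enforce a macro policy for the
# current user so Office never runs VBA macros automatically.
# Assumption: Office 2016/2019/Microsoft 365 (registry version "16.0"); older versions
# use "15.0" (2013) or "14.0" (2010). Writes to HKCU, so no admin rights are needed.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings values:
#   1 = enable all macros                       (weak: exactly what the Emotet document needs)
#   2 = disable with notification               (Office default; one click enables the macro)
#   3 = disable except digitally signed macros
#   4 = disable all macros without notification (chosen here)
$MacroSetting = 4

foreach ($app in $Apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $MacroSetting -Type DWord
    # Additionally block macros in files carrying the Mark-of-the-Web (downloaded
    # from the internet, e.g. via the link in the Emotet email), Office 2016 and later
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

# Check the result
foreach ($app in $Apps) {
    Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security" |
        Select-Object @{ n = 'App'; e = { $app } }, VBAWarnings, blockcontentexecutionfrominternet
}
```

Because the values are written under the Policies key, the corresponding options in the Trust Center are shown as managed and cannot be relaxed by a single click on "Enable content". Value 3 is the sensible alternative if signed in-house macros must keep working; value 1 is the weak setting that lets a document like the one in this wave run its code without any prompt.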

What you can do, if you are concerned

On a system infected with Emotet, you must assume that all stored or entered access credentials are compromised: those for email accounts (in this case your central login) as well as for other online services (FTP access, online shops, etc.).

  • Remove the infected device from the data network immediately.
  • Inform your responsible (local) administrator as soon as possible.
  • Change all access credentials that were stored on or entered at the affected device.
  • Let your contacts know that they should be careful with emails from your address, as these may not come from you.

Disinfection of a computer after a virus attack

The system itself may already have been compromised so that the existing protection programs no longer work. If you have access to a rescue system such as Desinfec't, you can run it on your system.

Set up the system again

If in doubt, there is no way around a complete reinstallation of the system, because irreparable damage may have occurred.

Additional information