Select Page

Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Cyren First to Detect Significant Malware Attack

Over the course of this morning (Tuesday 11/4), CYREN has detected a significant malware attack; 80% of all the malware that passed through CYREN’s Virus Outbreak Detection engines contained this Trojan virus, distributed via email with an attached MSWord document. The .doc file contains obfuscated Visual Basic macro code, making it difficult to detect. The macro uses the XMLHttpRequest object to access and download a file. The file is then downloaded to the user’s “Temp” folder using the filename “DCITXEKBIRG.exe”:

“C:Documents and Settings<Username>Local SettingsTempDCITXEKBIRG.exe”

This malware is currently only detected by CYREN, and not yet by any other engine.

The emails containing the malicious content look like this:


The name in the signature changes between samples.

Sample filenames include:

  • de_yq452333q.doc
  • de_su4220170u.doc
  • de_yv7484683x.doc
  • de_fd9934707s.doc

Sample subjects include:

  • Remittance Advice November SU4220170U
  • Remittance Advice November FD9934707S

The malware is a Trojan downloader, capable of retrieving and installing a range of other malware once it has been activated by users who open the .doc file. While MSWord usually warns users who try to open files with macros, most users will likely accept the warning and proceed to allow the macros to run.

You might also like

Phishing with QR codes

Don’t Scan or be Scammed By Maharlito Aquino, Kervin Alintanahin and Dexter To In 1994, a type of the matrix barcode known as the Quick Response code, now widely known as QR code, was invented by Masahiro Hara from a Japanese company Denso Wave. The purpose of the...