What is an email virus

Emotet: Trojan replies to received emails and steals attachments

It is particularly tricky when the sender of the e-mail is apparently someone you recently wrote to. Emotet collects existing e-mail addresses and sends itself as an attachment or link in new messages; it can do this from various e-mail programs. In the Outlook e-mail program, Emotet can do even more: it reads out the content of existing e-mails and reuses it in the new e-mails it sends. This method is called "Outlook Harvesting". The e-mails sent by Emotet can therefore look like a reply to an e-mail that you recently sent to the person concerned.

Doing without an e-mail program entirely and using the web interface of an e-mail provider instead does not automatically offer better protection, because viruses, Trojans and other malicious programs can also infect a computer this way.

Example of an email from Emotet

The BSI's computer emergency team (CERT-Bund) shows an example of what an Emotet e-mail can look like to the recipient. Bertram Müller and Antje Meier e-mailed back and forth about a vehicle parking space (red box below). Emotet takes this exchange as its basis and places its own text on top of it, so that the result looks like a new reply from Antje Meier to Bertram Müller.

The computer virus inserts a link into its text. But that link does not have to lead to the address shown in the readable link text (in the example, musterfirma.de ...). If you hover the mouse pointer over the link (without clicking it!), the e-mail program shows you that the click would actually lead to a completely different address (in the example, super-plus.pl ...).

As a recipient of such an email, you should therefore pay attention to two things:

  • Is the language correct? In this case the German is almost flawless. But the recipient, Bertram Müller, is likely to wonder why Antje Meier has suddenly switched to a different form of address (the formal or the informal "you").
  • Is the link shown correct? If you hover the mouse pointer over the link without clicking it, your e-mail program shows you which Internet address is actually behind it. If something other than the readable address appears, something is probably wrong!
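The second check above, comparing the readable link text with the address the link actually points to, can also be done automatically on the HTML of a suspicious message. The following Python script is an added example and is not part of the original article or of any BSI tool; it uses only the standard library. The domains musterfirma.de and super-plus.pl come from the article's example, while the HTML body, the greeting and the URL paths are constructed here for illustration. The "registrable domain" check is a deliberately crude approximation (last two labels), so www.musterfirma.de and musterfirma.de count as the same site.

```python
"""Flag HTML links whose visible text names a different host than their href.

Added example (not from the original article): a defender-side check that
mirrors the manual "hover over the link" test described in the text.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body. The hostnames follow the article's example;
# the paths and the text are invented for this illustration.
SAMPLE_HTML = """
<p>Hallo Herr Müller,</p>
<p>die Unterlagen zum Stellplatz finden Sie hier:
<a href="http://super-plus.pl/beispiel/pfad">http://musterfirma.de/beispiel/pfad</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Matches a URL or bare domain inside the visible link text.
_DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def _host_of(value):
    """Return the lowercase host of a URL or bare domain, or None."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    host = (parsed.hostname or "").lower()
    return host or None


def _base_domain(host):
    """Crude registrable-domain approximation: keep the last two labels.

    Good enough for .de / .pl style domains; a real tool would use the
    Public Suffix List.
    """
    return ".".join(host.split(".")[-2:])


def find_mismatched_links(html):
    """Return links whose visible text names a domain other than the href host.

    Links whose text is plain words ("click here") are skipped, because there is
    no displayed address to compare against.
    """
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not href:
            continue
        match = _DOMAIN_RE.search(text)
        if not match:
            continue
        text_host = match.group(1).lower()
        href_host = _host_of(href)
        if href_host and _base_domain(href_host) != _base_domain(text_host):
            findings.append(
                {"text_host": text_host, "href_host": href_host, "href": href}
            )
    return findings


if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_HTML):
        print(f"link text shows {finding['text_host']} "
              f"but points to {finding['href_host']} ({finding['href']})")
```

On the sample body the script reports one mismatch: the text shows musterfirma.de while the link leads to super-plus.pl, which is exactly what hovering over the link would reveal. A link whose text does not contain an address at all is not reported, because the mismatch test only makes sense when a readable address is displayed.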

Because the e-mails sent by Emotet cannot be found in the outbox or sent folder, affected computer users do not initially notice anything about the malware. The other Trojans and malware that Emotet downloads onto infected computers also often go unnoticed. They can then, for example, read out access data, encrypt files or give attackers full access to the infected computer. Because the programmers are constantly changing their malware, it can remain undetected by virus protection programs for the time being and make profound changes to infected systems. "Attempts to clean up are usually unsuccessful and run the risk of parts of the malware remaining on the system," warns the CERT-Bund. The only remaining option is to delete all data on the PC and set up the system again. Then it is good to have a clean backup.

This is how you can protect yourself

  • Check e-mails critically even when they come from senders you know. Is the language correct? Is the content plausible? Before opening links or attachments: if in doubt, ask the supposed sender in a new e-mail (not as a reply to the one you received!) whether they actually sent you something.
  • Always keep your operating system, virus protection program and your other programs up to date. You should install new updates as soon as possible.
  • Back up your system regularly. If you have a backup, it is much easier to restore your PC to the way you know it.
  • Don't surf as an admin. Create a Windows user account without admin rights and use the Internet and e-mail only with this account. That way, no software can be installed without the operating system prompting you for confirmation.
  • Turn off macros in Office programs. Malicious software is often smuggled onto computers in this way. Unless you have to work with macros in your office software, switch them off completely.

What to do if you are affected?

The BSI recommends the following:

  • Inform those around you about the infection, because your e-mail contacts are particularly at risk in this case.
  • Change all access data saved and entered on the affected systems (for example in the web browser).
  • The malware sometimes makes profound (security-relevant) changes to the infected system. If your computer is infected with malware such as Emotet, you should set up this computer again or have it set up again.