Please read: Immediate measures against the "Emotet" virus
Dear users,
Since May 16, 2019, we have noticed an increased spread of viruses at TUK, primarily the 'Emotet' virus.
With this e-mail we would like to draw your attention to the immediate measures to take, to how to deal with the virus, and to further organizational measures.
The virus enters the TUK infrastructure via e-mails with attached Office files. These files contain macros that run as soon as the user "activates content" (enables macros) and thus infect the system.
This virus primarily infects Windows systems and Windows user profiles. Once it is on a system, it exfiltrates data, downloads further malware (e.g. encryption Trojans) and attempts to spread on its own within the network. Because of this high propagation speed, it is a virus with a very high level of risk.
For this reason, action must be taken quickly even where there is only a reasonable suspicion that a system is infected, and the following measures must be implemented immediately:
- The infected system must be disconnected from the network immediately (LAN, WLAN and mobile network)
- The accounts (both the RHRK account and any PLC accounts) of all users who were logged in to the system during or after the suspected infection must be blocked. To do this, please contact accounts(at)rhrk.uni-kl.de and your system administrator.
After these immediate measures, the following steps must be carried out in order to make a system virus-free:
- First, back up data that is stored only on this system to an external medium (USB stick or USB hard disk). This medium must not contain any other data and must initially be set aside unused for 24 hours (antivirus software is usually updated to the latest version within this time).
- The affected Windows systems must be completely reinstalled, as this virus cannot be removed safely, or at least no published procedure for doing so exists.
- Centrally stored user profiles must be reset.
- As soon as the account is unlocked again after the aforementioned measures have been carried out, the user must immediately set a new password.
- The backed-up local data on the external medium may be scanned for viruses after 24 hours at the earliest and only then copied back to the cleaned system. All of the data must be scanned on a test system using an up-to-date virus scanner (e.g. Sophos).
Important:
- Never log on to a potentially infected system with an administrator password as long as that system is still active on the network. The virus harvests passwords and uses them to spread further.
- Anyone who has worked on an infected system must also change all other passwords used or saved there (including private passwords).
Since May 16, 2019, RHRK has been implementing far-reaching technical measures to prevent further infections and to detect infected systems:
- The e-mail SPAM filter has been "tightened" and configured so that e-mails with Microsoft Office files attached that show certain characteristics are rejected as SPAM. The sender is informed that the e-mail has not been accepted; no e-mails are deleted, they are only returned to the sender. Unfortunately, this measure can currently lead to 'false positives', i.e. legitimate e-mails that users are expecting are also rejected (this only affects e-mails with Office documents attached).
- Network traffic is checked centrally for certain characteristics in order to detect infected systems. If RHRK identifies a system as probably infected, it is immediately disconnected from the network and, if known, the respective user is informed.
- Individual infected systems were made available to RHRK by users so that the virus behavior could be examined, in particular which malware is downloaded by 'Emotet'. So far, two encryption Trojans have been found in this way.
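As an added illustration of the kind of attachment check described above (this is example code written for this page, not RHRK's filter, whose actual rules and "certain characteristics" are not published here), the following Python rejects an e-mail when an attached Office file carries a VBA macro project, and returns an SMTP-style reply so the sender learns the mail was not accepted. The file-extension list, the decision to reject legacy OLE2 .doc/.xls files outright, and the sample messages are all assumptions constructed for the example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions treated as "Microsoft Office files". Assumption: the notice does not
# publish the RHRK filter's actual list or the "certain characteristics" it checks.
OFFICE_EXTS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx", ".ppt", ".pptm", ".pptx")
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy binary Office container

def ooxml_has_vba(blob: bytes) -> bool:
    """OOXML (.docx/.docm/.xlsm ...) is a zip; a VBA project is stored as */vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def classify_message(raw: bytes) -> tuple[str, str]:
    """Return ('reject', smtp_reply) if an Office attachment carries macros, else ('accept', '').
    Legacy OLE2 .doc/.xls cannot be inspected here without an OLE parser, so they are
    rejected outright (policy assumption for this example, not RHRK's rule)."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if not name.endswith(OFFICE_EXTS):
            continue
        blob = part.get_payload(decode=True) or b""
        if blob.startswith(OLE2_MAGIC) or ooxml_has_vba(blob):
            # Permanent 5xx reply: the sender is told the mail was not accepted; nothing is silently deleted.
            return "reject", f"550 5.7.1 Attachment {name} contains macros; message not accepted"
    return "accept", ""

def make_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style zip (not a real document) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

def make_sample_mail(filename: str, blob: bytes) -> bytes:
    """Constructed sample e-mail carrying one attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.invalid", "user@example.invalid", "Invoice"
    m.set_content("Please see the attached document.")
    m.add_attachment(blob, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()
```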
Organizational measures:
- Do not open any Office document unless you are sure that you are expecting it. For documents you are not sure about, please ask the sender or send them to antivirus(at)rhrk.uni-kl.de; RHRK will check the document for you.
- Every Windows system should have an active anti-virus scanner. RHRK provides the Sophos software centrally, see https://www.rhrk.uni-kl.de/software/antivirus/
- In future, make greater use of the options RHRK provides centrally for exchanging Office documents, such as
  - storage space sharing,
  - the cloud of the Rhineland-Palatinate Data Center Alliance ("Seafile"), or
  - version management.
This allows you to collaborate easily with colleagues outside TUK without having to send your Office documents by e-mail.
If you have any questions or need support on the topic of 'Emotet', please contact the RHRK (hotline(at)rhrk.uni-kl.de).
Further information on the 'Emotet' malware can be found on the website of the Federal Office for Information Security (BSI):
https://www.allianz-fuer-cybersicherheit.de/ACS/DE/Micro/E-Mailsicherheit/emotet.html
Further measures that administrators can take to prevent infection are also described there.
Where possible, the guidance provided there should be implemented in your area of responsibility.
Your RHRK team