Mitigating W2KM_BARTALEX using Trend Micro Products

Updated: 15 Sep 2015

Product/Version:
    • Deep Discovery 3.0
    • Deep Discovery 3.1
    • Deep Discovery 3.2
    • Deep Security 8.0
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Web Security Virtual Appliance 6.0
    • InterScan Web Security Virtual Appliance 6.5
    • OfficeScan 10.6
    • OfficeScan 11.0
    • ScanMail for Exchange 10.2
    • ScanMail for Exchange 11.0

Platform:
    • Linux - Red Hat RHEL 5 64-bit
    • Linux - Red Hat RHEL 6 64-bit
    • Windows 2003 Enterprise
    • Windows 2003 Enterprise 64-bit
    • Windows 2008 Enterprise 64-bit
    • Windows 7 32-bit
    • Windows 7 64-bit
    • Windows XP Home
    • Windows XP Professional
Summary

BARTALEX is a macro script embedded in a Microsoft Office document. It usually arrives as an attachment to spam mail. The user has to open the attachment and enable macro execution in Microsoft Office before the macro script can run. It relies purely on social engineering: the mail is made to look like a notice about a fax, wire transfer, parcel, invoice or billing statement. No exploit is used.

Details
Make sure to always use the latest pattern available to detect the old and new variants of BARTALEX.

Solution Map

| Major Products      | Versions            | Virus Pattern                  | Behavior Monitoring            | Email Reputation                 | AntiSpam Pattern               | Web Reputation                 | DDI Pattern                    |
|---------------------|---------------------|--------------------------------|--------------------------------|----------------------------------|--------------------------------|--------------------------------|--------------------------------|
| OfficeScan          | 10.6 and above      | Update Pattern via web console | Update Pattern via web console | N/A                              | N/A                            | Enable Web Reputation Service* | N/A                            |
| Deep Security       | 8.0 and above       | Update Pattern via web console | N/A                            | N/A                              | N/A                            | N/A                            | N/A                            |
| ScanMail            | SMEX 10 and later   | Update Pattern via web console | N/A                            | Enable Email Reputation Service* | Update Pattern via web console | N/A                            | N/A                            |
| ScanMail            | SMD 5 and later     | Update Pattern via web console | N/A                            | N/A                              | Update Pattern via web console | N/A                            | N/A                            |
| InterScan Messaging | IMSVA 8.0 and above | Update Pattern via web console | N/A                            | Enable Email Reputation Service* | Update Pattern via web console | N/A                            | N/A                            |
| InterScan Web       | IWSVA 6.0 and later | Update Pattern via web console | N/A                            | N/A                              | N/A                            | N/A                            | N/A                            |
| Deep Discovery      | DDI 3.0 and later   | Update Pattern via web console | N/A                            | N/A                              | N/A                            | N/A                            | Update Pattern via web console |

Refer to the Product Administrator’s Guide on how to enable the Email Reputation or Web Reputation services features.

Recommendations

User Education 

  • Ensure that the Trend Micro products are updated.
  • Always check who the email sender is. If the email supposedly comes from a bank, verify with your bank that the message is legitimate. If it comes from a personal contact, confirm that they sent it. Do not rely solely on trust by virtue of relationship, as a friend or family member may be a victim of spammers as well.
  • Double-check the content of the message. There are obvious factual errors or discrepancies you can spot, such as a claim from a bank or a friend that they have received something from you. Check your recently sent items to verify the claim. Spam messages can also use other social engineering lures to persuade users to open the message.
  • Refrain from clicking links in email. In general, clicking links in email should be avoided; it is safer to visit any site mentioned in the email directly. If you must click a link in an email, make sure your browser uses web reputation to check the link, or use a free service such as Trend Micro Site Safety Center.
  • Ensure that programs and users of the computer run with the lowest level of privileges necessary to complete a task.
  • Be aware of social engineering attacks.

Configuration Best Practices

The policies above are usually placed after the following rules:

  • Spam rule
  • Antivirus rule
  • Client's other customized rules (optional)

The objective is to reject all known spam mail and known malware and, at the same time, obtain high-confidence sample files that can be submitted to support for further analysis.

Sample Collection

  • To ensure that new variants of this malware family are detected, we need to keep collecting samples so they can be submitted for analysis and added to the patterns and solutions if needed.
  • This is best done by filtering and blocking email attachments using Trend Micro's messaging products. You may refer to this link for information on the typical file types that carry this malware.

The link above should give you an idea of what types of sample files can be collected during an outbreak.

  • When collecting a sample spam mail with possible BARTALEX involvement, please make sure to send the actual or original spam mail and not the forwarded spam.
  • Collect and submit spam and all quarantined samples for sourcing and analysis.
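The summary describes BARTALEX as a macro embedded in an Office document, and the sample-collection steps above ask for attachments to be filtered by file type. The following script is an added example, not part of this article or of any Trend Micro product: it parses a quarantined .eml and flags attachments that carry a VBA project, using two assumed heuristics (a vbaProject.bin entry inside an OOXML zip, and a UTF-16LE "_VBA_PROJECT"/"VBA" stream name inside a legacy OLE file). The mail it inspects is constructed inline.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of legacy .doc/.xls containers
# OLE directory entries store stream names as UTF-16LE; a VBA storage shows up under these names.
VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "VBA")]


def has_macro(data):
    """Return a short reason if the blob looks like a macro-bearing Office file, else None (heuristic)."""
    if data.startswith(OLE_MAGIC):
        return "OLE document with VBA storage" if any(m in data for m in VBA_MARKERS) else None
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return None
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "OOXML document with vbaProject.bin"
    return None


def find_macro_attachments(raw_eml):
    """Parse a raw .eml and list (filename, reason) for every attachment that carries macros."""
    msg = email.message_from_bytes(raw_eml, policy=default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reason = has_macro(part.get_payload(decode=True) or b"")
        if reason:
            hits.append((name, reason))
    return hits


def build_sample_eml():
    """Constructed test mail: one macro-enabled OOXML 'invoice' plus one clean PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)  # stands in for a real VBA project
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.invalid", "user@example.invalid", "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream", filename="invoice.docm")
    msg.add_attachment(b"%PDF-1.4 clean", maintype="application", subtype="pdf", filename="receipt.pdf")
    return msg.as_bytes()
```

Run it over every file in a quarantine export to pick out the Office attachments worth submitting; a clean result does not prove a file is safe, since the check only looks for the presence of a VBA project.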

For new cases you may upload 1 ZIP or RAR file (up to 50 MB) that is protected with the password "virus" to this link.

For other samples, FTP upload is helpful; submit them as ZIP or RAR files protected with the password "virus".

SMEX and WFBS-Messaging Security Agent Quarantined mails

Please resend all quarantined mails from MSA or SMEX server side to specific recipient for sourcing. To resend a message that is displayed in the Quarantine Log, place a checkmark in the box corresponding to that message’s row in the log and then click Resend.

Spam on the client side can be pulled from either the spam folder or the junk mail folders.

IMSVA Quarantined mails

For IMSVA please download the files from the IMSVA console > Mail Areas & Queues > Query > Quarantine tab. Display logs then click specific emails to download copies.

  • If the Trend Micro product, an ATTK scan and other Trend Micro anti-malware tools do not find or detect any malware, follow the procedure described in the link to collect suspicious samples and system information.
  • The normal filtering configuration should be restored once the alert has passed.

Category: Configure; Troubleshoot; Update
Solution Id: 1111356