PPRuNe Forums - View Single Post - Slow Anti-Virus signatures....
Old 3rd October 2014 | 13:13
mixture
Joined: Aug 2002
Posts: 3,663
Likes: 0
From: Earth
I would have thought Kaspersky with dodgy Russian heritage would be quicker off the mark
Yes, Kaspersky surprised me too! Normally they're first off the post, well ahead of anyone else (or a close second to F-Secure, who have an excellent Scandinavian team).

What kind of attachments / files are we talking about? Dodgy PDFs? Or something that can be filtered by an email server e.g. .exe or .bin or something?
Compressed files (rar format, which in itself is fairly unusual to see, but looks like a new way to get past people who just scan zip format). Inside the compressed file is an exe. The exe installed a trojan virus that is a keylogger.

I'm guessing the rar must be self-expanding because not many people will have rar extractors installed (unless newer versions of Windows natively support rar? It's been a while since I tried).

One of the files I looked at leaves the following traces of its presence in the registry....

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\IP
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Options
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\RTF
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Text
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Word6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Write

The background process makes lookups to domain names that start with:
stahltech
jotoocourt
test.quimall
okmax
(I have omitted the domain suffixes)

Last edited by mixture; 3rd October 2014 at 13:45.
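One way to hunt for the lookups described in the post above across a resolver log, as an added example that is not code from the post or from PPRuNe. The log format and the host names in the sample are constructed, and because the domain suffixes were omitted in the post the match is made on the leading labels only, on a label boundary so that a longer legitimate name sharing the same first characters is not flagged:

```python
import re
from typing import Iterable, List, Tuple

# Leading labels reported in the post (the suffixes were omitted there),
# so a hunt can only match on the start of the queried name.
SUSPECT_PREFIXES = ("stahltech", "jotoocourt", "test.quimall", "okmax")

# Constructed sample lines in a simple "timestamp client query name" log
# format; the suffixes and clients are made up for the demonstration.
SAMPLE_LOG = """\
2014-10-03T13:10:01Z 10.0.0.15 query stahltech.example.
2014-10-03T13:10:02Z 10.0.0.15 query www.pprune.org.
2014-10-03T13:10:05Z 10.0.0.22 query TEST.QUIMALL.example.net.
2014-10-03T13:10:07Z 10.0.0.15 query stahltechnik-legit.example.
2014-10-03T13:10:09Z 10.0.0.31 query okmax.example.org.
2014-10-03T13:10:11Z 10.0.0.15 query jotoocourt.example.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<name>\S+)$")


def normalise(name: str) -> str:
    """Lower-case a queried name and drop the trailing root dot."""
    return name.lower().rstrip(".")


def matches_prefix(name: str, prefix: str) -> bool:
    """True when the query name starts with the indicator on a label boundary:
    'stahltech' matches 'stahltech.example' but not 'stahltechnik-legit.example'."""
    name = normalise(name)
    return name == prefix or name.startswith(prefix + ".")


def hunt(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, normalised query, matched prefix) per suspicious lookup."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole hunt
        for prefix in SUSPECT_PREFIXES:
            if matches_prefix(m["name"], prefix):
                hits.append((m["ts"], m["client"], normalise(m["name"]), prefix))
                break
    return hits


if __name__ == "__main__":
    for ts, client, name, prefix in hunt(SAMPLE_LOG.splitlines()):
        print(f"{ts} {client} looked up {name} (matches '{prefix}')")
```

The DNS lookups are the better hunt signal here: WordPad itself keeps its settings under the Applets\Wordpad key (the Options, RTF, Text, Word6, Write and Settings subkeys), so the presence of those keys on their own is a weak indicator.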