[Updated] A macro virus is attacking the Polish customers Bank PKO BP

Polish users banking again targeted by cyber criminals. This time the Internet scammers sent their malicious activities m.in in bank customers PKO PB and other random people. Under the guise of important information on new methods of control carried out electronic transactions, send to their victims of malicious document DOC, that contains a macro virus.


Malicious emails not only spread by unknown assailants of indeterminate nationality-as indicated by the broken English, their content is so poorly constructed that the only incomprehensible desire to open an annex can persuade the potential victim to open that file.



Possible topics News (also the original):


1. Subject: PKO Bank-for transactions over 10.000 USD will control the tax inspection
2. Subject: PKO BP transactions will control the tax inspection
3. Subject: all transactions PKO Bank located under the control of the tax urzada
4. Subject: Pko Polish Bank will monitor all transactions



The original content of the message:



18.06.2015 CFO Bank iPKO Laura Majko came up with the conclusion that from the beginning of March of the current year, all transfers are carried out under the supervision of the tax office accomodation and the main Bank of the European Union in Brussels.



It will be introduced the system limits and automatic control, in some cases, the full audit.

The details of this reportage, you can read the attached = lik.




The annex contains a DOC file 917_46348. doc with malicious code VBA, that when you run the macro command executes-gets the network additional malicious scripts and malware.






"The inclusion of the contents of the" initiates the start of the whole chain of unspecified and baneful consequences of events. In the first place, taken from the Web is a Trojan horse with a backdoor, which opens the hacker backdoors on your system. Then the virus copies itself to the location C:\Users\user_name\AppData\Local\Temp\conneSvr.exe, and periodically communicates with a server in the domain fooofoooofooo.com. It is a serious threat for the victim-might cause that the hacker will be able to remotely connect to the infected computer and steal confidential information from it (for example, logins and passwords) stored on your hard disk. What's more, in some cases, an attacker can redirect the user to different advertising pages or pages with malicious or phishingową content and poorly protected computer can pass under the control of the Internet criminals.

  • At the time of the writing of this article only one antivirus program was able to detect malware- analysis of VT

So it looks like that macro viruses are experiencing its second youth. Fortunately, Microsoft Office 2010 version decided to take matters into their own hands and took care of our security by disabling the automatically execute macros when you open the document. This function should always be turned off, even in private companies and public institutions, which as we know, very often translate into convenience and bad habits of workers over computer security.

Update 19.06.2015-Answer Bank PKO BP on our article:

I would point out that the threat of infection on your computer affects all recipients of the message, not only to our customers. To infect your devices from which users connect to the Internet, there is most often a result of opening attachments to fake emails, in which hackers pretend to be financial institutions or companies providing telecommunications services and inform about the need for an alleged payment-in payment for an invoice for telephone, pending shipment, courier service or inform you of important changes. Using the recipient's trust to a known commonly the company and his concern about the resulting from the need to regulate the fees, or the need to familiarize yourself with important information criminals lead the client to open the attachment.


In reality, however, open the attachment infects the computer on which the attachment is opened, a dangerous virus, to steal confidential customer data (login data to the website).

Therefore, always be warned to users under any circumstances do not open suspicious messages, attachments, do not respond to these messages and do not share with anyone your personal information, login and account passwords, codes, data payment card – a PIN and CVV code. We advise you to signing up for payment, always make sure that the connection is encrypted by checking the address of the page in the browser window begins with https://and that in the bar at the bottom or at the top of the screen (depending on the browser) appears an icon with a closed padlock – its presence confirms that the page is protected by a security certificate, and the connection is encrypted. When you click on the padlock must be validated and the timeliness of the certificate. It should be noted that only the combination of the correct address and the correct content of the certificate guarantees that the site is legal and it can be safe to log in.

Referring to the case of the last messages sent by scammers I would point out that the mentioned bank iPKO does not exist. Valid addresses online banking PKO Bank Polish, for example: https://www.ipko.pl/, https://www.ipko.pl/nowe/, https://www.ipkobiznes.pl/kbi, https://inteligo.pl/secure.

We respond immediately to any signal about shipping fake emails and each case is reported to the law enforcement and international certs, which deal with the fight against cases of breaches of computer security, as also prevention of this type of fraud in the future.

The safety of our customers is a priority for us, because in many places we have published information about the principles of safe use of the site:



Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.