Dutch emails with Report.zip attached contain trojan
January 20, 2012
MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the following possible subjects:
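Fwd: Vertel de fiscus (English: "Fwd: Tell the tax authorities")
Fwd: Niet in het derde kwartaal van dit jaar! (English: "Fwd: Not in the third quarter of this year!")
Informeer de belastingsdienst! (English: "Inform the tax office!")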
Order
Order #98314389
Re: adviser id: 586452.
Re: profile consultation id: 90616
The answer id: 79858
Your request id: 52018110.
…
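The email is sent from different spoofed addresses and has the following body (English translation in parentheses):
Hallo (Hello)
U moet de rekening betalen voor het einde van de week. (You must pay the bill before the end of the week.)
Details in de bijgevoegde documenten… (Details in the attached documents…)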
The attached ZIP file is named Report.zip and contains the 41 kB file Report.Docx____**____.exe (the filename contains many underscores to hide the .exe file type extension at the end).
The trojan is known as W32/Yakes.B!tr (Fortinet), UDS:DangerousObject.Multi.Generic (Kaspersky), Posible_Worm32 (TheHacker).
At the time of writing, only 4 of the 43 AV engines at Virus Total detected the trojan.
Virus Total permalink and SHA256: 5037236777f3d320482de732688243faa192ade3bcbbda57472407d7b1219cfe.
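
The padded attachment name described above can be flagged by inspecting ZIP member names before delivery. The following is an added example, not code from MX Lab; the extension lists, function names and the sample archive (harmless bytes under a constructed name that stands in for the padded filename) are assumptions.

```python
import io
import re
import zipfile

# Assumed lists for this example; extend them to match local policy.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
DECOY = re.compile(r"\.(docx?|xlsx?|pdf|rtf|txt|jpe?g)(?![a-z0-9])")
# Four or more filler characters in a row, enough to push ".exe" out of view.
PADDING = re.compile(r"[_\s]{4,}")


def classify_member(name):
    """Return the reasons a ZIP member name looks like a disguised executable."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    base = base.rstrip(" .")  # Windows ignores trailing spaces and dots
    stem, dot, ext = base.rpartition(".")
    if not dot or ext not in EXECUTABLE_EXTS:
        return []
    reasons = ["executable"]
    if DECOY.search(stem):
        reasons.append("decoy-extension")  # e.g. ".docx" before the real ".exe"
    if PADDING.search(stem):
        reasons.append("padding")
    return reasons


def scan_zip(data):
    """Map each suspicious member of a ZIP (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample():
    """Constructed sample archive: harmless bytes, names shaped like the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report.Docx" + "_" * 40 + ".exe", b"not a real program")
        zf.writestr("notes.txt", b"plain text")
        zf.writestr("setup.exe", b"not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample()).items():
        print(why, member)
```

A member that carries all three reasons is a strong candidate for quarantine; "executable" alone is a policy decision for the mail gateway.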



