MX Lab, http://www.mxlab.eu, is intercepting different types of emails carrying an attachment detected as Gen:Variant.Strictor.49180.
This email is sent from the spoofed address “email@example.com” while the SMTP from is “firstname.lastname@example.org”, comes with the subject “Invoice #3164342” and has the following body:
Attached is the invoice (Invoice_ADP_3164342.zip) received from your bank.
Please print this label and fill in the requested information. Once you have filled out
all the information on the form please send it to email@example.com.
For more details please see the attached file.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
Automatic Data Processing, Inc.
1 ADP Boulevard
© Automatic Data Processing, Inc. (ADP®). All rights reserved.
The attached ZIP file has the name Invoice_ADP_3164342.zip and contains the 19 kB file Invoice_ADP_01142014.exe.
Fiserv attached document:
This email is sent from the spoofed address “Fiserv <Debra_Drake@fiserv.com>” while the SMTP from is “firstname.lastname@example.org”, comes with the subject “FW: Scanned Document Attached” and has the following body:
Dear Business Associate:
Protecting the privacy and security of client, company, and employee
information is one of our highest priorities. That is why Fiserv has
introduced the Fiserv Secure E-mail Message Center – a protected e-mail
environment designed to keep sensitive and confidential information
safe. In this new environment, Fiserv will be able to send e-mail
messages that you retrieve on a secured encrypted file.
You have an important message from Debra_Drake@fiserv.com. To see your message, use the following password to decrypt attached file: JkSIbsJPPai
If this is your first time receiving a secure file from the
Fiserv Secure E-mail Message Center, you will be prompted to set up a
user name and password.
This message will be available until Tuesday Jan 15, 2014 at 17:50:43
If you have any questions, please contact your Fiserv representative.
Your Associates at Fiserv
Additional information about Fiserv Secure E-mail is available by
entering http://www.fiserv.com/secureemail/ into your Web browser and
The attached ZIP file has the name FSEMC.Debra_Drake.zip and contains the 19 kB file FSEMC_01142014.exe.
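Both emails share two delivery traits: a header From address that differs from the SMTP envelope sender, and a ZIP attachment hiding a small .exe. As an added example (not code from the MX Lab post), the check below flags both at the gateway; the addresses and the archive are constructed here, and the archive member is a stub carrying only the PE 'MZ' magic, not a real binary.

```python
import io
import zipfile
from email import message_from_string
from email.utils import parseaddr

# Constructed names modelled on the ADP lure; the payload is a stub, not a real binary.
FAKE_EXE_NAME = "Invoice_ADP_01142014.exe"
SAMPLE_HEADERS = (  # placeholder addresses as given in the report, not real senders
    "Return-Path: <firstname.lastname@example.org>\n"
    'From: "ADP Invoices" <email@example.com>\n'
    "Subject: Invoice #3164342\n\n"
)

def build_sample_zip(member=FAKE_EXE_NAME, payload=b"MZ" + b"\x00" * 62) -> bytes:
    """Build a constructed ZIP attachment in memory (default: a stub with the PE 'MZ' magic)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()

def executables_in_zip(data: bytes) -> list:
    """Names of members that look like Windows executables (by extension or 'MZ' magic)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                magic = fh.read(2)  # only the first two bytes are needed for the check
            if info.filename.lower().endswith((".exe", ".scr", ".pif", ".com")) or magic == b"MZ":
                hits.append(info.filename)
    return hits

def sender_mismatch(raw_message: str) -> bool:
    """True when the header From domain differs from the envelope (Return-Path) domain."""
    msg = message_from_string(raw_message)
    hdr = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    env = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return bool(hdr and env and hdr != env)

def triage(raw_message: str, zip_attachment: bytes) -> dict:
    """Combine both indicators into one verdict for a message and its ZIP attachment."""
    exes = executables_in_zip(zip_attachment)
    mismatch = sender_mismatch(raw_message)
    return {"executables": exes, "sender_mismatch": mismatch,
            "suspicious": bool(exes) or mismatch}

if __name__ == "__main__":
    print(triage(SAMPLE_HEADERS, build_sample_zip()))
```

The magic-byte check matters because the campaign names its payload freely (Invoice_ADP_01142014.exe, FSEMC_01142014.exe); an extension filter alone misses a renamed member.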
The trojan is known as Gen:Variant.Strictor.49180 by most of the virus engines, but also as PWSZbot-FMO!5B171D420618, Heuristic.LooksLike.Win32.Suspicious.J!81, TrojanDownloader:Win32/Upatre.A or PE:Malware.FakePDF@CV!1.9C28.
At the time of writing, 12 of the 48 AV engines at VirusTotal detected the trojan.
Use the VirusTotal permalink and the Malwr permalink for more detailed information.