Bredolab.X trojan hidden in tracking details from an internet store

MX Lab intercepted several messages with a new trojan variant attached in a ZIP archive. The email messages are from an alleged internet shop where an order has been placed. The tracking number of the postal parcel has been attached according to the sender.

In fact, the ZIP archive contains an executable that is identified as TrojanDownloader:Win32/Bredolab.X (Microsoft), W32/Bredolab!Generic (F-Prot), Trj/CI.A (Panda) or Mal/Bredo-A (Sophos).

Subjects could be (the numbers in the subject are random):

Thank you for settling the order No.90322972
Shipping confirmation for order _24204

The from address is spoofed and the body of the email is similar to:

Goodafternoon!

Thank you for shopping at our internet store!
We have successfully received your payment.

Your order has been shipped to your billing address.
You have ordered Toshiba Satellite U400D.

You can find your tracking number in attached to the e-mail document.
Please print the label to get your package.

We hope you enjoy your order!
Momsview.com

Another body example:

Dear Customer!

Thank you for placing your order at our internet store.
Your order: Samsung R610, was sent at your address.
The tracking number of your postal parcel is indicated in the document attached to this letter.
Please, print out the postal label for receiving the parcel.

Online store.
Cart.undftd.com

The extracted ZIP archive contains an D*****.exe, of approx 36 kB, where * stands for random numbers and letters. Bredolab.X is a trojan horse that downloads and executes a file from the Internet.

Virus Total permlink and MD5: 74d95402682f7e11513433193e1a2684.