DHL delivery error with malicious ZIP attached
October 4, 2011 2 Comments
MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject like:
ADDRESS NOT FOUND N# : trk-id: 468009980.87926300 1317639396
EXPRESS parsel report N# trk-id: 873383920.06837600 1317634295
REPORT REF N# trk-id: 673062160.28087200 1317632952
Parcel N## : trk-id: 339705150.38276500
Note that the numbers in the subject can change randomly.
The email is send from the spoofed address “DHL Global Mail GROUPS” with real SMTP From addresses like:
and has the following body:
Your package has been returned to the DHL office. The reason of the return is – Error in the delivery address
Please refer to attached file for additional details
Attached to the letter mailing label contains the details of the package delivery. You have to print mailing label, and come in the office in order to receive the packages.
Thank you for attention.
The attached ZIP file has the name report-undeliver-778643455.zip and contains the 177 kB large file report-undeliver-778643455. Again, numbers in the filename can vary.
The trojan is known as Trojan.Generic.KD.370448 (BitDefender), Trojan-Spy.Win32.Zbot.chef (Kaspersky), Troj/Zbot-BAW (Sophos), PWS:Win32/Zbot.gen!Y (Microsoft).
At the time of writing, only 23 of the 43 AV engines did detect the trojan at Virus Total.
Virus Total permalink and MD5:7d0c0b1a6c9fc433e62448e4255927fd.