Emails with important account information from Verizon Wireless contain trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects similar like:

Important Account Information from Verizon Wireless, ID: EKTC3TXRO1OL3
Important Information from Verizon Wireless, Tue, 6 Dec 2011 17:04:21 +0100
Important Account Information from Verizon Wireless, ID: 1SQHPMXWT4S10

The email is send from the spoofed address “Verizon Wrieless <notification@verizonwireless.com>”and has the following body:

Hello Dear!

Your current bill for your account is now available online in My Verizon

Total Balance Due: $1194.15

Keep in mind that payments and/or adjustments made to your account after your bill was generated will not be reflected in the amount shown above.

View all your recent bills in application materials.

Thank you for choosing Verizon Wireless.

The attached ZIP file has the name Verizon-Wireless-Account-StatusNotification_5037184.zip and contains the 200 kB large file Verizon-Wireless-Account-Status-Notification-Dec-2011.exe.

The trojan is known as PWS-Zbot.gen.hb (McAfee), PWS:Win32/Zbot.gen!Y (Microsoft), W32/Zbot.YFP (Norman).

This trojan is in fact quite the same as used in the Adobe Software Critical Upgrade Notification emails.

At the time of writing, only 5 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5: 2cf8db09963b2077e42aeb1d644b160f.