Trojan present in emails “Notification of payment received” regarding a payment on Paypal


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Notification of payment received” and it informs the reader of a payment on Paypal.

The email is send from the spoofed address “service1@paypal.com” and has the following body:

You’ve Got Cash!

Hello,

This email confirms that you have received a payment

Receipt ID: 6582-5633-4547-8480

The number above is the buyer’s receipt ID for this transaction. Please retain it for your records so that you will be able to reference this transaction for customer service.

Payment details
Total amount: $538.00 USD
Currency: U.S. Dollars
Transaction ID: YWF75893702065128
Quantity: 1
Buyer: See attached file for full details

Have you lifted your withdrawal and receiving limits? Just log in to your PayPal account and click View Limits on the Account Overview page.
Sincerely,
PayPal

PayPal Email ID YC220

The attached ZIP file has the name Notification_payment_9850-9767-5140-2469.zip and contains the 72 kB large file Notification_payment_08_15_2012.exe.

At the time of writing, none of the 41 AV engines did detect the trojan at Virus Total so it is impossible to name this trojan.

Virus Total permalink and SHA256: 1f5f4cb69a892d0bc2e8d6bf17de2087517a7a336523b44536c9b7385c07d67a.

11 Responses to Trojan present in emails “Notification of payment received” regarding a payment on Paypal

  1. Darek says:

    Today I recieved two e-mails like that, with .zip 40KB large. “Total amount: $162.00 USD, and the other “Total amount: $471.00 USD” . I didn’t open them. :)

  2. Drazen says:

    I gor similar email.I got $857 from RICO GALLAGHER

    It ends with : PayPal Email ID 5O267 and contains 29 kb .zip attachment named “Notification_payment…..”

    • Drazen says:

      EDIT : Avast didn’t recognized it as a virus… I still didn’t go to paypal and didn’t open attachment :D

  3. Amanda says:

    Today I recieved two e-mails like that,Fortunately,I still didn’t go to paypal and didn’t open attachment.

    • Eric says:

      I received two e-mails as described today as well. One for $872 and one for $43. Never used paypal so this seemed fishy to me from the get go.

  4. susanne says:

    is there no possibility to send the mail back – I tried and got notice “mail delivery failed” -it must have come from somewhere, no?

  5. Robert says:

    My mom received 2 of those emails, just a few days after opening her own Paypal account for the first time. The timing makes me wonder if she has a virus already, so that “somebody” learned that she just opened an account.

    In any case, her AV (whatever it is) didn’t recognize it, but my company’s corporate Av (Trend Micro) did.

  6. Pen says:

    I’ve just received such an email and tried to open the attachment but was not successful. So, does that meant that my computer is not infected?

  7. Alain says:

    You might be unable to run some programs. Check in the registry, and in HCU\microsoft\windows\current\version,Run, delete the Notification of payment and reboot your machine. But even so you can have to reinstall some softwares

Follow

Get every new post delivered to your Inbox.

Join 451 other followers

%d bloggers like this: