Trojan present in emails “Notification of payment received” regarding a payment on Paypal
August 15, 2012 11 Comments
MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Notification of payment received”; the message informs the reader of a payment received on PayPal.
The email is sent from the spoofed address “service1@paypal.com” and has the following body:
You’ve Got Cash!
Hello,
This email confirms that you have received a payment
Receipt ID: 6582-5633-4547-8480
The number above is the buyer’s receipt ID for this transaction. Please retain it for your records so that you will be able to reference this transaction for customer service.
Payment details
Total amount: $538.00 USD
Currency: U.S. Dollars
Transaction ID: YWF75893702065128
Quantity: 1
Buyer: See attached file for full details
Have you lifted your withdrawal and receiving limits? Just log in to your PayPal account and click View Limits on the Account Overview page.
Sincerely,
PayPal
PayPal Email ID YC220
The attached ZIP file has the name Notification_payment_9850-9767-5140-2469.zip and contains the 72 kB file Notification_payment_08_15_2012.exe.
At the time of writing, none of the 41 AV engines at VirusTotal detected the trojan, so it is not yet possible to name it.
Virus Total permalink and SHA256: 1f5f4cb69a892d0bc2e8d6bf17de2087517a7a336523b44536c9b7385c07d67a.
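As an added example (not MX Lab's code), the following Python check applies the indicators described above to a raw message: the campaign subject, a From header claiming paypal.com, a Notification_payment*.zip attachment, an .exe inside that archive, and the SHA256 of that file compared with the hash reported in this post. The sample message is constructed inline, with inert filler bytes standing in for the executable.

```python
import email, hashlib, io, re, zipfile
from email import policy
from email.message import EmailMessage

# SHA256 the post reports for Notification_payment_08_15_2012.exe.
KNOWN_SHA256 = {"1f5f4cb69a892d0bc2e8d6bf17de2087517a7a336523b44536c9b7385c07d67a"}
SUBJECT_RE = re.compile(r"notification of payment received", re.I)
ATTACH_RE = re.compile(r"^notification_payment.*\.zip$", re.I)

def analyse(raw: bytes) -> dict:
    """Score one raw RFC 822 message against the campaign's indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, exe_seen = [], False
    if SUBJECT_RE.search(msg.get("Subject", "")):
        findings.append("subject matches campaign")
    if "paypal.com" in msg.get("From", "").lower():
        findings.append("From claims paypal.com (campaign spoofs service1@paypal.com)")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not ATTACH_RE.match(name):
            continue
        findings.append(f"campaign-style attachment name: {name}")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for info in zf.infolist():
                    if not info.filename.lower().endswith(".exe"):
                        continue
                    exe_seen = True
                    digest = hashlib.sha256(zf.read(info)).hexdigest()
                    findings.append(f"exe in zip: {info.filename} sha256={digest}")
                    if digest in KNOWN_SHA256:
                        findings.append("sha256 matches the sample from the post")
        except zipfile.BadZipFile:
            findings.append("zip attachment is corrupt or not a zip")
    # Lure subject/sender plus an executable inside the archive is the pattern.
    return {"suspicious": exe_seen and len(findings) >= 3, "findings": findings}

def build_sample() -> bytes:
    """Constructed test message; the 'exe' is inert filler bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notification_payment_08_15_2012.exe", b"MZ" + b"\0" * 64)
    msg = EmailMessage()
    msg["From"] = "service1@paypal.com"
    msg["Subject"] = "Notification of payment received"
    msg.set_content("You've Got Cash!\nBuyer: See attached file for full details\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Notification_payment_9850-9767-5140-2469.zip")
    return msg.as_bytes()
```

The constructed sample triggers the heuristic findings but not the hash match, which is the expected outcome for a lookalike message whose payload differs from the analysed sample.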

Today I received two e-mails like that, with a 40 KB .zip: “Total amount: $162.00 USD”, and the other “Total amount: $471.00 USD”. I didn’t open them.
I got a similar email. I got $857 from RICO GALLAGHER
It ends with: PayPal Email ID 5O267 and contains a 29 kB .zip attachment named “Notification_payment…..”
EDIT: Avast didn’t recognize it as a virus… I still didn’t go to PayPal and didn’t open the attachment
Today I received two e-mails like that. Fortunately, I still didn’t go to PayPal and didn’t open the attachment.
I received two e-mails as described today as well. One for $872 and one for $43. Never used paypal so this seemed fishy to me from the get go.
Is there no possibility to send the mail back? I tried and got the notice “mail delivery failed”. It must have come from somewhere, no?
It’s always a spoofed email address that they use to hide their tracks. Otherwise it would be too easy to find the sender.
I got one today. It appears to be from me to me. I found an address in the e-mail properties. nobody@cPanel.spreadgroup.org I forwarded it back.
My mom received 2 of those emails, just a few days after opening her own Paypal account for the first time. The timing makes me wonder if she has a virus already, so that “somebody” learned that she just opened an account.
In any case, her AV (whatever it is) didn’t recognize it, but my company’s corporate AV (Trend Micro) did.
I’ve just received such an email and tried to open the attachment but was not successful. So, does that mean that my computer is not infected?
You might be unable to run some programs. Check in the registry, in HCU\microsoft\windows\current\version,Run, delete the Notification of payment and reboot your machine. But even so you may have to reinstall some software.