The email is send from the spoofed address “FedEx <no-reply@fedex.com>” and has the following body:

The attached ZIP file has the name FedEx-Shipment-Notification_GX3553U8-Jan2012.zip and contains the 200 kB large file FedEx-Shipment-Notification.exe.

The trojan is known as W32/Trojan3.DEC (F-Prot), Trojan-Spy:W32/Zbot.AVRN (F-Secure), Trojan-Dropper.Win32.Injector.clrk (Kaspersky), Trojan.Zbot (Sophos).

At the time of writing, only 11 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: 28aba7221fe47882164fa45d9d63c58110b96b94d9b2291b692afaa7406c2e46.

Fwd: Vertel de fiscus
Fwd: Niet in het derde kwartaal van dit jaar!
Informeer de belastingsdienst!
Order
Order #98314389
Re: adviser id: 586452.
Re: profile consultation id: 90616
The answer id: 79858
Your request id: 52018110.
…

The email is send from different spoofed addresses and has the following body:

Hallo
U moet de rekening betalen voor het einde van de week.
Details in de bijgevoegde documenten…

The attached ZIP file has the name Report.zip and contains the 41 kB large file Report.Docx____**____.exe (the filename contains many underscores to hide the .exe file type extension at the end).

The trojan is known as W32/Yakes.B!tr (Fortinet), UDS:DangerousObject.Multi.Generic (Kaspersky), Posible_Worm32 (TheHacker).

At the time of writing, only 4 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: 5037236777f3d320482de732688243faa192ade3bcbbda57472407d7b1219cfe.

The email has the following body:

Good day,
We are to inform you that someone just sent you a gift from amazon.com,
below is the recipt kindly open and track the order. Wishing you a lovely year ahead.
Best regards,
Amazon.com

The malware  is approx. 221 kB large and listens to the name file4402_fdp.exe.

The trojan is known as Win32:Malware-gen (Avast), Trojan.Win32.VBKrypt.imoz (Kaspersky), Artemis!798A4ABB09D7 (McAfee), Mal/Generic-L (Sophos).

At the time of writing, 24 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: 40bbaa3e93e50dbdc2b615ae383c3c36c0ab358c311a39efaf6c1246b71ef903.

The email is send from the spoofed address “Federal Deposit Insurance Company <convened@fdic.gov>” and has the following body:

Dear Business Customer,
We have important information about your bank.
Please refer to attached file to view information.
This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership
Tue, 9 Jan 2012 12:11:34 +0100

---

FDIC USA Questions for FDIC?
Contact Us
Federal Insurance Company
3501 Fairfax Drive
Arlington VA 22226
877-275-3342

The attached ZIP file has the name FDIC_Information_About-your-business-account-JAN2012-223588.zip and contains the *** kB large file FDIC_Information_About-your-business-account-Jan-2012.exe (numbers will change)

The trojan is known as PWS-Zbot.gen.ma (McAfee), Trj/Zbot.L (Panda), Mal/Zbot-EZ (Sophos) and UDS:DangerousObject.Multi.Generic (Kaspersky).

At the time of writing, only 6 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5:4d9e26f544458084261d715a44d13e03.

The email is send from the spoofed address “Account Support” and has the following body:

An Account Activity Notification you created has detected that the
following transaction has posted as of 12/19/11. The detail information
associated with the transaction is as follows:

Account: XXXXXX5693

Transaction Description: Incoming Wire Transfer
Amount: $087,390.45
Type: Credit
Reference Info: 1453328649OS
Availability: Immediate

PLEASE REFER TO ATTACHED FORM FOR MORE DETAILS

CONFIDENTIALITY NOTICE: This electronic mail transmission may contain
legally privileged, confidential information belonging to the sender. The
information is intended only for the use of the individual or entity named
above. If you are not the intended recipient, you are hereby notified that
any disclosure, copying, distribution or taking any action based on the
contents of this electronic mail is strictly prohibited. If you have
received this electronic mail in error, please contact sender and delete
all copies.

The attached ZIP file has the name Account_Update_Notification_12192011-71714.zip and contains the 210 kB large file Account_Update_Notification_12192011.exe. The filenames will vary with each email.

The trojan is known as Trojan.Win32.Heur.Gen (ByteHero) or PWS-Zbot.gen.ma (McAfee).

At the time of writing, only 2 of the 42 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5: 09707085eb9812202ba72a1c6f6c5f4a.

Subjects will vary, the email is send from different spoofed addresses and here we have some samples:

Goeie morgen,

Het antwoord op uw vraag over het profiel op de website van 30.11.2011
hxxp://www.quattro-stagioni.it/docdown/Factuur.zip?idinvoice=1615847338768Firma=ontario583@csk-rijssen.nl

We zijn blij om samen te werken in de toekomst.

Het antwoord op uw vraag over het profiel op de website van 30.11.2011
hxxp://www.sanseverocommunity.com/docdown/Factuur.zip?idinvoice=27043890762Firma=info@bloemex.nl

The trojan is known as Artemis!6287782884ED (McAfee), Downloader.Dromedan (Symantec), Trojan.Win32.Yakes (Ikarus), Trojan.Generic.7001815 (BitDefender).

At the time of writing, 37 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5: 6287782884edba7ca26df03942798739.

The email is send from the spoofed address “Federal Deposit Insurance Company”and has the following body:

Dear Business Customer,
We have important information about your bank.
Please refer to attached file to view information.
This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership
FDIC USA Questions for FDIC?
Contact Us
Federal Insurance Company
� 3501 Fairfax Drive
� Arlington VA 22226
� 877-275-3342

The attached ZIP file has the name FDIC_Information_About-your-business-account-07193.zip and contains the 205 kB large file FDIC – Important Information About your business account.exe.

The trojan is known as PWS-Zbot.gen.hb (McAfee), Trojan.Zbot (Symantec), Win32.Outbreak!IK (Emsisoft).

At the time of writing, only 5 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5: c1e121392a4ee3a1822e944367bcd3e6.

MX Lab, http://www.mxlab.eu, intercepted some emails with the subject “How To Beat The S&P500 By 5,420 pc Or MORE?, Wed, 7 Dec 2011 15:26:29 +0100, MAAIGNCPV5″.

The subjects looks very familiar and could be compared to the latest trojan distribution campaigns that we have seen with the account information from Verizon Wireless or the Adobe Critical Upgrade notification. The subjects comes along with a date stamp and a randomly generated letter and number combination.

The email is send from the spoofed addresses, in our case from the domain vzw.com and has the following body:

Hello Dear!

As you probably know, there are over 7,000 stocks to choose from on just the U.S. exchanges alone…
But what you might NOT know is that about 97% of these stocks are PURE POISON for your portfolio, meaning that the odds are stacked AGAINST you before you even place a trade. Recently, one of the most respected trading experts in our community discovered a way to automatically FILTER OUT the ‘poison’ stocks and leave you with:
* The Top 3% that offer the most profit potential every time you trade.

Feel free refer to attach for more detailed information!

Thanks a lot!

The attached ZIP file has the name 97_percents_poison_stocks_overview_report-19560.zip and contains the 200 kB large file 97_percents_poison_stocks_overview_report.exe.

The trojan is known as TR/Spy.ZBot.oke (AntiVir), Trojan.Generic.KDV.461730 (BitDefender), Trojan-Spy.Agent!IK (Emsisoft), Trojan-Spy.Win32.Zbot.crnn (Kaspersky), PWS-Zbot.gen.hb (McAfee), Trojan.Zbot (Symantec).

At the time of writing, 17 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5: 67a24430319bb92f3113d752c84d4a87.

The email is send from the spoofed addresses and has the following body:

Hello!

Unfortunately we failed to deliver the postal package you have sent on the 2nd of December in time because the recipient’s address is erroneous.

Please print out the shipment label attached and collect the package at our office.

United States Postal Service

The attached ZIP file has the name USPS report.zip and contains the 45 kB large file USPS report.exe.

The trojan is known as Troj/DwnLdr-JNL (Sophos), Gen:Variant.Kazy.47555 (F-Secure), Trojan-Downloader.Win32.Pakes.it (Kaspersky), Gen:Variant.Kazy.47555 (BitDefender).

At the time of writing, only 18 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5: 371f5f724fbd95db62a217c4c2f5d1be.

Important Account Information from Verizon Wireless, ID: EKTC3TXRO1OL3
Important Information from Verizon Wireless, Tue, 6 Dec 2011 17:04:21 +0100
Important Account Information from Verizon Wireless, ID: 1SQHPMXWT4S10

The email is send from the spoofed address “Verizon Wrieless <notification@verizonwireless.com>”and has the following body:

Hello Dear!

Your current bill for your account is now available online in My Verizon

Total Balance Due: $1194.15

Keep in mind that payments and/or adjustments made to your account after your bill was generated will not be reflected in the amount shown above.

View all your recent bills in application materials.

Thank you for choosing Verizon Wireless.

The attached ZIP file has the name Verizon-Wireless-Account-StatusNotification_5037184.zip and contains the 200 kB large file Verizon-Wireless-Account-Status-Notification-Dec-2011.exe.

The trojan is known as PWS-Zbot.gen.hb (McAfee), PWS:Win32/Zbot.gen!Y (Microsoft), W32/Zbot.YFP (Norman).

This trojan is in fact quite the same as used in the Adobe Software Critical Upgrade Notification emails.

At the time of writing, only 5 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5: 2cf8db09963b2077e42aeb1d644b160f.