In the past we’ve seen many variants of the UPS email containing an attached trojan in a zip file, now known as Win32/Kollah.RT, 32/Zbot.GXN!tr.spy or TrojanSpy:Win32/Zbot.gen!C depending on the antivirus engine. Since yesterday we’ve seen a new variant, and it is being actively distributed: MX Lab has intercepted quite a few samples of these emails.
The emails haven’t changed much. The subject is “Your Tracking # 877874077711” (the number is dynamic and changes often) and the body reads:
Sorry, we were not able to deliver postal package you sent on November the 1st in time because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office. If you do not receive package in ten days you will have to pay 36$ per day.
The email has the zip file Invoice_UPS.zip attached, with Invoice_UPS.exe inside.
VirusTotal Permalink and MD5: 68ab2a6801bbc18e727d8ac093c8087f.
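The traits described above (the tracking-number subject and a zip attachment carrying an executable) can be checked at the mail gateway without extracting anything. The following is an added example, not MX Lab's code: the function names, the extension list and the sample message (built with harmless placeholder bytes) are assumptions made for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject pattern from the post: "Your Tracking # <digits>", number varies per mail.
SUBJECT_RE = re.compile(r"^Your Tracking # \d+$")
# Extensions treated as executable here are an assumption, not from the post.
EXEC_EXT = (".exe", ".scr", ".pif", ".com")


def zip_executables(data):
    """Return names of executable-looking members of a zip, without extracting."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []


def inspect_message(raw):
    """Report which traits of the described campaign a raw RFC 5322 message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            hits += [f"{name}/{m}" for m in zip_executables(part.get_content())]
    return {
        "subject_match": bool(SUBJECT_RE.match((msg["Subject"] or "").strip())),
        "zipped_executables": hits,
    }


def build_sample():
    """Constructed sample: harmless placeholder bytes stand in for the trojan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_UPS.exe", b"placeholder, not a real executable")
    msg = EmailMessage()
    msg["Subject"] = "Your Tracking # 877874077711"
    msg.set_content("Please print out the invoice copy attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Invoice_UPS.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(inspect_message(build_sample()))
```

The zipped-executable check is the more durable signal of the two, since the subject number changes per message and the file hash changes per variant.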