MX Lab started to intercept a few emails with the subject “scan upon download” coming from randomly spoofed email addresses.
The trojan is named Suspicious:W32/Malware!Gemini (F-Secure) or Mal/TibsPk-D (Sophos) and is able to create malicious executable files on the infected system.
The body of the email:
We have prepared a contract and added the paragraphs that you wanted to see in it. Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment. We are enclosing the file with the prepared contract.
The email has a ZIP archive attached named Contract.zip, a 202 kB file; once extracted, an executable file named Contract.exe appears.
The following files are created:
A new process is created:
Virus Total permalink and MD5: 99b165be9e35f83b811925ccbb9be36d.
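As an added example (not MX Lab's own code), a Python check a mail gateway or analyst could run over a raw message from this campaign: it parses the .eml, opens any ZIP attachment in memory, flags members that look like Windows executables and compares their MD5 with the hash listed above. The sample message, sender and placeholder executable bytes are constructed here, not taken from the intercepted email.

```python
import email, hashlib, io, zipfile
from email import policy
from email.message import EmailMessage

# Indicators from the alert above: the subject line and the MD5 of Contract.exe.
KNOWN_SUBJECT = "scan upon download"
KNOWN_MD5 = "99b165be9e35f83b811925ccbb9be36d"
MAX_MEMBER = 5 * 1024 * 1024  # skip oversized members so a decompression bomb is not read

def inspect_message(raw: bytes) -> dict:
    """Parse a raw message; list executables inside ZIP attachments with their MD5."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"subject_match": (msg["subject"] or "").strip().lower() == KNOWN_SUBJECT,
              "executables": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True)
        if not name.lower().endswith(".zip") or not payload:
            continue
        try:
            archive = zipfile.ZipFile(io.BytesIO(payload))
        except zipfile.BadZipFile:
            continue
        for member in archive.infolist():
            if member.is_dir() or member.file_size > MAX_MEMBER:
                continue
            data = archive.read(member)
            # Check the PE "MZ" magic as well as the extension, so a renamed executable is still caught.
            if data[:2] == b"MZ" or member.filename.lower().endswith(".exe"):
                digest = hashlib.md5(data).hexdigest()
                report["executables"].append({"archive": name, "member": member.filename,
                                              "md5": digest, "known_sample": digest == KNOWN_MD5})
    return report

def build_sample_eml() -> bytes:
    """Constructed test message shaped like the alert: Contract.zip holding Contract.exe.
    The inner bytes are a harmless placeholder that only starts with 'MZ'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Contract.exe", b"MZ placeholder, not a real program")
    m = EmailMessage()
    m["Subject"] = "scan upon download"
    m["From"] = "spoofed@example.com"  # constructed sender
    m["To"] = "victim@example.com"
    m.set_content("We are enclosing the file with the prepared contract.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="Contract.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(inspect_message(build_sample_eml()))
```

Because the placeholder bytes are not the real sample, `known_sample` is False for the constructed message; on a genuine capture it becomes True only when the extracted Contract.exe hashes to the MD5 above.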