Email with subject “scan upon download” contains trojan


MX Lab started to intercept a few emails with the subject “scan upon download” coming from randomly spoofed email addresses.

The trojan is named Suspicious:W32/Malware!Gemini (F-Secure) or Mal/TibsPk-D (Sophos) and is able to create malicious executable files on the infected system.

The body of the email:

Dear Sirs,
We have prepared a contract and added the paragraphs that you wanted to see in it. Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment. We are enclosing the file with the prepared contract.

The email has a ZIP archive attached named Contract.zip, a 202 kB file; once extracted, an executable named Contract.exe appears.

The following files are created:

%AppData%\av.exe
%AppData%\v7LsGuo3u6bku

A new process is created:

%AppData%\av.exe

VirusTotal permalink and MD5: 99b165be9e35f83b811925ccbb9be36d.
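As an added defender-side example (not code from the MX Lab post), the following Python turns the indicators above into two checks: one over inbound mail metadata (subject, ZIP attachment and its contents, attachment hash) and one over endpoint file-create and process-create events. The log-line format, the field names and the sample events are assumptions; the MD5 is used as the hash of the sample the post links to.

```python
import re

# Indicators taken from the MX Lab post above; all sample data below is constructed.
CAMPAIGN_SUBJECT = "scan upon download"
SAMPLE_MD5 = "99b165be9e35f83b811925ccbb9be36d"
DROPPED_NAMES = {"av.exe", "v7lsguo3u6bku"}

# %AppData% expands to ...\AppData\Roaming on Vista and later and to
# ...\Application Data on XP, so accept either form and capture the file name.
APPDATA_RE = re.compile(r"\\(?:appdata\\roaming|application data)\\([^\\]+)$", re.I)

def check_email(subject, attachment, members, md5):
    """Reasons a message matches this campaign ([] = no match); `members` lists the ZIP's contents."""
    reasons = []
    if subject.strip().lower() == CAMPAIGN_SUBJECT:
        reasons.append("subject matches campaign")
    stem = attachment.rsplit(".", 1)[0].lower()
    # Contract.zip wrapping Contract.exe: an archive whose payload is an EXE named like the archive
    if attachment.lower().endswith(".zip") and stem + ".exe" in [m.lower() for m in members]:
        reasons.append("zip wraps executable with same name")
    if md5.lower() == SAMPLE_MD5:
        reasons.append("md5 matches known sample")
    return reasons

def check_events(lines):
    """Return (kind, path) for every '<time> <kind> <path>' line whose path is a dropped file under %AppData%."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=2)  # maxsplit keeps paths containing spaces intact
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash
        _, kind, path = parts
        m = APPDATA_RE.search(path)
        if m and m.group(1).lower() in DROPPED_NAMES:
            hits.append((kind, path))
    return hits

# Constructed sample events: the drop-and-run pattern described in the post, plus benign noise.
SAMPLE_EVENTS = [
    "2011-04-12T10:03:11 FileCreate C:\\Users\\alice\\AppData\\Roaming\\av.exe",
    "2011-04-12T10:03:11 FileCreate C:\\Users\\alice\\AppData\\Roaming\\v7LsGuo3u6bku",
    "2011-04-12T10:03:12 ProcessCreate C:\\Users\\alice\\AppData\\Roaming\\av.exe",
    "2011-04-12T10:04:00 ProcessCreate C:\\Windows\\System32\\notepad.exe",
]

if __name__ == "__main__":
    print(check_email("scan upon download", "Contract.zip", ["Contract.exe"], SAMPLE_MD5))
    for kind, path in check_events(SAMPLE_EVENTS):
        print(kind, path)
```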

2 thoughts on “Email with subject “scan upon download” contains trojan”

  1. Yes, they are the worst scammers I have ever encountered. They won’t stop even though I sent several replies asking them to stop emailing me; still they are so aggressive, and I am also receiving it in my mail! Here is the latest email I received from them, aside from the one I got from the mail.

    Dear Sir/Madam,

    I am writing on behalf of the Credit Department of EU Business Services Ltd.

    I have to remind you the due date for the invoice no. 73824, issued by EU Business Services Ltd for your first year of insertion of Events & Exhibition LLC into Europe Business Guide Ms Jennifer McCrory has ordered was the 01/03/2011.

    We are in the possession of a 3-year valid order placed on behalf of your company.

    Your debt to our company has reached EUR 1424,-, as late payment, administration and legal fees have been added to the initial amount of the invoice.
    A second legal letter will be sent towards your company next Monday, the 18th of April, increasing your debt to EUR 1924,-.

    Provided the payment will be made by the 15th of April, 2011 we accept the amount of EUR 1124, – in order to settle your account this year.

    If no payment is made available by the 15th of April, 2011 a payment less than this amount will not solve the issue we obviously have with your company in your honoring your financial obligations towards us.

    Thank you for your time and cooperation.

    IBAN: SK36 7500 0000 0040 1273 2549
    SWIFT CODE: CEKOSKBX
    A/c#: 4012732549

    Best regards,
    Ms Andreea
    Credit Department
    EU Business Services Ltd.
    P.O. Box 2021, 3500 GA Utrecht, The Netherlands
    Fax: 0031 205 248 107

  2. These are big scammers, please don’t pay anything to them. Keep on ignoring them. Here is what I keep on getting from them.

    To Sir/Madam,

    We have to remind you the due date for the invoice no. 130757, issued for the insertion of xxxxx into the current edition of European Trade Register Mr Aaron Luther ordered was the 27/12/2012.

    Your debt to our company reached EUR 1924,- according to the second legal letter that was on the 6th of May, 2013 sent to your company by our Legal Counsellor. You have already received two legal letters via post and fax so far.

    Whether the payment of EUR 1424,- is effected by 13th of May, 2013 the latest, we will exempt the additional legal fee of EUR 500,- added yesterday to your debt.

    Considering we have yet not been able to settle the account and the legal procedures are to begin within the following two weeks, we once again remind you of this unsettled debt and the unpleasant consequences to follow.

    In case you manage to effect the payment in the following days, the transfer can still be made to the bank account stated on the legal letters. Find below:

    BENEFICIARY NAME: WBM LTD.
    Bank: Allianz Bank Bulgaria AD
    IBAN: BG37BUIN95611000303807
    SWIFT: BUINBGSF
    A/c#: BG37BUIN95611000303807

    Best regards,

    Credit Department

    Tel: 0031 208 080 789
    Fax: 0031 205 248 107
