MX Lab detected a new malware spam outbreak with the subject “Your order has been paid! Parcel NR:58588-691” regarding a payment towards Amazon. The malware is sent from a spoofed email address in the form of Amazon Manager Vaughn Montes <email@example.com>.
The trojan is known as Trojan.Generic.Bredolab.3232 (ClamAV), W32/VBcrypt.E.gen!Eldorado (Eldorado), W32/VBcrypt.E.gen!Eldorado (F-Prot) or Heuristic.BehavesLike.Win32.Downloader.H (McAfee-GW-Edition).
The body of the email:
Thank you for shopping at Amazon.com!
We have successfully received your payment.
Your order has been shipped to your billing address.
You have ordered ” Sony Bravia S1452 ”
You can find your tracking number in attached to the e-mail document.
Print the postal label to get your package.
We hope you enjoy your order!
Vaughn Montes, Amazon
The email has the ZIP archive Amazon_label_N-322-552.zip attached, which contains the 36 kB file Amazon_label_N-322-552.DOC.exe.
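A gateway-side check for the attachment pattern described above (a ZIP whose member hides an executable extension behind a document extension), as an added example that is not part of the original MX Lab post. The function names and extension lists are assumptions chosen for illustration, and the sample archives are constructed with placeholder bytes.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists: extensions Windows executes, and document-like decoy extensions.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg", ".rtf"}


def deceptive_entries(zip_bytes):
    """Return archive members whose final extension is executable but whose
    preceding extension imitates a document (e.g. label.DOC.exe)."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Keep only the file name; normalise Windows-style separators.
            name = PurePosixPath(info.filename.replace("\\", "/")).name
            # Windows drops trailing dots and spaces, so strip them first.
            cleaned = PurePosixPath(name.rstrip(". "))
            suffixes = [s.lower() for s in cleaned.suffixes]
            if (len(suffixes) >= 2
                    and suffixes[-1] in EXECUTABLE_EXTS
                    and suffixes[-2] in DECOY_EXTS):
                flagged.append(info.filename)
    return flagged


def build_sample_zip(members):
    """Build an in-memory ZIP from {name: bytes}; constructed test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the attachment layout from the report (placeholder
# bytes, not the malware) and a benign archive that must not be flagged.
SUSPICIOUS = build_sample_zip({"Amazon_label_N-322-552.DOC.exe": b"placeholder"})
BENIGN = build_sample_zip({"invoice.doc": b"placeholder", "setup.exe": b"placeholder"})

if __name__ == "__main__":
    print(deceptive_entries(SUSPICIOUS))
    print(deceptive_entries(BENIGN))
```

The check looks only at member names, so it complements rather than replaces content scanning of the archive.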
The following files are created:
C:\Documents and Settings\User\Local Settings\Temp\1.tmp
An HTTP request is made to:
At the time of writing, only 5 of the 41 AV engines at VirusTotal detected the threat. VirusTotal permalink and MD5: b31628758d2557315403f59cc65bc33d.