“You’ve got a fax” emails contains a trojan

MX Lab just intercepted some samples of a new trojan attached to emails with the subject “You’ve got a fax”. The body of the message contains an embedded JPEG file and attached a ZIP file.

It looks like it is sent from the online service eFax (http://www.efax.com) but it’s not. The email address efax@efax.com is spoofed.

The ZIP file has the name eFax39106.zipand it contains the 40 kB large  file efax871291.exe – please note that the numbers may vary.

The following files are installed on the infected system:


The following registry key is created:


The following registry key is modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell =

At the time of writing, only 5 of the 43 AV engines at Virus Total did detect the trojan. The trojan is known as Gen:Trojan.Heur.FU.cC0@a4DqMHii (BitDefender), W32/Trojan3.BZM (F-Prot) or W32/Obfuscated.BQ!genr (Norman).

Virus Total permlink and MD5: f4dd8d5788d0f227bc51cd28b5892561.

4 Responses to “You’ve got a fax” emails contains a trojan

  1. Van Driver Jobs says:

    I have a quick question how do these guys spoof email addresses?

  2. Neil H says:

    I have seen this Trojan but in a slightly different format. The jpg didn’t come as an attachment. The attachments received were eFAX???DOC.zip file containing a eFAX_?????DOC.exe executable

    The registry entries mentioned above weren’t created/affected but there were a number of files in the temp directory such as m.21ac.tmp.exe. These could have been created by a different Trojan but were only notices after a user opened and run th attachment in the mail. Comodo detected these files in the temporary directory but didn’t detect any Trojans. MalwareBytes detected the Trojan (can’t remember which ones) and has so far seemed to remove them

%d bloggers like this: