Trojan attached to “Scan from a Xerox WorkCentre” messages


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Scan from a Xerox WorkCentre  P9275821”.

The email is sent from a spoofed address and has the following body:

Good morning,
Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set
Device Name: XRX2090AA7ACD7299422.

The attached ZIP file is named Scanned_Documents.zip and contains the 44 kB file Scanned_Documents.DOC.exe.

The trojan is known as W32/Refroso.AGEA!tr (FortiNet), Trojan:W32/Agent.DQBL (F-Secure), Troj/Bredo-ER (Sophos) and Win32/LockScreen.QX (NOD32).

At the time of writing, only 13 of the 41 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: eb7753949819409a8b13d650fc473b53.
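The two indicators this post gives a mail gateway to work with are the attachment layout (a ZIP holding a double-extension file, Scanned_Documents.DOC.exe, described above) and the MD5 of that file. The following script is an added example, not code from MX Lab, showing how a defender can triage such a message offline: it matches the campaign subject, opens the ZIP in memory, flags members whose name hides an executable extension behind a document one, checks for a PE (MZ) header, and compares each member's MD5 against the IoC from the post. The function names, the extension lists and the sample ZIP are my own assumptions; the sample is constructed from a harmless "MZ" stub with the same file names as the campaign, so its hash deliberately does not match the real IoC.

```python
import hashlib
import io
import re
import zipfile

# IoC quoted in the MX Lab post: MD5 of Scanned_Documents.DOC.exe.
KNOWN_BAD_MD5 = {"eb7753949819409a8b13d650fc473b53"}

# Subject used by the campaign: "Scan from a Xerox WorkCentre <identifier>".
# The trailing identifier varies, so only the fixed prefix is matched.
SUBJECT_RE = re.compile(r"^\s*Scan from a Xerox WorkCentre\b", re.IGNORECASE)

# Extensions Windows will execute, and the document-like extensions used as a
# decoy in front of them ("Scanned_Documents.DOC.exe"). Both lists are assumptions.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DECOY_EXT = {"doc", "docx", "pdf", "xls", "xlsx", "jpg", "txt"}


def is_double_extension(name: str) -> bool:
    """True for names like 'Scanned_Documents.DOC.exe': a decoy extension followed by an executable one."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXT and parts[-2] in DECOY_EXT


def inspect_zip(data: bytes) -> list:
    """Return one dict per archive member: name, size, MD5 and the reasons it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            payload = zf.read(info)
            md5 = hashlib.md5(payload).hexdigest()
            reasons = []
            if is_double_extension(info.filename):
                reasons.append("double-extension executable")
            if payload[:2] == b"MZ":
                reasons.append("PE (MZ) header")
            if md5 in KNOWN_BAD_MD5:
                reasons.append("known IoC MD5")
            findings.append({"name": info.filename, "size": len(payload),
                             "md5": md5, "reasons": reasons})
    return findings


def triage(subject: str, attachment_name: str, attachment: bytes) -> dict:
    """Combine the subject lure and the attachment inspection into one verdict."""
    reasons = []
    if SUBJECT_RE.match(subject):
        reasons.append("campaign subject lure")
    members = inspect_zip(attachment) if attachment_name.lower().endswith(".zip") else []
    if any(m["reasons"] for m in members):
        verdict = "quarantine"          # hard indicator inside the archive
    elif reasons:
        verdict = "review"              # lure only; hold for an analyst
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons, "members": members}


def build_sample_zip(member_name: str, content: bytes) -> bytes:
    """Construct a small in-memory ZIP for testing; the content is a placeholder, not the trojan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed stand-in for the campaign attachment: same names as in the post,
# but the member is a harmless 64-byte 'MZ' stub, so its MD5 will not match the IoC.
SAMPLE_ZIP = build_sample_zip("Scanned_Documents.DOC.exe", b"MZ" + b"\x00" * 62)

if __name__ == "__main__":
    result = triage("Scan from a Xerox WorkCentre  P9275821", "Scanned_Documents.zip", SAMPLE_ZIP)
    print(result["verdict"], result["reasons"])
    for m in result["members"]:
        print(f'  {m["name"]}  {m["size"]} bytes  md5={m["md5"]}  {m["reasons"]}')
```

The name check is deliberately independent of the hash check: the MD5 in the post identifies one sample, while the double-extension and MZ checks catch the next build of the same campaign after the hash changes. A real gateway would also unpack nested archives and inspect members of any name, since the decoy extension list above is only the one this lure used.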