MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Scan from a Xerox WorkCentre P9275821”.
The email is sent from the spoofed address and has the following body:
Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.
Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]
WorkCentre Pro Location: machine location not set
Device Name: XRX2090AA7ACD7299422.
The attached ZIP file is named Scanned_Documents.zip and contains the 44 kB file Scanned_Documents.DOC.exe.
The trojan is known as W32/Refroso.AGEA!tr (FortiNet), Trojan:W32/Agent.DQBL (F-Secure), Troj/Bredo-ER (Sophos), Win32/LockScreen.QX (NOD32).
At the time of writing, only 13 of the 41 AV engines detected the trojan at Virus Total.
Virus Total permalink and MD5: eb7753949819409a8b13d650fc473b53.
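With so few engines detecting the sample, the attachment name itself is the more reliable signal: a document extension followed by an executable one, as in Scanned_Documents.DOC.exe. The following is an added example, not MX Lab's code, of a mail-gateway style check that flags such members inside a ZIP attachment; the extension lists, function names and sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed extension lists for illustration; tune them to local policy.
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".jpg", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def deceptive_members(zip_bytes):
    """Return (name, size) for members named <decoy-ext>.<exec-ext>."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits  # not a readable ZIP; leave it to other filters
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Use only the final path component, whichever separator was used.
            name = PurePosixPath(info.filename.replace("\\", "/")).name
            # Strip padding spaces so "x.doc   .exe" is treated like "x.doc.exe".
            suffixes = [s.strip().lower() for s in PurePosixPath(name).suffixes]
            if (len(suffixes) >= 2
                    and suffixes[-1] in EXEC_EXTS
                    and suffixes[-2] in DECOY_EXTS):
                hits.append((info.filename, info.file_size))
    return hits


def build_sample(member_name, payload=b"constructed placeholder, not malware"):
    """Build an in-memory ZIP with one member (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample("Scanned_Documents.DOC.exe")
    for name, size in deceptive_members(sample):
        print(f"quarantine: {name} ({size} bytes) has a double extension")
```

A plain `setup.exe` is deliberately not flagged here, since this check targets only the disguised double extension; blocking executables in archives outright is a separate policy decision.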