MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email, with subjects like:
DHL Express Notification for shipment for 26 Oct 2011 Z167436340.30585700 1319666581
Notification for shipment for 26 Oct 2011 Z175851430.39624200 1319669963
The email is sent from the spoofed address “DHL Express International Support <firstname.lastname@example.org>” and has the following body:
DHL Express Notification for shipment for 26 Oct 2011.
AWB Number: 0193112309848
Pickup Date: 2011-10-26 17:21:00
26 Oct 11 08:15 AM – Clearance processing complete
PLEASE REFER TO ATTACHED FILE FOR DETAILED INFORMATION.
Please do not reply to this email. This is an automated application used only for sending proactive notifications
DHL is Part of the World’s Leading Logistics Group, Deutsche Post DHL DHL offers integrated services and tailored, customer-focused solutions for managing and transporting letters, goods and information. DHL: Four Divisions – One Brand – One Provider – All Your Solutions DHL comprises four divisions. These segments operate under the control of their own divisional headquarters. The Group management functions are performed by the Corporate Center. We have centralized the internal services which support the entire Group, including Finance Operations, IT and Procurement. This consolidation enables us to increase the flexibility of our business, improve service quality and leverage economies of scale and cost benefits. Customer Service Center at http://www.dhl.com
The attached ZIP file is named DHL_EXPRESS_Notification_Message_NR-167436340.30585700 131966658120.zip and contains the 188 kB file DHL-Delivery-Notification-Message-102611.exe.
The trojan is detected as PWS-Zbot.gen.cc (McAfee) and Win-Trojan/Obfuscated.Gen (AhnLab).
At the time of writing, only 4 of the 43 AV engines at Virus Total detected the trojan.
Virus Total permalink and MD5: a6e25ec56d926d98c9afd9101027b50d.
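As an added illustration, not part of the MX Lab post, the following Python script turns the indicators above (the subject pattern, a ZIP attachment carrying an .exe, and the published MD5) into a mail triage check. It builds a constructed sample message that imitates the lure; the "executable" inside its ZIP is a dummy MZ stub, not the real trojan, so its hash will not match the published MD5 and only the structural rules fire. The sender, recipient and subject pattern are taken from the post; the regex and the executable extension list are assumptions.

```python
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# MD5 published in the post for DHL-Delivery-Notification-Message-102611.exe
KNOWN_BAD_MD5 = {"a6e25ec56d926d98c9afd9101027b50d"}

# Assumed pattern derived from the observed subjects:
# "... Notification for shipment for 26 Oct 2011 Z167436340.30585700 1319666581"
SUBJECT_RE = re.compile(r"Notification for shipment for \d{1,2} \w{3} \d{4} Z\d+\.\d+ \d+")

# Assumed list of extensions treated as executable inside an attachment
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def inspect_zip(data):
    """Return (member name, md5) for every executable member of a ZIP blob; [] if not a ZIP."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(EXECUTABLE_EXTS):
                    digest = hashlib.md5(zf.read(info)).hexdigest()
                    hits.append((info.filename, digest))
    except zipfile.BadZipFile:
        pass
    return hits


def triage(raw_bytes):
    """Parse a raw RFC 822 message and return a list of human-readable findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        findings.append("subject matches DHL shipment-notification lure pattern")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Check by name or by magic so a renamed ZIP is still inspected
        if fname.lower().endswith(".zip") or payload[:2] == b"PK":
            for member, digest in inspect_zip(payload):
                findings.append(f"zip attachment {fname!r} contains executable {member} (md5 {digest})")
                if digest in KNOWN_BAD_MD5:
                    findings.append(f"md5 {digest} matches the published IOC")
    return findings


def build_sample():
    """Constructed sample imitating the campaign; the 'exe' is a harmless placeholder."""
    exe_bytes = b"MZ" + b"\x00" * 64  # constructed stub, NOT the real malware
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("DHL-Delivery-Notification-Message-102611.exe", exe_bytes)
    msg = EmailMessage()
    msg["From"] = "DHL Express International Support <firstname.lastname@example.org>"
    msg["To"] = "recipient@example.org"  # assumed recipient
    msg["Subject"] = "DHL Express Notification for shipment for 26 Oct 2011 Z167436340.30585700 1319666581"
    msg.set_content("PLEASE REFER TO ATTACHED FILE FOR DETAILED INFORMATION.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="DHL_EXPRESS_Notification_Message_NR-167436340.30585700 131966658120.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Run against a real .eml instead of the constructed sample by passing its bytes to triage(). The hash rule only catches this exact binary; the subject and ZIP-with-executable rules are what generalize to later waves of the same campaign.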