New trojan variant in emails with subject “DHL Delivery Notification Message”

MX Lab,, started to intercept a new trojan distribution campaign by email with the subject “DHL Delivery Notification Message  5SE1M4FDO07A6DKVL” – the combination of letters and numbers may change.

The email is send from the spoofed address “DHL Express <>”and has the following body:

DHL Express Tracking Notification: Wed, 30 Nov 2011 01:16:39 +0200

Custom. Reference: TF2APLTEGGQAN 65290
P. Tracking Number: 4830615 NM7WEPS48CR5L
Pickup Date: Wed, 30 Nov 2011 01:16:39 +0200
Service: SEA
Pieces: 2

Wed, 30 Nov 2011 01:16:39 +0200 – Processing complete

Shipment status may also be obtained from our Internet site in USA under or Globally under

Please do not reply to this email. This is an automated application used only for sending proactive notifications

DHL Express International.

The attached ZIP file has the name Delivery–Tracking–Notification–DHL–EXPRESS– and contains the 203 kB large file Delivery_Tracking_Notification-nov2011_DHL-EXPRESS-INTERNATIONAL.exe.

The trojan is known as W32/Trojan3.DBV (F-Prot), PWS-Zbot.gen.hb (McAfee), Troj/Bredo-MM (Sophos).

At the time of writing, only 6 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5: 81cdcd438efe2bad7d4c91d53b64c3a0.

11 thoughts on “New trojan variant in emails with subject “DHL Delivery Notification Message”

  1. MX,
    I did download the file as I was expecting something. When I realized what it was, too late.
    No noticable problems yet except for Windows did block something that I did not recognize. Windows reporting something on “Junta Exams Tang Bash Mare”. I don’t know it this is related.
    I just ran Malwarebytes and it did not find anything.
    Do you know how I can get rid of this Trojan ? Or tell me how I can find out if I have it ?

  2. Sent message to DHL… asked them to contact all other people on it but know it is just broadcasting throughout the Comcast system. Did get put in my JUNK folder but as soon as I saw the ZIP knew there was something fishy and ugly going on.

  3. Just got tricked by this – does anyone know how ‘DHL label’ virus works? Can it execute in a Mac/Linux environment? Does it use Word? or is this just Windows-based. I run Macs in an office environment that have MS Office for Mac on them…

  4. I suspected this one, the main clues being the top “Hello Dear” without my name and the fact that it was a zipped file rather than an actual message. The “customer reference” and “tracking numbers” do change, but upon entering the “tracking number” into the (real, supplied) DHL tracking URL it didn’t recognize it.

  5. L.Jeans
    I had no idea that this had been a problem. I am normally very aware of things like this. Can anyone advise me on what to do? Or how it can affect my computer??

  6. My antivir detected the trojan and then I googled the email adress. Thanks for the info on here. Stay safe.

  7. Thanks for the info. i suspected the relevant email and i searched for that. I did not download the attached.

  8. Let us do it by ourselves£¬will you? He lacks courage.He is my age.You may as well tell me the truth.The teacher got a little angry.How do you want your steak?How do you want your steak?A red tie will match that suit.What do you desire me to do? I can’t do this

  9. This is a still active virus just received it three times in my spam file. Fortunately I looked for information like this before I opened it. There is a similiar one floating around with FedEx information numbers that is the same thing too.

Comments are closed.