MX Lab, http://www.mxlab.eu, has started intercepting a new trojan distribution campaign sent by email with the subject “DHL Delivery Notification Message 5SE1M4FDO07A6DKVL” (the trailing combination of letters and numbers varies).
The email is sent from the spoofed address “DHL Express <firstname.lastname@example.org>” and has the following body:
DHL Express Tracking Notification: Wed, 30 Nov 2011 01:16:39 +0200
Custom. Reference: TF2APLTEGGQAN 65290
P. Tracking Number: 4830615 NM7WEPS48CR5L
Pickup Date: Wed, 30 Nov 2011 01:16:39 +0200
Wed, 30 Nov 2011 01:16:39 +0200 – Processing complete
PLEASE REFER TO ATTACHED FILE FOR DETAILED INFORMATION.
Please do not reply to this email. This is an automated application used only for sending proactive notifications
DHL Express International.
The attached ZIP file is named Delivery–Tracking–Notification–DHL–EXPRESS–0ZZICVEE.zip and contains a 203 kB file named Delivery_Tracking_Notification-nov2011_DHL-EXPRESS-INTERNATIONAL.exe.
The trojan is known as W32/Trojan3.DBV (F-Prot), PWS-Zbot.gen.hb (McAfee), Troj/Bredo-MM (Sophos).
At the time of writing, only 6 of the 43 AV engines on VirusTotal detected the trojan.
VirusTotal permalink and MD5: 81cdcd438efe2bad7d4c91d53b64c3a0.
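As an added illustration that is not part of the MX Lab post, the following Python check flags a message on the indicators described above: the subject prefix with its variable token, a “DHL Express” display name on an address outside DHL, and a ZIP attachment carrying an .exe, while also comparing the MD5 of the attachment and of each extracted file against the hash quoted in the post. The rule that genuine DHL mail comes from a dhl.com address and the sample message built by build_sample() are assumptions/constructed for the demonstration.

```python
import hashlib, io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators quoted from the MX Lab post (the token after the subject prefix varies)
KNOWN_MD5 = "81cdcd438efe2bad7d4c91d53b64c3a0"
SUBJECT_RE = re.compile(r"^DHL Delivery Notification Message [A-Z0-9]{10,20}$")
# Assumption: genuine DHL notifications come from a dhl.com address
LEGIT_SENDER_RE = re.compile(r"@dhl\.com>?\s*$", re.I)


def inspect_message(raw: bytes) -> dict:
    """Return the indicators found in one RFC 822 message given as bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    f = {"subject_match": False, "spoofed_dhl_sender": False,
         "zip_with_exe": False, "known_md5": False, "exe_names": []}
    f["subject_match"] = bool(SUBJECT_RE.match(msg["subject"] or ""))
    sender = msg["from"] or ""
    # Display name claims DHL but the mailbox is outside dhl.com
    f["spoofed_dhl_sender"] = "dhl" in sender.lower() and not LEGIT_SENDER_RE.search(sender)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        blob = part.get_payload(decode=True) or b""
        # The post does not say whether the MD5 is of the ZIP or the EXE, so check both
        hashes = {hashlib.md5(blob).hexdigest()}
        if name.endswith(".zip") and zipfile.is_zipfile(io.BytesIO(blob)):
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for info in zf.infolist():
                    if info.filename.lower().endswith(".exe"):
                        f["zip_with_exe"] = True
                        f["exe_names"].append(info.filename)
                        hashes.add(hashlib.md5(zf.read(info)).hexdigest())
        f["known_md5"] = f["known_md5"] or KNOWN_MD5 in hashes
    f["suspicious"] = f["subject_match"] and f["zip_with_exe"]
    return f


def build_sample(attach_zip: bool = True) -> bytes:
    """Constructed message mimicking the campaign; plain text stands in for the EXE."""
    m = EmailMessage()
    m["From"] = "DHL Express <firstname.lastname@example.org>"
    m["Subject"] = "DHL Delivery Notification Message 5SE1M4FDO07A6DKVL"
    m.set_content("PLEASE REFER TO ATTACHED FILE FOR DETAILED INFORMATION.")
    if attach_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("Delivery_Tracking_Notification-nov2011_DHL-EXPRESS-INTERNATIONAL.exe", b"placeholder")
        m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                         filename="Delivery-Tracking-Notification-DHL-EXPRESS-0ZZICVEE.zip")
    return m.as_bytes()
```

Because the constructed sample does not contain the real binary, the hash comparison comes back negative while the structural indicators still flag it, which is the point of not relying on a single MD5 for a campaign whose attachment names and subjects are generated per message.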