MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Adobe Acrobat: Upgrade Needed”.
The email is sent from the spoofed address “Adobe Update Notification <firstname.lastname@example.org>” and has the following body:
Adobe is pleased to announce new version upgrades for Adobe Acrobat Reader
Advanced features include:
– Collaborate across borders
– Create rich, polished PDF files from any application that prints
– Ensure visual fidelity
– Encrypt and share PDF files more securely
– Use the standard for document archival and exchange
To upgrade and enhance your work productivity today please open attached file.
Copyright 2011 Adobe Systems Incorporated. All rights reserved.
Adobe Systems Incorporated,
Wed, 30 Nov 2011 16:45:33 +0100
The attached ZIP file has the name Adobe-Software-Update-VUREU328263.zip and contains the 203 kB file AdobeSoftwareUpdate-20111130.exe. Note that the filenames can be different.
The trojan is known as Trojan.Generic.KDV.442070 (BitDefender), W32/Zbot.DD.gen!Eldorado (F-Prot), PWS-Zbot.gen.oe (McAfee), Troj/Kirje-B (Sophos).
At the time of writing, only 22 of the 43 AV engines at Virus Total detected the trojan.
Virus Total permalink and MD5: 22728244953af82281b37265060384c4.
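Because the filenames change between messages, a mail-gateway check for this campaign should look inside the ZIP rather than match attachment names. The following is an added example, not MX Lab's code: the function names, the extension list, the size limit and the sample message (built with harmless placeholder bytes) are assumptions made for illustration.

```python
import hashlib
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# MD5 from the page; the page does not say whether it is of the ZIP or the EXE.
KNOWN_MD5 = {"22728244953af82281b37265060384c4"}
EXEC_EXT = (".exe", ".scr", ".com", ".pif")  # assumption: extensions to flag
MAX_MEMBER = 50 * 1024 * 1024  # assumption: do not unpack members above 50 MiB

def triage(raw: bytes) -> list:
    """Return one finding per executable found inside a ZIP attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue  # decide by content: attachment names vary per message
        zip_md5 = hashlib.md5(data).hexdigest()
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.filename.lower().endswith(EXEC_EXT):
                    continue
                ok = not (info.flag_bits & 0x1) and info.file_size <= MAX_MEMBER  # bit 0 = encrypted
                md5 = hashlib.md5(zf.read(info)).hexdigest() if ok else None
                findings.append({
                    "subject": str(msg["Subject"] or ""),
                    "attachment": part.get_filename(),
                    "member": info.filename,
                    "md5": md5,
                    "known_bad": bool({zip_md5, md5} & KNOWN_MD5),
                })
    return findings

def build_sample() -> bytes:
    """Constructed sample; harmless placeholder bytes stand in for the EXE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AdobeSoftwareUpdate-20111130.exe", b"MZ constructed placeholder")
    msg = EmailMessage()
    msg["From"] = "Adobe Update Notification <firstname.lastname@example.org>"
    msg["Subject"] = "Adobe Acrobat: Upgrade Needed"
    msg.set_content("To upgrade please open attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Adobe-Software-Update-VUREU328263.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(*triage(build_sample()), sep="\n")
```

Any finding is worth quarantining on its own, since a software vendor does not mail executables in ZIP files; the known_bad flag only adds confirmation when the hash matches the one above.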