MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “FedEx, Shipment Notification”.
The email is sent from the spoofed address “FedEx <firstname.lastname@example.org>” and has the following body:
The attached ZIP file is named FedEx-Shipment-Notification_GX3553U8-Jan2012.zip and contains the 200 kB file FedEx-Shipment-Notification.exe.
The trojan is known as W32/Trojan3.DEC (F-Prot), Trojan-Spy:W32/Zbot.AVRN (F-Secure), Trojan-Dropper.Win32.Injector.clrk (Kaspersky), Trojan.Zbot (Sophos).
At the time of writing, only 11 of the 43 AV engines at Virus Total detected the trojan.
Virus Total permalink and SHA256: 28aba7221fe47882164fa45d9d63c58110b96b94d9b2291b692afaa7406c2e46.