New trojan variant for DHL tracking information emails


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Re: DHL Express Tracking Notification,  IDQR–469851501622”.

The email is sent from the spoofed address “DHL International <notice@dhl.it>” and has the following body:

DHL Express Shipment Notification:

Custom Reference : 0865–V6A4V9D6Z6NDZ
Tracking Number : L773UA–55217730
Pickup Date : Tue, 29 May 2012 21:24:35 +0100
Service : SEA
Pieces : 1

Tue, 29 May 2012 21:24:35 +0100 : Processing complete
PLEASE REFER TO ATTACHED FILE FOR DETAILED INFORMATION.

Shipment status may also be obtained from our Internet site in USA under http://track.dhl-usa.com or Globally under http://www.dhl.com/track

Please do not reply to this email. This is an automated application used only for sending proactive notifications

Thanks in advance,
DHL Express International

Copyright
The copyright in this publication is owned by DHL International GmbH.

DHL is Part of the World’s Leading Logistics Group, Deutsche Post DHL DHL offers integrated services and tailored, customer-focused solutions for managing and transporting letters, goods and information.
DHL: Four Divisions – One Brand – One Provider – All Your Solutions
DHL comprises four divisions. These segments operate under the control of their own divisional headquarters. The Group management functions are performed by the Corporate Centre.

We have centralised the internal services which support the entire Group, including Finance Operations, IT and Procurement. This consolidation enables us to increase the flexibility of our business, improve service quality and leverage economies of scale and cost benefits.

The attached ZIP file has the name DHL-Express-Delivery-Notification-Details_05-2012-P7UEM841.zip and contains the 20 kB file DHL-Express-Delivery-Notification.exe.

The trojan is known as Gen:Variant.Kazy.72627, BackDoor.Bulknet.546, Trojan.Win32.Jorik.Totem.ij.

At the time of writing, only 6 of the 42 engines at Virus Total detected the trojan.

Virus Total permalink and SHA256: 45eedc778817807ab658a1c1984757afe43d67d02ae287832f9b9d10c0740676.
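Because engine coverage was this low when the campaign ran, mail-gateway logic that does not depend on signatures is the practical counterpart to the indicators above. The script below is an added example, not MX Lab's code: it parses a raw RFC 822 message with the Python standard library, flags the subject lure, unpacks ZIP attachments in memory and reports any executable member, and hashes every attachment and ZIP member against a set of known-bad SHA256 values seeded with the hash from this post. The sample message it builds is constructed for the demonstration (the "executable" inside the ZIP is a placeholder string, not the real payload), so the hash match only fires when the test feeds the placeholder's own hash in as an indicator.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# SHA256 of DHL-Express-Delivery-Notification.exe as reported in the post.
KNOWN_BAD_SHA256 = {
    "45eedc778817807ab658a1c1984757afe43d67d02ae287832f9b9d10c0740676",
}

# Subject fragment used by this campaign (the trailing IDQR number varies per message).
LURE_SUBJECT = "dhl express tracking notification"

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Refuse to inflate ZIP members above this size so a decompression bomb cannot
# exhaust the scanner's memory.
MAX_MEMBER_BYTES = 50 * 1024 * 1024

# Constructed placeholder standing in for the attachment; NOT the real payload.
SAMPLE_EXE = b"MZ" + b"constructed placeholder bytes, not malware"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def zip_members(blob: bytes) -> list:
    """Return (name, bytes) for each member of a ZIP blob; empty if blob is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            members = []
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER_BYTES:
                    continue  # skip oversized members instead of inflating them
                members.append((info.filename, zf.read(info)))
            return members
    except zipfile.BadZipFile:
        return []


def inspect_message(raw: bytes, known_hashes=KNOWN_BAD_SHA256) -> list:
    """Return a list of human-readable findings for one raw email message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = (msg.get("Subject") or "").lower()
    if LURE_SUBJECT in subject:
        findings.append("subject matches DHL tracking lure")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        blob = part.get_payload(decode=True) or b""
        # Check the attachment itself and, if it is a ZIP, every member inside it.
        candidates = [(name, blob)] + zip_members(blob)
        for member_name, data in candidates:
            if member_name.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append(f"executable attachment: {member_name}")
            digest = sha256_hex(data)
            if digest in known_hashes:
                findings.append(f"known malicious hash: {member_name} {digest}")
    return findings


def build_sample() -> bytes:
    """Constructed lookalike of the campaign email (headers and filenames from the post)."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("DHL-Express-Delivery-Notification.exe", SAMPLE_EXE)

    msg = EmailMessage()
    msg["From"] = "DHL International <notice@dhl.it>"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Re: DHL Express Tracking Notification, IDQR-469851501622"
    msg.set_content(
        "DHL Express Shipment Notification:\n\n"
        "PLEASE REFER TO ATTACHED FILE FOR DETAILED INFORMATION.\n"
    )
    msg.add_attachment(
        zip_buf.getvalue(),
        maintype="application",
        subtype="zip",
        filename="DHL-Express-Delivery-Notification-Details_05-2012-P7UEM841.zip",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(build_sample()):
        print(finding)
```

Hashing both the outer ZIP and each member matters here: the SHA256 in the post is for the extracted .exe, so a scanner that only hashes the attachment as delivered would never match it. The executable-in-ZIP check is what catches the campaign regardless of hash, since the trailing identifier in the ZIP name and the payload itself can change between waves.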