DHL Online Shipping Prealert Advisory emails contain trojan variant


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “DHL Online Shipping Prealert Advisory AWB 166133854” (number will vary).

The email is sent from the spoofed address “webadm@dhl.com” and has the following body:

DHL WORLDWIDE EXPRESS
INBOUND SHIPMENT ADVISORY

The following 1piece(s) have been sent via DHL Worldwide Express on Mon, 30 Jul 2012 08:24:41 +0100
via AWB# 380816459

If you wish to track this(these) shipment(s) please contact your local
DHL customer service office or visit the DHL Web Site at
http://www.dhl.co.uk

If you have a Web-enabled mail reader, click the link below to view shipment tracking
details:

http://www.dhl.co.uk/content/gb/en/express/tracking.shtml?brand=DHL&AWB=670068346

SHIPMENT CONTENTS:
Documents

SHIPPER REFERENCE: PLEASE REFER TO ATTACHED FILE

ADDITIONAL MESSAGE FROM SHIPPER: PLEASE REFER TO ATTACHED FILE

Thank you for requesting DHL Worldwide Express for your delivery needs

The attached ZIP file is named DHL_DELIVERY_MESSAGE_awb_746651409.zip and contains the 65 kB file DHL-Nitofication-message.exe.

The trojan is known as W32/Kryptik.AB!tr, Mal/EncPk-AFM or a variant of Win32/Kryptik.AJCQ.

At the time of writing, only 3 of the 41 AV engines at VirusTotal detected the trojan.

VirusTotal permalink and SHA256: 4a829e7557d5166fc20c8bf1e750239f1a526d3d615475d35dcdeb9449924311.
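A mail-gateway style check for the indicators listed in this advisory (the subject pattern, the spoofed webadm@dhl.com sender, a ZIP attachment carrying an .exe, and the SHA256), written as an added example and not MX Lab's own code. The message it inspects is constructed here with harmless placeholder bytes in place of the trojan, and the hash is assumed to belong to the dropped executable.

```python
import email, hashlib, io, re, zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators quoted from the MX Lab advisory above.
SUBJECT_RE = re.compile(r"^DHL Online Shipping Prealert Advisory AWB \d+$")
SPOOFED_SENDER = "webadm@dhl.com"
# Assumed to be the SHA256 of the dropped executable (the advisory does not say which file it hashes).
KNOWN_SHA256 = "4a829e7557d5166fc20c8bf1e750239f1a526d3d615475d35dcdeb9449924311"


def inspect_message(raw):
    """Return the campaign indicators matched by one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        hits.append("subject-pattern")
    if parseaddr(str(msg.get("From", "")))[1].lower() == SPOOFED_SENDER:
        hits.append("spoofed-sender")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    if name.lower().endswith(".exe"):
                        hits.append("zip-contains-exe")
                    if hashlib.sha256(zf.read(name)).hexdigest() == KNOWN_SHA256:
                        hits.append("known-sample-hash")
        except zipfile.BadZipFile:
            hits.append("zip-unreadable")  # damaged or disguised archive: still worth a look
    return hits


def build_sample():
    """Constructed lookalike of the lure with harmless placeholder bytes, not the malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DHL-Nitofication-message.exe", b"MZ placeholder, not a real binary")
    m = EmailMessage()
    m["From"] = "DHL <webadm@dhl.com>"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = "DHL Online Shipping Prealert Advisory AWB 166133854"
    m.set_content("DHL WORLDWIDE EXPRESS\nINBOUND SHIPMENT ADVISORY\n")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="DHL_DELIVERY_MESSAGE_awb_746651409.zip")
    return m.as_bytes()
```

Running `inspect_message(build_sample())` flags the subject, the sender and the embedded .exe; the hash indicator only fires on the real sample, so the placeholder archive does not trigger it.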