MX Lab, http://www.mxlab.eu, has started to intercept a new trojan distribution campaign spread by email with the subject “DHL Online Shipping Prealert Advisory AWB 166133854” (the number varies).
The email is sent from the spoofed address “firstname.lastname@example.org” and has the following body:
DHL WORLDWIDE EXPRESS
INBOUND SHIPMENT ADVISORY
The following 1piece(s) have been sent via DHL Worldwide Express on Mon, 30 Jul 2012 08:24:41 +0100
via AWB# 380816459
If you wish to track this(these) shipment(s) please contact your local
DHL customer service office or visit the DHL Web Site at
If you have a Web-enabled mail reader, click the link below to view shipment tracking
SHIPPER REFERENCE: PLEASE REFER TO ATTACHED FILE
ADDITIONAL MESSAGE FROM SHIPPER: PLEASE REFER TO ATTACHED FILE
Thank you for requesting DHL Worldwide Express for your delivery needs
The attached ZIP file has the name DHL_DELIVERY_MESSAGE_awb_746651409.zip and contains the 65 kB file DHL-Nitofication-message.exe.
The trojan is known as W32/Kryptik.AB!tr, Mal/EncPk-AFM or a variant of Win32/Kryptik.AJCQ.
At the time of writing, only 3 of the 41 AV engines at VirusTotal detected the trojan.
VirusTotal permalink and SHA256: 4a829e7557d5166fc20c8bf1e750239f1a526d3d615475d35dcdeb9449924311.
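As an added mail-triage example (not MX Lab's code), the script below checks a raw message for the indicators given in this advisory: the subject lure (the AWB number varies), an executable packed inside a ZIP attachment, and an attachment or archive member whose SHA256 equals the hash above. It assumes only the Python 3 standard library; the sample message, its placeholder payload and the executable-extension list are constructed for the example.

```python
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory: the subject (AWB number varies) and the SHA256.
SUBJECT_RE = re.compile(r"^DHL Online Shipping Prealert Advisory AWB \d+$")
KNOWN_SHA256 = {"4a829e7557d5166fc20c8bf1e750239f1a526d3d615475d35dcdeb9449924311"}
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")  # constructed list, extend as needed


def inspect_message(raw: bytes) -> dict:
    """Triage one raw RFC 822 message against the indicators from the advisory."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"subject_match": bool(SUBJECT_RE.match(msg.get("Subject", ""))),
                "exe_in_zip": [], "known_hash": []}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if not data:
            continue
        if hashlib.sha256(data).hexdigest() in KNOWN_SHA256:
            findings["known_hash"].append(part.get_filename())
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.lower().endswith(EXEC_EXTS):
                    findings["exe_in_zip"].append(name)
                    if hashlib.sha256(zf.read(name)).hexdigest() in KNOWN_SHA256:
                        findings["known_hash"].append(name)
    # Lure subject plus an executable inside a ZIP is the pattern this campaign uses.
    findings["suspicious"] = findings["subject_match"] and bool(findings["exe_in_zip"])
    return findings


def build_sample_message() -> bytes:
    """Constructed lookalike of the lure; harmless bytes stand in for the trojan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DHL-Nitofication-message.exe", b"placeholder, not the real binary")
    msg = EmailMessage()
    msg["From"] = "firstname.lastname@example.org"
    msg["Subject"] = "DHL Online Shipping Prealert Advisory AWB 166133854"
    msg.set_content("DHL WORLDWIDE EXPRESS\nINBOUND SHIPMENT ADVISORY\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="DHL_DELIVERY_MESSAGE_awb_746651409.zip")
    return msg.as_bytes()
```

Run `inspect_message(build_sample_message())` to see the constructed lure flagged as suspicious; the known-hash list stays empty because the placeholder bytes are not the real sample.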