MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign, similar to the previous “DHL Online Shipping Prealert Advisory” campaign we started intercepting yesterday, by email with the subject “DHL Online Advisory AWB 830533211”.
The email is sent from the spoofed address “firstname.lastname@example.org” and has the following body:
DHL WORLDWIDE EXPRESS
INBOUND SHIPMENT ADVISORY
The following 1piece(s) have been sent via DHL Worldwide Express on Tue, 31 Jul 2012 14:48:05 +0200
via AWB# 405814829
If you wish to track this(these) shipment(s) please contact your local
DHL customer service office or visit the DHL Web Site at
If you have a Web-enabled mail reader, click the link below to view shipment tracking
SHIPPER REFERENCE: PLEASE REFER TO ATTACHED FILE
ADDITIONAL MESSAGE FROM SHIPPER: PLEASE REFER TO ATTACHED FILE
Thank you for requesting DHL Worldwide Express for your delivery needs
The attached ZIP file has the name DHL-Online-Notification_awb134201201.zip and contains the 56 kB file DHL-Online-Notification.exe.
The trojan is known as W32/Trojan3.DXB, W32/Kryptik.AB!tr, PWS-Zbot.gen.yl or Mal/Katusha-F.
At the time of writing, only 6 of the 41 AV engines at VirusTotal detected the trojan.
Virus Total permalink and SHA256: 198553f2ebd76b921309a85f77266c40d9c5445bc1058ea12ef624195b193a9d.
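As an added example (not MX Lab's code), the following Python triage routine shows how a mail gateway or analyst script could flag this lure on the indicators given above: the subject pattern, a ZIP attachment carrying an executable, and the SHA256 listed on VirusTotal. The sample message it builds is constructed in memory, and the inner .exe is dummy bytes, not the real trojan.

```python
import email
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage

# SHA256 reported for DHL-Online-Notification.exe in the post above.
KNOWN_SHA256 = {"198553f2ebd76b921309a85f77266c40d9c5445bc1058ea12ef624195b193a9d"}
# Matches both lure subjects seen so far ("AWB" followed by digits); assumption: pattern is ours.
SUBJECT_RE = re.compile(r"DHL Online (Shipping Prealert )?Advisory AWB \d+", re.I)
EXEC_EXT = (".exe", ".scr", ".com", ".pif")

def triage_message(raw_bytes):
    """Return a list of findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes)
    findings = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        findings.append("subject matches DHL advisory lure")
    for part in msg.walk():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True)
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.filename.lower().endswith(EXEC_EXT):
                        findings.append(f"executable inside {name}: {info.filename}")
                    digest = hashlib.sha256(zf.read(info)).hexdigest()
                    if digest in KNOWN_SHA256:
                        findings.append(f"known IoC hash: {digest}")
        except zipfile.BadZipFile:
            findings.append(f"attachment {name} is not a valid ZIP")
    return findings

def build_sample():
    """Constructed lookalike of the lure; the inner .exe is harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DHL-Online-Notification.exe", b"MZ constructed placeholder, not malware")
    msg = EmailMessage()
    msg["From"] = "firstname.lastname@example.org"
    msg["Subject"] = "DHL Online Advisory AWB 830533211"
    msg.set_content("DHL WORLDWIDE EXPRESS\nINBOUND SHIPMENT ADVISORY\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="DHL-Online-Notification_awb134201201.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print(finding)
```

Because the placeholder bytes do not hash to the listed SHA256, the hash rule stays silent on the constructed sample; it fires only on the actual attachment, which the subject and ZIP-content rules already catch.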