MX Lab, http://www.mxlab.eu, has started intercepting a new trojan distribution campaign by email. The message carries the subject “Notification of payment received” and informs the reader of a payment received on PayPal.
The email is sent from the spoofed address “firstname.lastname@example.org” and has the following body:
You’ve Got Cash!
This email confirms that you have received a payment
Receipt ID: 6582-5633-4547-8480
The number above is the buyer’s receipt ID for this transaction. Please retain it for your records so that you will be able to reference this transaction for customer service.
Total amount: $538.00 USD
Currency: U.S. Dollars
Transaction ID: YWF75893702065128
Buyer: See attached file for full details
Have you lifted your withdrawal and receiving limits? Just log in to your PayPal account and click View Limits on the Account Overview page.
PayPal Email ID YC220
The attached ZIP file is named Notification_payment_9850-9767-5140-2469.zip and contains the 72 kB file Notification_payment_08_15_2012.exe.
At the time of writing, none of the 41 AV engines on VirusTotal detected the trojan, so it cannot yet be given a family name.
VirusTotal permalink and SHA256: 1f5f4cb69a892d0bc2e8d6bf17de2087517a7a336523b44536c9b7385c07d67a.
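Since AV signatures lag behind a fresh campaign like this, the practical check at the mail gateway is structural: look inside every ZIP attachment, flag members that are executables by name or by content, and compare their SHA256 against the published indicator. The script below is an added example written for this write-up, not MX Lab's own tooling. It builds a constructed test message that mimics the campaign's layout (the attachment name and member name are the ones reported above; the member content is a harmless 72-byte stand-in that only carries the MZ magic, so its hash will not match the real sample), then parses it with the standard library and reports each ZIP member.

```python
import email
import email.policy
import hashlib
import io
import zipfile
from email.message import EmailMessage

# Indicator taken from the write-up: SHA256 of Notification_payment_08_15_2012.exe.
KNOWN_SHA256 = {
    "1f5f4cb69a892d0bc2e8d6bf17de2087517a7a336523b44536c9b7385c07d67a",
}

# Suffixes that should never arrive inside a mailed ZIP in a typical environment.
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

# Read cap per member: a decompression bomb must not exhaust the gateway's memory.
MAX_MEMBER_BYTES = 16 * 1024 * 1024


def inspect_zip(data: bytes):
    """Return one finding per ZIP member: name, size, SHA256, and whether the member
    looks executable by suffix or by content (PE files start with 'MZ')."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                content = fh.read(MAX_MEMBER_BYTES + 1)
            findings.append({
                "name": info.filename,
                "size": len(content),
                "sha256": hashlib.sha256(content).hexdigest(),
                "exec_suffix": info.filename.lower().endswith(EXEC_SUFFIXES),
                "pe_magic": content[:2] == b"MZ",
            })
    return findings


def triage_message(raw: bytes):
    """Parse a raw RFC 5322 message and return the findings for every member of every
    ZIP attachment, tagged with 'known_ioc' when the SHA256 matches the indicator."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    results = []
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Decide on the bytes, not only the declared name: ZIP archives start with 'PK'.
        if not (filename.endswith(".zip") or payload[:2] == b"PK"):
            continue
        for f in inspect_zip(payload):
            f["attachment"] = part.get_filename()
            f["known_ioc"] = f["sha256"] in KNOWN_SHA256
            f["suspicious"] = f["known_ioc"] or f["exec_suffix"] or f["pe_magic"]
            results.append(f)
    return results


def build_sample_message() -> bytes:
    """Constructed test input (not a real capture). The 'executable' is a 72-byte
    stand-in carrying only the MZ magic, so it is harmless and its hash is not the IOC."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Notification_payment_08_15_2012.exe",
                    b"MZ" + b"\x00" * 62 + b"stand-in")
    msg = EmailMessage()
    msg["From"] = "service@example.org"      # placeholder sender, as in the write-up
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Notification of payment received"
    msg.set_content("You've Got Cash!\nBuyer: See attached file for full details\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Notification_payment_9850-9767-5140-2469.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in triage_message(build_sample_message()):
        flag = "KNOWN IOC" if f["known_ioc"] else ("suspicious" if f["suspicious"] else "ok")
        print(f"{f['attachment']} -> {f['name']} ({f['size']} B) "
              f"sha256={f['sha256']} [{flag}]")
```

To run it against a real capture, replace build_sample_message() with the bytes of the saved .eml. The exact-hash match is the weakest part of the check (a repacked sample changes it), which is why the script also flags any member with an executable suffix or a PE header regardless of hash; a gateway policy that quarantines such messages would have stopped this campaign before any engine had a signature.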