MX Lab, http://www.mxlab.eu, is intercepting messages regarding a debt to the Bill Me Later service, a company that was acquired by eBay in 2008 and is now part of PayPal, that contain a security threat. These messages are sent with various subjects like:
Immediately pay off the debt! #id81490
We will file a charge against you. #id80119
You must immediately pay off the debt! #id40754
The email is sent from the spoofed address “Ebay <firstname.lastname@example.org>” and has the following body (a single-image email):
The included URL leads to a host where a malicious payload is present. The file INVOICE_FORM.zip is downloaded; it contains the compressed file INVOICE_FORM.exe.
The trojan is known as Suspect.Trojan.Generic.FD-4, Trojan.Win32.Tobfy!IK, Trojan.Win32.Tobfy or HEUR:Trojan.Win32.Generic.
At the time of writing, 6 of the 42 AV engines at VirusTotal detected the trojan.
VirusTotal permalink and SHA256: bd5e2868987d59cd24ed748cbcc489396eb782ddbf6e207395b0d80c5521b017.
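A small mail-side check for the indicators described above, added here as an example and not MX Lab's own tooling: it flags the spoofed "Ebay" display name, the debt-themed subject with its "#id" suffix, a link to INVOICE_FORM.zip, and compares a downloaded file against the reported SHA256. The sample message, the malicious hostname and the sender-domain heuristic are constructed assumptions.

```python
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators taken from the write-up above.
SUBJECT_RE = re.compile(r"(pay off the debt|file a charge against you).*#id\d+", re.I)
PAYLOAD_URL_RE = re.compile(r"https?://\S+/INVOICE_FORM\.zip", re.I)
PAYLOAD_SHA256 = "bd5e2868987d59cd24ed748cbcc489396eb782ddbf6e207395b0d80c5521b017"


def classify_message(raw: str) -> list:
    """Return the names of the campaign indicators matching one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    display, addr = parseaddr(msg.get("From", ""))
    # Assumed heuristic: display name claims eBay but the mailbox domain does not mention it.
    if "ebay" in display.lower() and "ebay" not in addr.split("@")[-1].lower():
        hits.append("spoofed-ebay-sender")
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("debt-threat-subject")
    # Collect text/html parts; a single-part message yields itself from walk().
    text = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            text += (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    if PAYLOAD_URL_RE.search(text):
        hits.append("invoice-form-zip-link")
    return hits


def is_known_payload(data: bytes) -> bool:
    """True when the file's SHA256 equals the hash reported for the INVOICE_FORM sample."""
    return hashlib.sha256(data).hexdigest() == PAYLOAD_SHA256


# Constructed sample modelled on the campaign; the hostname is a placeholder.
SAMPLE = """From: Ebay <firstname.lastname@example.org>
Subject: Immediately pay off the debt! #id81490
Content-Type: text/html

<a href="http://malicious.example/INVOICE_FORM.zip"><img src="cid:invoice"></a>
"""

if __name__ == "__main__":
    print(classify_message(SAMPLE))
```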