Email notification of Vodafone with attached MMS message ZIP file contains trojan

MX Lab,, started to intercept a new trojan distribution campaign by email with the subject “A new picture or video message [Vodafone MMS]”

The email is send from the spoofed address “”” on SMTP server level and appears in the mail client as “”. This campaign targets, according to our global logs and at this moment, only clients with a .nl TLD in the email address. So this trojan is sent to internet users in The Netherlands only.

The email has the following body:

The email text (mainly in Dutch – with a spelling error):

You have received a picture message from mobile phone number +31654328751

Via deze pagina bekijk je de door jou ontvangen MMS berichten online.
MMS berichten kunnen bestaan uit foto’s, video of geluid. Indien je toestel dit niet ondersteunt, kun je het MMS bericht online bekijken.

The file name of the ZIP and the compressed archive/executable contains randomly chosen characters. In one sample the file name was and the extracted file DH47SKK3.jpg.exe.

The trojan is known as TR/Spy.ZBot.EB.174, W32/Injector.ZNR!tr, Trojan-Downloader.Win32.Andromeda.pof, Trj/Sinowal.WWG, Win32.TrojDownloader.Andromeda.p.(kcloud).

At the time of writing, 8 of the 46 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: 859f7f96353db109651fdb35cbab2d0115969eae2f13f8605fadd29db9247e41.

18 thoughts on “Email notification of Vodafone with attached MMS message ZIP file contains trojan

  1. FYI, I am in Hungary with .hu email address and also received this, so distribution seems to have expanded beyond .nl TLD…

  2. Thanks for the updates. The virus outbreak towards .nl domains lasted for two days according to our global logs. We do not have any .se or .hu domains in our portfolio of clients but it is possible that the campaign is targeting systems in other countries and will continue to do so.

  3. I just got 3 of this type of email today to a .nl email address. The attachments show a symbol(8).zip file. The message in the email body contained the same information in dutch as above.

  4. There seems to be an uproar in these mails again. Just received a bunch of them and our Spamfilter (GFI) fails to mark them as spam (which seems silly to me, i wonder how they manage to authenticate SPF for example and have managed to avoid spamlists for so long) and Virusscanner (Norman) fails to detect them as a virus. Manually setting up rules to block these mails would be recommended especially if you have a lot of clients outside your direct control.
    Rather eye opening to what kind of apocalyptic useless tools a virusscanner can be when it comes to new hazards.

  5. Same here in .NL a whole bunch in one go.AVG did not pick them up. There is a zipfile with an executable in there. On my other computer it was intercepted by zonealarm when I extraced the exe to my HDD.

  6. I received one today in NL with 0621962622@vodafone Outlook didnt catch but Kaspersky did and put it in quarantine ( I guess) I wonder if it slows my LT down seems like it though.
    After a full scan Kasperksy reported no infections.

  7. Got one this morning in Italy from this address:

    Unfortunately I ran the file.

    A few seconds after the click the file icon on the desktop (where i copied the unzipped file) disappeared.

    I’m currently running the AV with Microsof Security Essential,

    Any suggestion? What should I do after that?


Comments are closed.