Email notification of Vodafone with attached MMS message ZIP file contains trojan

MX Lab,, started to intercept a new trojan distribution campaign by email with the subject “A new picture or video message [Vodafone MMS]”

The email is send from the spoofed address “”” on SMTP server level and appears in the mail client as “”. This campaign targets, according to our global logs and at this moment, only clients with a .nl TLD in the email address. So this trojan is sent to internet users in The Netherlands only.

The email has the following body:

The email text (mainly in Dutch – with a spelling error):

You have received a picture message from mobile phone number +31654328751

Via deze pagina bekijk je de door jou ontvangen MMS berichten online.
MMS berichten kunnen bestaan uit foto’s, video of geluid. Indien je toestel dit niet ondersteunt, kun je het MMS bericht online bekijken.

The file name of the ZIP and the compressed archive/executable contains randomly chosen characters. In one sample the file name was and the extracted file DH47SKK3.jpg.exe.

The trojan is known as TR/Spy.ZBot.EB.174, W32/Injector.ZNR!tr, Trojan-Downloader.Win32.Andromeda.pof, Trj/Sinowal.WWG, Win32.TrojDownloader.Andromeda.p.(kcloud).

At the time of writing, 8 of the 46 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: 859f7f96353db109651fdb35cbab2d0115969eae2f13f8605fadd29db9247e41.

18 Responses to Email notification of Vodafone with attached MMS message ZIP file contains trojan

  1. Tom says:

    FYI, I am in Hungary with .hu email address and also received this, so distribution seems to have expanded beyond .nl TLD…

  2. sfeher says:

    I can confirm this as well. Now I’m getting two pieces every five second.

  3. mxlab says:

    Thanks for the updates. The virus outbreak towards .nl domains lasted for two days according to our global logs. We do not have any .se or .hu domains in our portfolio of clients but it is possible that the campaign is targeting systems in other countries and will continue to do so.

  4. From Romania, i got this email too, to my freemail address.

  5. david says:

    I just got 3 of this type of email today to a .nl email address. The attachments show a symbol(8).zip file. The message in the email body contained the same information in dutch as above.

  6. Kevin de Bie says:

    There seems to be an uproar in these mails again. Just received a bunch of them and our Spamfilter (GFI) fails to mark them as spam (which seems silly to me, i wonder how they manage to authenticate SPF for example and have managed to avoid spamlists for so long) and Virusscanner (Norman) fails to detect them as a virus. Manually setting up rules to block these mails would be recommended especially if you have a lot of clients outside your direct control.
    Rather eye opening to what kind of apocalyptic useless tools a virusscanner can be when it comes to new hazards.

  7. jeroen Krah says:

    Same here in .NL a whole bunch in one go.AVG did not pick them up. There is a zipfile with an executable in there. On my other computer it was intercepted by zonealarm when I extraced the exe to my HDD.

  8. sonia says:

    in Spain to

  9. hf says:

    Tooday In Czech too…
    And New botnet will be created so easy:D

  10. Dani says:

    Since I can eliminate it??

  11. Dani says:

    I just got one with as sender:

    my Avast antivirus detected directly. I am from the netherlands

    mms id9504163837 but due to my antivirus it got ***VIRUS*** infront.

  12. Kees says:

    Indeed today rec’d same msg as Dani above.
    By Avast straight away in the refused mail box with ***VIRUS*** added infront.

  13. Fred says:

    I received one today in NL with 0621962622@vodafone Outlook didnt catch but Kaspersky did and put it in quarantine ( I guess) I wonder if it slows my LT down seems like it though.
    After a full scan Kasperksy reported no infections.

  14. Annoyed says:

    Have received 10+ in last week to our work account in UK!

  15. Tommaso says:

    Got one this morning in Italy from this address:

    Unfortunately I ran the file.

    A few seconds after the click the file icon on the desktop (where i copied the unzipped file) disappeared.

    I’m currently running the AV with Microsof Security Essential,

    Any suggestion? What should I do after that?


%d bloggers like this: