MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “ADP TotalSource Automated Payroll Invoice Notification”.
The email is sent from the spoofed address “firstname.lastname@example.org” and has the following body:
A copy of your ADP TotalSource Payroll Invoice for the following payroll is is attached in PDF file and available for viewing.
Week No: 08
Payroll No: 1
Please open attached file to view and check following payrol
This email was generated by an automated notification system. If you have any questions regarding the invoice or you have misplaced your
MyTotalSource login information, please contact your Payroll Service Representative. Please do not reply to the email directly.
© 2007 Automatic Data Processing, Inc.
The attached ZIP file is named ADP-TotalSource-Payroll-Invoice-B34519A60357 and contains the 115 kB file ADP TotalSource Payroll Invoice ID-EF2342AC2357-AA-433**NUMBERS***56.pdf.exe.
The trojan is known as Trojan.Generic.KD.884788, TR/Rogue.KD.884788.1, RDN/PWS-Zbot.ate!a, Heuristic.BehavesLike.Win32.ModifiedUPX.C, TROJ_GEN.F47V0304, Mal/Generic-S.
At the time of writing, 12 of the 46 AV engines detected the trojan at Virus Total.
Virus Total permalink and SHA256: bf17346569f839f6b0a69408416e7dd9c07e76a6940e4b47eae9cdfae3922ba3.
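A mail-gateway style check for the attachment pattern described above (a ZIP whose member ends in .pdf.exe), added here as an example and not part of the original MX Lab post. The extension lists and function names are assumptions, and the sample archive is constructed in memory with placeholder content.

```python
import io
import zipfile

# Assumed extension lists for this example; tune them to local policy.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

# Member name as reported in the post; all other names below are constructed.
REPORTED_NAME = ("ADP TotalSource Payroll Invoice "
                 "ID-EF2342AC2357-AA-433**NUMBERS***56.pdf.exe")


def classify(filename):
    """Return 'double-extension', 'executable' or None for one member name."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing spaces and dots, so drop them before splitting;
    # stripping each part also catches "invoice.pdf     .exe" padding.
    parts = [p.strip().lower() for p in base.rstrip(" .").split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"


def scan_zip(zip_bytes):
    """List (member name, verdict) for every flagged file in a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            verdict = None if info.is_dir() else classify(info.filename)
            if verdict:
                findings.append((info.filename, verdict))
    return findings


def build_sample_zip():
    """Constructed in-memory archive with harmless placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in (REPORTED_NAME, "docs/report.pdf", "tools/setup.exe"):
            archive.writestr(name, b"placeholder, not a real payload")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in scan_zip(build_sample_zip()):
        print(f"{verdict:17} {name}")
```

A gateway would typically quarantine on "double-extension" and apply its normal executable-attachment policy to "executable".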