Emails “ADP TotalSource Automated Payroll Invoice Notification” contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “ADP TotalSource Automated Payroll Invoice Notification”.

The email is sent from the spoofed address “totalsourceautomation@adp.com” and has the following body:

A copy of your ADP TotalSource Payroll Invoice for the following payroll is is attached in PDF file and available for viewing.

Year: 13
Week No: 08
Payroll No: 1

Please open attached file to view and check following payrol

This email was generated by an automated notification system. If you have any questions regarding the invoice or you have misplaced your
MyTotalSource login information, please contact your Payroll Service Representative. Please do not reply to the email directly.
© 2007 Automatic Data Processing, Inc.

The attached ZIP file has the name ADP-TotalSource-Payroll-Invoice-B34519A60357 and contains the 115 kB file ADP TotalSource Payroll Invoice ID-EF2342AC2357-AA-433**NUMBERS***56.pdf.exe. Note the double extension: the file is a Windows executable whose name is built to look like a PDF document.

The trojan is known as Trojan.Generic.KD.884788, TR/Rogue.KD.884788.1, RDN/PWS-Zbot.ate!a, Heuristic.BehavesLike.Win32.ModifiedUPX.C, TROJ_GEN.F47V0304, Mal/Generic-S.

At the time of writing, 12 of the 46 AV engines at Virus Total detected the trojan.

Virus Total permalink and SHA256: bf17346569f839f6b0a69408416e7dd9c07e76a6940e4b47eae9cdfae3922ba3.
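The following is an added example, not code from MX Lab or from the original post. It shows how a mail gateway or an analyst could triage a message from this campaign: parse the message, open the ZIP attachment, flag entries whose name ends in a document extension followed by an executable one (the .pdf.exe pattern above), check for the “MZ” header that a Windows executable carries instead of a “%PDF” header, and compare the payload's SHA256 with the indicator published above. The message, the ZIP and the payload are all constructed in memory so the script runs offline; the payload is a harmless two-byte stub plus padding, not the actual sample, so its hash will not match the indicator. The entry name uses the placeholder ID-PLACEHOLDER in place of the numbers elided in the post.

```python
"""Triage helper for the ADP TotalSource lure (added example, constructed input).

Flags ZIP attachments that hide an executable behind a .pdf.exe style name,
checks the PE magic bytes, and compares the payload hash with the SHA256
indicator published in the post.
"""
import email
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage

# SHA256 indicator from the post (the real sample). The constructed stub below
# is deliberately different, so "known_bad" is expected to be False here.
KNOWN_BAD_SHA256 = "bf17346569f839f6b0a69408416e7dd9c07e76a6940e4b47eae9cdfae3922ba3"

LURE_SUBJECT = "ADP TotalSource Automated Payroll Invoice Notification"

# Extensions that mean "this is a program", whatever precedes them.
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd|js|vbs)$", re.IGNORECASE)
# A document extension sitting directly before the real executable extension.
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|txt)\.(exe|scr|pif|com)$", re.IGNORECASE)


def inspect_zip(zip_bytes: bytes) -> list:
    """Return one finding per ZIP entry: name, size, sha256 and risk flags."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            digest = hashlib.sha256(data).hexdigest()
            findings.append({
                "name": info.filename,
                "size": len(data),
                "sha256": digest,
                "executable_ext": bool(EXEC_EXT.search(info.filename)),
                "double_ext": bool(DOUBLE_EXT.search(info.filename)),
                # A PE file starts with "MZ"; a genuine PDF starts with "%PDF".
                "pe_magic": data[:2] == b"MZ",
                "known_bad": digest == KNOWN_BAD_SHA256,
            })
    return findings


def triage_message(raw: bytes) -> dict:
    """Parse an RFC 822 message and flag the characteristics described in the post."""
    msg = email.message_from_bytes(raw)
    verdict = {
        "subject": msg["Subject"],
        "from": msg["From"],
        "lure_subject": LURE_SUBJECT in (msg["Subject"] or ""),
        "attachments": [],
        "block": False,
    }
    for part in msg.walk():
        fname = part.get_filename()
        if not fname or not fname.lower().endswith(".zip"):
            continue
        for finding in inspect_zip(part.get_payload(decode=True)):
            verdict["attachments"].append(finding)
            if finding["double_ext"] or finding["pe_magic"] or finding["known_bad"]:
                verdict["block"] = True
    return verdict


def build_sample_message() -> bytes:
    """Constructed stand-in for the campaign email.

    The payload is a non-functional stub ("MZ" plus zero padding), not malware.
    """
    fake_exe = b"MZ" + b"\x00" * 64  # constructed stub, 66 bytes
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Entry name modelled on the post; ID-PLACEHOLDER stands in for the elided numbers.
        zf.writestr("ADP TotalSource Payroll Invoice ID-PLACEHOLDER.pdf.exe", fake_exe)
    msg = EmailMessage()
    msg["From"] = "totalsourceautomation@adp.com"  # spoofed sender quoted in the post
    msg["To"] = "recipient@example.com"  # constructed
    msg["Subject"] = LURE_SUBJECT
    msg.set_content("Please open attached file to view and check following payrol")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="ADP-TotalSource-Payroll-Invoice-B34519A60357.zip")
    return bytes(msg)


if __name__ == "__main__":
    verdict = triage_message(build_sample_message())
    print("block:", verdict["block"], "| lure subject:", verdict["lure_subject"])
    for finding in verdict["attachments"]:
        print(finding["name"], "double_ext=%(double_ext)s pe_magic=%(pe_magic)s "
              "known_bad=%(known_bad)s sha256=%(sha256)s" % finding)
```

In production the hash comparison would be a lookup against a feed of indicators rather than one constant, and the name and magic-byte checks are the part that keeps working once a new variant with a different hash appears, which is exactly the situation the comments below describe.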

22 thoughts on “Emails “ADP TotalSource Automated Payroll Invoice Notification” contains trojan”

  1. Opened that attachment & norton360 missed it. Who knows what's next. Even scanned the folder with norton. Reported to adp. Can't find the folder now. Doing full scan.

  2. I passed the whole thing on to abuse@adp and got an instant acknowledgement showing they were already aware of it.

  3. We received the email today and I ran it through Virustotal and only 8 out of 46 detected it for me. Wonder if it’s been modified since this post.

    • It is always possible that a new trojan variant emerges and that the anti virus engines need a new update. This will of course result in a lower detection rate at Virustotal.

      • I tried to scan again today and 24 were identifying it now, including our office AV, Symantec. We did a scan and it quarantined and deleted the file. Hopefully that’s all that was needed, but who knows!

  4. I have received this type of email twice. I haven’t opened either, but I cannot delete the latest one. When I try to do so, I get a message saying that the message can not be moved to Trash because “101630.emix” couldn’t be copied because you don’t have permission to access “Messages”. Anyone have any suggestions how I can delete the email?

  5. RE: SJ Williams: if you’re using outlook or outlook express as your mail client (instead of your browser, like yahoo or gmail uses) then simply hold down your shift key and hit delete while having the message highlighted. This will “permanently” delete the message without trying to send a copy to your deleted items folder (causing the problem for you).

  6. Very useful info, thank you! This was the first website I looked at when searching for info on the email I suspected as being SPAM.
    Also forwarded the email onto abuse@adp.com.

  7. I received this virus email from kuibysheva85@rotoform.com. There was no attachment, and my Outlook thankfully didn’t auto download any of the images on the email. Hoping that just opening it didn’t set anything off. The subject line was “Payroll Invoice” and the inside of the email was pretty much the same as above.

  8. This one arrived in my inbox today and I almost opened it! I am concerned that the normally efficient filters didn’t pick it up… but have forwarded to abuse@adp.com and deleted from my system (I hope)!

    Thank you for keeping us all alerted.

  9. This post saved my bacon today… 3/6/13. Thanks! I run WebRoot and could not get it to scan this file nor detect a virus present… I did NOT open. Thanks again!

  10. Thanks for this information. I have received this email and because I have recently done some work for a new organisation, I was unsure as to whether or not it was genuine. However, I did not open the attachment and waited until I had some time to ‘google’ it. Today I found your information. Thanks again! Mary.

  11. Thanks for the information, we received one today from Sterling_Santana@adp.com. We do not use ADP payroll services, this email was blocked and deleted. The following was in the email body:

    Your payroll document(s) were shipped by ADP on 03/13/2013 via FedEx. Please use the FedEx shipment tracking number(s) below to monitor the location of your payroll package(s). You can access this information by simply clicking on your FedEx tracking number(s). For more details, please download the attached file. If you have any questions regarding this email you may contact me by using the information below. Sincerely, Sterling_Santana 888/220-7620 Sterling_Santana@adp.com

  12. The email looks a little different now, I just got this today to my email account:

    Your latest ADP Dealer Services Invoice is now available to view or pay online at ADP Online Invoice Management .

    To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice Management account.

    Total amount due by May 31, 2013

    $22996.29

    If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.

    Questions about your bill?

    Contact David Nieto by Secure Mail.

    Note: This is an automated email. Please do not reply.
