Email “BP Fuel Card E-bill” contains trojan

MX Lab started to intercept a new trojan distribution campaign by email with the subject “BP Fuel Card E-bill 5307630 for Account B842155” (note that the e-bill and account numbers will change).

The email is sent from the spoofed address “Fuel Card Services <>” and has the following body:

Please note that this message was sent from an unmonitored mailbox which is unable to accept replies. If you reply to this e-mail your request will not be actioned.

Please find your e-bill attached.

To manage you account online please click

If you would like to order more fuel cards please click

If you have any queries, please do not hesitate to contact us.


Cards Admin.
Fuel Card Services Ltd

T 01282 310701
F 0844 840 9839
Supplied according to our terms and conditions. (see

Please also note that if you cannot open this attachment and are using Outlook Express
to view your mail you should select Tools / Options / Security Tab and deselect the
option marked “Do not allow attachments to be opened that potentially may be a virus”.
All of our outgoing mail is fully virus scanned but we recommend this facility is

The attached ZIP file has the name and contains the 32 kB file FuelCard-ebill7640027.PDF.exe, whose double extension disguises a Windows executable as a PDF document.

The trojan is known as TR/Gamarue.EL.1, Trojan.Generic.KD.886611, Win32/TrojanDownloader.Wauchos.I, Trojan:W32/Agent.DUJL, Trojan-Ransom.Win32.Blocker.auzk, Trojan.Ransom.ED, Troj/Agent-AAHY.

At the time of writing, 19 of the 46 AV engines at Virus Total detected the trojan.

Virus Total permalink and SHA256: 4670284ea406a60b2d53ac4dba2343cb5d6cb7986abe6ea9056ae3a5484a7793
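The attachment described above is a ZIP containing a file with a double extension (.PDF.exe). The following is an added example, not code from MX Lab: a Python check of the kind a mail filter could run to flag such ZIP members. The extension lists, the function names and the attachment name sample-attachment.zip are assumptions, and the sample message is constructed with a harmless placeholder file.

```python
import email
import hashlib
import io
import zipfile
from email.message import EmailMessage

# Assumed lists: extensions Windows runs directly, and document-like decoys put before them.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def is_double_extension(name):
    """True for names such as 'invoice.PDF.exe': decoy extension, then executable one."""
    parts = [p.strip() for p in name.lower().rsplit("/", 1)[-1].split(".")]
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS


def scan_message(raw_bytes):
    """Return one finding per double-extension member inside any ZIP attachment."""
    findings = []
    for part in email.message_from_bytes(raw_bytes).walk():
        payload = part.get_payload(decode=True)  # None for multipart containers
        if not payload or not zipfile.is_zipfile(io.BytesIO(payload)):
            continue  # identify ZIPs by content; the declared MIME type is not trusted
        digest = hashlib.sha256(payload).hexdigest()  # for lookup against published hashes
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():  # member names are readable without extracting
                if is_double_extension(info.filename):
                    findings.append({"attachment": part.get_filename(), "zip_sha256": digest,
                                     "member": info.filename, "size": info.file_size})
    return findings


def build_sample():
    """Constructed message: a ZIP holding a harmless placeholder named like the lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FuelCard-ebill7640027.PDF.exe", b"placeholder, not a real binary")
        zf.writestr("readme.txt", b"benign")
    msg = EmailMessage()
    msg["Subject"] = "BP Fuel Card E-bill 5307630 for Account B842155"
    msg.set_content("Please find your e-bill attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="sample-attachment.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```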

2 thoughts on “Email “BP Fuel Card E-bill” contains trojan”

    • The hyperlinks are safe in the email so I haven’t disabled the http request. The threat is attached as a zip file.
