Email “EFTPS: Company Tax Payment Batch Has Been Rejected.” contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “EFTPS: Company Tax Payment Batch Has Been Rejected.”

The email is send from spoofed email address and has the following body:

Your Federal Tax Payment ID: 6558836841 has been rejected.

Return Reason Code R225 – The identification number used in the Company Identification Field is not valid. Please, check the
information and refer to Code R966 to get details about your company payment in transaction contacts section:

EFTPS_report_1334022012.pdf (Adobe PDF)

In other way forward information to your accountant adviser.

EFTPS: The Electronic Federal Tax Payment

PLEASE NOTE: Your tax payment is due regardless of EFTPS online availability. In case of an emergency, you can always
make your tax payment by calling the EFTPS.

The attached ZIP file has the name EFTPS_Document.zip and contains the 70 kB large file EFTPS_Document.exe.

The trojan is known as W32/FakeAlert.OT.gen!Eldorado, Win32/TrojanDownloader.Wauchos.I, UDS:DangerousObject.Multi.Generic or Heuristic.BehavesLike.Win32.Downloader.A.

At the time of writing, 5 of the 46 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: 739b535c99285146a6530b33858801b0f0808100389dae0eb5c78e840ac4abc1.