Email with subject “message 20131007” contains trojan


MX Lab, http://www.mxlab.eu, has started to intercept a new trojan distribution campaign by email with the subject “message 20131007”. The email is sent from a spoofed address and has the following body:

The attached ZIP file has the name P7315450844.Print.zip and contains the 75 kB file P7469984985.Print.pdf.exe.
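The attachment relies on a document-looking name that ends in an executable extension. The following added example (not MX Lab's code) shows one way a mail filter could flag such members inside ZIP attachments; the extension lists are assumptions, and the sample message is constructed from the file names given above with a placeholder payload.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed extension lists for illustration; tune them for your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

def is_deceptive_name(name):
    """True when an executable extension is directly preceded by a document one."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 3:
        return False
    return "." + parts[-1] in EXECUTABLE_EXTS and "." + parts[-2] in DECOY_EXTS

def scan_message(raw_bytes):
    """Return (attachment, member) pairs for deceptive names inside ZIP attachments."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                if is_deceptive_name(info.filename):
                    hits.append((part.get_filename(), info.filename))
    return hits

def build_sample():
    """Constructed message: names from the advisory, placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("P7469984985.Print.pdf.exe", b"placeholder, not a real binary")
        zf.writestr("readme.txt", b"harmless")
    msg = EmailMessage()
    msg["Subject"] = "message 20131007"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="P7315450844.Print.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for attachment, member in scan_message(build_sample()):
        print(f"ALERT: {attachment} contains {member}")
```

Because no AV engine flagged the sample at the time of writing, a name-based rule like this catches the delivery trick independently of signature coverage.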

This trojan has the capability to download other files from the Internet and, in this case, connects to hxxp://networksecurityx.hopto.org to request the file m_editerror.tmp.

At the time of writing, this subdomain is no longer available, and it is possible that it has been deactivated by No-IP, a free dynamic DNS service provider.

At the time of writing, 0 of the 47 AV engines detected the trojan at Virus Total.

Virus Total permalink and SHA256: 6769e4686aa701956d90a5e850d1f795a2db5c71f6a94c410d40b6596aee09ad.