MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject "Payroll Invoice".
This email is sent from the spoofed address "firstname.lastname@example.org" <email@example.com> and has the following body:
A copy of your ADP TotalSource Payroll Invoice for the following payroll is attached in PDF file and available for viewing.
Week No: 08
Payroll No: 1
Please open attached file to view and check following payroll
This email was generated by an automated notification system. If you have any questions regarding the invoice or you have misplaced your
MyTotalSource login information, please contact your Payroll Service Representative. Please do not reply to the email directly.
© 2013 Automatic Data Processing, Inc.
Screenshot of the email:
The attached ZIP file is named invoice.zip and contains the 199 kB file invoice_92582052304_2932323ska.pdf.exe.
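A mail-gateway check for this attachment pattern (an executable hiding behind a document extension inside a ZIP), added here as an example; it is not MX Lab's tooling, and the sample archive it builds is constructed in memory to mimic the campaign's file naming:

```python
import io
import zipfile
from typing import Optional

# Extensions Windows runs as code, and document extensions commonly used as a decoy
# in front of them (e.g. ".pdf.exe" as seen in the "Payroll Invoice" attachment).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def classify_member(name: str) -> Optional[str]:
    """Return a reason string if an archived filename should be quarantined, else None."""
    lower = name.rsplit("/", 1)[-1].lower()  # drop any directory part, compare case-insensitively
    parts = lower.split(".")
    if len(parts) < 2:
        return None
    last = "." + parts[-1]
    if last not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
        return "document extension masquerade (." + parts[-2] + last + ")"
    return "executable inside archive (" + last + ")"


def scan_zip_attachment(data: bytes) -> list:
    """Scan raw ZIP bytes (as taken from a mail attachment) without extracting
    anything to disk; returns (member_name, reason) for every suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_member(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Construct an in-memory ZIP for testing (constructed data, not the real invoice.zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip({"invoice_92582052304_2932323ska.pdf.exe": b"MZ" + b"\x00" * 64,
                               "readme.pdf": b"%PDF-1.4 ..."})
    for member, reason in scan_zip_attachment(sample):
        print("QUARANTINE " + member + ": " + reason)
```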
The trojan is known as BDS/ZeroAccess.A.117, a variant of Win32/Kryptik.BOHS, Rootkit.0Access.ED, Kryptik.CCAG, Trojan.Zeroaccess.C or TROJ_GEN.F0D1H00K613.
This trojan can connect to remote hosts and download other files.
At the time of writing, 11 of the 47 AV engines at VirusTotal detected the trojan.