Every day we see a new virus/trojan pass by that is sent from the SMTP sender firstname.lastname@example.org. Today is no different. MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Unable to process your most recent Payment” from HSBC UK and “FW: Case domain.tld” from Companies House (domain.tld is replaced by the recipient's domain name).
This email comes with the subject “Unable to process your most recent Payment”, is sent from the spoofed address “HSBC.co.uk” <email@example.com> and has the following body:
You have a new e-Message from HSBC.co.uk
This e-mail has been sent to you to inform you that we were unable to process your most recent payment.
Please check attached file for more detailed information on this transaction.
Pay To Account Number: **********94
Due Date: 06/11/2013
Amount Due: £ 643.76
IMPORTANT: The actual delivery date may vary from the Delivery by date estimate. Please make sure that there are sufficient available funds in your account to cover your payment
beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.
If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.
Copyright HSBC 2013. All rights reserved. No endorsement or approval of any third parties or their advice, opinions, information, products or services is expressed or implied by any information on this Site or by any hyperlinks to or from any third party websites or pages. Your use of this website is subject to the terms and conditions governing it. Please read these terms and conditions before using the website.
The attached ZIP file has the name HSBC_Payment_06112013.zip and contains the 28 kB file Payment_06112013.exe.
This email comes with the subject “FW: Case domain.tld” from Companies House (domain.tld is replaced by the recipient's domain name), is sent from the spoofed address “HSBC.co.uk” <firstname.lastname@example.org> and has the following body:
This message has been generated in response to the company complaint submitted to Companies House WebFiling service.
(CC01) Company Complaint for the above company was accepted on 06/11/2013.
The submission number is 1193671
Please quote this number in any communications with Companies House.
All WebFiled documents are available to view / download for 10 days after their original submission. However it is not possible to view copies of accounts that were downloaded as templates.
Not yet filing your accounts online? See how easy it is…
Note: reference to company may also include Limited Liability Partnership(s).
Thank you for using the Companies House WebFiling service.
Service Desk tel +44 (0)303 6069 927 or email email@example.com
Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.
The attached ZIP file has the name Case_1193671.zip and contains the 28 kB file Case_06112013.exe.
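As an added example that is not part of the original MX Lab post, the Python routine below triages a raw message for the indicators described for these two mails: the two subject lines, a display name that impersonates a domain the sending address does not belong to, and a ZIP attachment carrying an .exe. The sample message it builds is constructed here; its sender address and attachment stub are placeholders, not the real payload.

```python
import email.policy
import email.utils
import io
import re
import zipfile
from email.message import EmailMessage

SUBJECT_PATTERNS = [  # the two lure subjects; the second embeds the recipient's domain
    re.compile(r"^Unable to process your most recent Payment$", re.I),
    re.compile(r"^FW: Case [\w.-]+\.[a-z]{2,}$", re.I),
]

def executables_in_zip(data: bytes) -> list[str]:
    # Inspect the archive listing only; nothing is extracted to disk.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".exe")]
    except zipfile.BadZipFile:
        return []

def display_name_mismatch(from_header: str) -> bool:
    # Display name looks like a domain ("HSBC.co.uk") that the real sender address does not belong to.
    name, addr = email.utils.parseaddr(from_header)
    return "." in name and name.strip().lower() not in addr.rsplit("@", 1)[-1].lower()

def triage(raw: bytes) -> dict:
    # Flag a raw RFC 822 message that shows the campaign's indicators.
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    flags, exes = [], []
    if any(p.search(str(msg.get("Subject", ""))) for p in SUBJECT_PATTERNS):
        flags.append("campaign subject")
    if display_name_mismatch(str(msg.get("From", ""))):
        flags.append("display name does not match sender domain")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(".zip"):
            exes.extend(executables_in_zip(part.get_payload(decode=True)))
    if exes:
        flags.append("zip contains executable: " + ", ".join(exes))
    return {"executables": exes, "flags": flags, "suspicious": bool(flags)}

def build_sample() -> bytes:
    # Constructed message mimicking the HSBC lure; the ZIP holds a harmless stub, not the real payload.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payment_06112013.exe", b"placeholder, not a real executable")
    m = EmailMessage()
    m["From"] = '"HSBC.co.uk" <email@example.com>'
    m["Subject"] = "Unable to process your most recent Payment"
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="HSBC_Payment_06112013.zip")
    return m.as_bytes()
```

Running triage(build_sample()) reports all three indicators; a plain text mail from a sender whose display name is an ordinary name produces no flags.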
The trojan is known as Worm/Win32.Palevo, TR/Crypt.Xpack.3685, W32/Trojan.UOSL-1532, Trojan.Downloader.JQEJ, Downloader-FVM!DCA1C11AA0C5, Artemis!DCA1C11AA0C5, Trj/Downloader.WKY or Troj/Zbot-GVA.
The trojan is capable of downloading files and connecting to other hosts over HTTP. It collects information to fingerprint the system, modifies the local firewall settings and policies, and installs itself to run at start-up of the infected system. Furthermore, this trojan can steal information from browsers.
At the time of writing, 22 of the 47 AV engines at VirusTotal detected the trojan.