MX Lab, http://www.mxlab.eu, has started intercepting a new email campaign distributing a trojan, with the subject “You received a new message from Skype voicemail service.”
This email is sent from the spoofed address “Skype Communications” and has the following body:
This is an automated email, please don’t reply.
Voice Message Notification
You received a new message from Skype voicemail service.
Time of Call: Tue, 26 Nov 2013 10:20:24 -0400
Length of Call: 38sec
Listen to the message
in the attached file.
If You Are Still Having Problems
If you’re still having difficulty retrieving your Skype Name please contact a support agent via
Protect Your Password
Skype staff will NEVER ask you for your password via email. The only places you are asked for your password are when you sign in to Skype or on our website if you want to buy something or check your account. You will always sign in via a secure connection, and we ask you to ensure that the address in your browser begins exactly like this https://secure.skype.com It should also show a little padlock symbol to indicate the secure connection.
Be alert to emails that request account information or urgent action. Be cautious of websites with irregular addresses or those that offer unofficial Skype downloads. Security updates and product upgrades are made available at http://www.skype.com or using the client’s upgrade function.
© 2003-2013 Skype and/or Microsoft. The Skype name, associated trademarks and logos and the “S”
logo are trademarks of Skype or related entities.
Skype Communications S.a.r.l. 23-29 Rives de Clausen, L-2165 Luxembourg.
The attached ZIP file is named Skype_Voice_Message-7776C24212.zip and contains the 151 kB file Skype_Voice_M_497564___random_numbers___872345.wav.exe.
The trojan is known as Trojan.Agent.BAWV, UDS:DangerousObject.Multi.Generic, Trojan.Zbot, Trojan.Agent.BAWV or Mal/Generic-S.
At the time of writing, 7 of the 46 AV engines detected the trojan on VirusTotal.
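A mail-gateway style check for the attachment pattern described above (an executable hiding behind a media extension inside a ZIP), as an added example that is not MX Lab's code. The extension lists, the function names and the sample message are assumptions constructed for illustration, and the check generalizes from .wav.exe to other decoy and executable suffix pairs.

```python
import io
import zipfile
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed lists: a decoy suffix followed by a Windows-executable suffix is flagged.
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY = {".wav", ".mp3", ".pdf", ".doc", ".docx", ".jpg", ".png", ".txt"}


def disguised_members(data):
    """Return ZIP member names whose last two suffixes are decoy + executable."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
                if len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE and suffixes[-2] in DECOY:
                    hits.append(name)
    except zipfile.BadZipFile:
        pass  # attachment is not a readable ZIP archive
    return hits


def scan_message(msg):
    """Map each attachment filename to the disguised executables inside it."""
    findings = {}
    for part in msg.iter_attachments():
        hits = disguised_members(part.get_payload(decode=True) or b"")
        if hits:
            findings[part.get_filename() or "(unnamed)"] = hits
    return findings


def build_sample():
    """Constructed sample: harmless ZIP whose member names mimic the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Skype_Voice_M_000000.wav.exe", b"placeholder, not a program")
        zf.writestr("notes.txt", b"benign member")
    msg = EmailMessage()
    msg.set_content("Listen to the message in the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Skype_Voice_Message-7776C24212.zip")
    return msg


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

The scan inspects attachment content rather than trusting the attachment's own filename, so a ZIP sent under a different extension is still opened and checked.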