MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “ATTN: Early 2013 Tax Return Report!”.
This email is sent from the spoofed address “Internal Revenue Service <firstname.lastname@example.org>” and has the following body:
Here is a report on your early 2013 Federal Tax return report. Kindly download the attachment to view your report and start filling for 2013 return as early as second week of December.
Internal Revenue Service
915 Second Avenue, MS W180
Seattle, WA 98174-0041
The attached ZIP file has the name Early2013TaxReturnReport_0B94710736.zip and contains the 102 kB file Early2013TaxReturnReport_FA9433B43__random_chars__3393954885.pdf.exe.
The trojan is known as a variant of Win32/Injector.AUZX or Trojan.Agent.ED.
At the time of writing, 2 of the 47 AV engines detected the trojan on VirusTotal.
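With detection this low, the attachment's structure is a more dependable signal than AV signatures: a ZIP whose member carries a document extension followed by an executable one (.pdf.exe). The following is an added example, not MX Lab's code, of a mail-gateway check for that pattern; the function names, the extension lists and the sample file names are assumptions made for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists for this example; tune them for your own mail gateway.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def deceptive_members(zip_bytes):
    """Return archive member names that pose as a document but end in an executable extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Use only the file name; Windows ignores trailing dots and spaces.
            name = PurePosixPath(info.filename.replace("\\", "/")).name.rstrip(". ")
            # Padding spaces before the real extension ("a.pdf   .exe") are stripped.
            suffixes = [s.lower().strip() for s in PurePosixPath(name).suffixes]
            if len(suffixes) < 2 or suffixes[-1] not in EXECUTABLE_EXTS:
                continue
            if any(s in DECOY_EXTS for s in suffixes[:-1]):
                hits.append(info.filename)
    return hits


def build_sample_zip(names):
    """Build an in-memory ZIP with harmless placeholder content (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for n in names:
            archive.writestr(n, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip([
        "Early2013TaxReturnReport_sample.pdf.exe",  # constructed name in the campaign's pattern
        "notes.pdf",
        "setup.exe",
    ])
    print(deceptive_members(sample))
```

A plain setup.exe is deliberately not flagged here; blocking all executables in archives is a separate, broader policy decision.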