MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Paintball Booking Confirmation”.
This email is sent from the spoofed address “firstname.lastname@example.org” <email@example.com> and has the following body:
Many thanks for your booking on Saturday 19/04/2014 at our Reading Paintball centre Mapledurham, Reading. Arrival time is 09:15AM prompt.
Please view the attached booking confirmation, map and important game day documents prior to attending.
0844 477 5208
The attached ZIP file is named Booking Confirmation 2826-66935.zip. Once extracted, it creates a folder Booking Confirmation 0414-28921 that contains the 14 kB file Booking Confirmation 0414-28921.exe.
The trojan is known as Win32:Dropper-gen [Drp], W32/Trojan.ZLGD-2681, Trojan:W32/Zbot.BBLB or HEUR/Malware.QVM07.Gen.
At the time of writing, 4 of the 51 AV engines detected the trojan at VirusTotal.
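With detection this low, a mail gateway cannot rely on AV signatures alone. The following is an added example, not MX Lab's code, of a content check for the attachment layout described above: a ZIP whose folder holds a Windows executable. The function names, the extension list and the sample archives are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile

# Assumed policy list: extensions Windows runs directly on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}


def flag_executable_members(zip_bytes):
    """Return (member_name, reason) for each archive member that looks like a Windows executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = posixpath.splitext(info.filename)[1].lower()
            magic = b""
            # Encrypted members cannot be read without a password,
            # so only the extension check applies to them.
            if not info.flag_bits & 0x1:
                with zf.open(info) as member:
                    magic = member.read(2)  # only the header is needed
            if magic == b"MZ":
                # Catches executables renamed to look like documents.
                findings.append((info.filename, "MZ header"))
            elif ext in EXECUTABLE_EXTS:
                findings.append((info.filename, "executable extension"))
    return findings


def build_sample_zip(inner_name, payload):
    """Build a constructed in-memory ZIP with a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


# Constructed samples: the payload is a 2-byte "MZ" marker plus padding, not a real binary.
INNER = "Booking Confirmation 0414-28921/Booking Confirmation 0414-28921.exe"
SAMPLE = build_sample_zip(INNER, b"MZ" + b"\x00" * 62)
RENAMED = build_sample_zip("Booking Confirmation.pdf", b"MZ" + b"\x00" * 62)
BENIGN = build_sample_zip("map.txt", b"Directions to the centre\n")

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("renamed", RENAMED), ("benign", BENIGN)):
        print(label, flag_executable_members(blob))
```

The header check matters because the extension check alone misses an executable that has been given a document extension inside the archive.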