Paintball booking confirmation email will infect your computer with a trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Paintball Booking Confirmation”.

This email is sent from the spoofed address "ipguk52@paintballbookingoffice.com" <ipguk@paintballbookingoffice.com> and has the following body:

Dear client,

Many thanks for your booking on Saturday 19/04/2014 at our Reading Paintball centre Mapledurham, Reading. Arrival time is 09:15AM prompt.

Please view the attached booking confirmation, map and important game day documents prior to attending.

Kind regards,
Leigh Anderson
Event Co-ordinator
0844 477 5208

cid: 42440947

The attached ZIP file is named Booking Confirmation 2826-66935.zip. Once extracted, it creates a folder Booking Confirmation 0414-28921, which contains the 14 kB file Booking Confirmation 0414-28921.exe.

The trojan is known as Win32:Dropper-gen [Drp], W32/Trojan.ZLGD-2681, Trojan:W32/Zbot.BBLB or HEUR/Malware.QVM07.Gen.

At the time of writing, 4 of the 51 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: 4c69e3b6d2f7dbaf78eacfd60f2de685da9d942fdf9c1ff7ae4b88be17075fbe
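
With only 4 of 51 engines flagging the file, a structural check on the attachment is a useful second line at the mail gateway. The sketch below is an added example, not MX Lab's code: it inspects a ZIP attachment for executable members by PE header and by extension, and compares hashes against the SHA256 above. The extension list, function names and sample input are assumptions. The page does not say whether the hash covers the ZIP or the EXE, so both are checked.

```python
import hashlib
import io
import zipfile

# SHA256 published in the advisory; the page does not say whether it covers
# the ZIP or the extracted EXE, so both are compared against it.
KNOWN_SHA256 = {"4c69e3b6d2f7dbaf78eacfd60f2de685da9d942fdf9c1ff7ae4b88be17075fbe"}
EXEC_EXTS = (".exe", ".scr", ".pif", ".com")  # assumed blocklist, extend as needed


def inspect_zip_attachment(data: bytes) -> list[str]:
    """Return findings for a ZIP attachment given as raw bytes."""
    findings = []
    if hashlib.sha256(data).hexdigest() in KNOWN_SHA256:
        findings.append("archive: known-bad SHA256")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + ["archive: not a valid ZIP"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted member, content cannot be read
                findings.append(f"{info.filename}: encrypted member")
                continue
            body = zf.read(info)
            if hashlib.sha256(body).hexdigest() in KNOWN_SHA256:
                findings.append(f"{info.filename}: known-bad SHA256")
            # A PE file starts with "MZ" whatever the file name claims.
            if body[:2] == b"MZ":
                findings.append(f"{info.filename}: PE header (MZ)")
            elif info.filename.lower().endswith(EXEC_EXTS):
                findings.append(f"{info.filename}: executable extension")
    return findings


def build_sample_zip(member: str, body: bytes) -> bytes:
    """Constructed test input: an in-memory ZIP holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Harmless constructed stub using the folder/file naming from the advisory.
    name = "Booking Confirmation 0414-28921/Booking Confirmation 0414-28921.exe"
    print(inspect_zip_attachment(build_sample_zip(name, b"MZ" + b"\x00" * 62)))
```
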