MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subjects “DHL shipment failed to arrive” or “DHL Private delivery services”.
This email is sent from the spoofed address “DHL Service <firstname.lastname@example.org>” and has the following body:
Your parcel arrived at the post office on April 22. Our courier was unable to deliver the parcel to your adress.
To receive the parcel you should go to the nearest DHL office and take your mailing label with you.
The mailing label is attached. Please print it and show at the nearest DHL office to receive the parcel.
Thank you for using DHL Service!
Princes Court, 11
Wapping Ln, London,
E1W 2DA,United Kingdom
Toll Free: +44 20 7553 2200
Hours:Open today · 9:00 am 7:00 pm
The attached ZIP file is named DHL_label_56047.zip and contains the 142 kB file Label_87698_id_2518023.pdf.exe, an executable whose double extension makes it look like a PDF.
The trojan is known as Trojan.Agent.ED, HEUR/Malware.QVM20.Gen, PE:Malware.XPACK-HIE/Heur!1.9C48, Troj/Zbot-IDQ or TROJ_GEN.F47V0423.
At the time of writing, 6 of the 51 AV engines detected the trojan at VirusTotal.
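With so few engines detecting the sample, a structural check on the attachment is a useful complement to signatures. The following is an added example, not code from MX Lab: a mail-gateway style check that flags ZIP members with a decoy-plus-executable double extension such as `.pdf.exe`, or with a PE header. The extension lists and function names are assumptions, and the sample archive is built from constructed stub bytes.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will execute directly (assumed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-like extensions commonly used as the decoy part of the name (assumed).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def scan_zip_attachment(data: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a disguised executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            with zf.open(info) as member:
                is_pe = member.read(2) == b"MZ"  # DOS/PE header magic
            exec_ext = bool(suffixes) and suffixes[-1] in EXECUTABLE_EXTS
            double_ext = exec_ext and len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS
            # PE content under a non-executable name is flagged as well.
            if double_ext or exec_ext or is_pe:
                findings.append({"name": info.filename, "double_extension": double_ext,
                                 "executable_extension": exec_ext, "pe_header": is_pe})
    return findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from constructed test data (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip({
        "Label_87698_id_2518023.pdf.exe": b"MZ" + b"\x00" * 62,  # constructed stub
        "readme.txt": b"harmless text",
    })
    for finding in scan_zip_attachment(sample):
        print(finding)
```

Password-protected archives cannot be opened this way and should be handled by a separate policy.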