Trojan masked in German email with attached fax message


MX Lab, http://www.mxlab.eu, has started to intercept a new trojan distribution campaign by email with the subject “fax aus “+49 (0) 30 xxx xxx xx” – xx seiten” (where x stands for a digit).

This email is sent from different spoofed addresses that start with “fax@” and has the following body:

Faxnachricht [Caller-ID: +49 (0) 30 882 470 67]
Seiten: 18.
Datum: 2014-04-28 12:58:48 UTC.
Kennziffer: CF6922BF1222EE9078B5.

The attached ZIP file has the name fax_CF6922BF1222EE9078B5.zip and contains the 60 kB file fax_1C33357D754884420273.exe.

The trojan is known as Backdoor.Bot, Malware.QVM03.Gen, a variant of Win32/Injector.BCTG, Virus.Win32.Heur.p or Win32:Malware-gen.

At the time of writing, 5 of the 51 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink for more detailed information.
SHA256: 612d5f5baa070e2725674ca70a609dac7cf4335659d959aa07b0b93bf890fab5.
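
The subject line, the “fax@” sender prefix and the attachment naming described above can be combined into a mail-filter check. The following Python is an added example, not MX Lab's code: the 20-hex-digit file name pattern is generalized from the single sample in this post, and the function names, example.com addresses and placeholder archive content are constructed for illustration.

```python
import io
import re
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# Patterns derived from the indicators in the post (hex length is an assumption).
SUBJECT_RE = re.compile(
    r'fax aus\s+["“]?\+49 \(0\) 30 \d{3} \d{3} \d{2}["”]?\s+[–-]\s+\d+ seiten', re.I)
ZIP_NAME_RE = re.compile(r'fax_[0-9A-F]{20}\.zip', re.I)
EXE_NAME_RE = re.compile(r'fax_[0-9A-F]{20}\.exe', re.I)

def match_fax_campaign(msg):
    """Return the list of campaign indicators found in an email message."""
    hits = []
    if SUBJECT_RE.search(msg.get('Subject', '')):
        hits.append('subject')
    # parseaddr strips any display name, so "Fax <fax@...>" is matched too.
    if parseaddr(msg.get('From', ''))[1].lower().startswith('fax@'):
        hits.append('sender')
    for part in msg.iter_attachments():
        name = part.get_filename() or ''
        if not ZIP_NAME_RE.fullmatch(name):
            continue
        hits.append('zip_name')
        try:
            # List archive members without extracting anything to disk.
            with zipfile.ZipFile(io.BytesIO(part.get_content())) as zf:
                if any(EXE_NAME_RE.fullmatch(n) for n in zf.namelist()):
                    hits.append('exe_in_zip')
        except zipfile.BadZipFile:
            hits.append('unreadable_zip')  # malformed archive: flag for review
    return hits

def build_sample(subject, sender, zip_name, member):
    """Constructed test message; the archive member holds harmless bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr(member, b'constructed placeholder, not an executable')
    msg = EmailMessage()
    msg['Subject'], msg['From'], msg['To'] = subject, sender, 'user@example.com'
    msg.set_content('Faxnachricht [Caller-ID: +49 (0) 30 882 470 67]\nSeiten: 18.')
    msg.add_attachment(buf.getvalue(), maintype='application',
                       subtype='zip', filename=zip_name)
    return msg

if __name__ == '__main__':
    sample = build_sample('fax aus "+49 (0) 30 882 470 67" – 18 seiten',
                          'fax@example.com', 'fax_CF6922BF1222EE9078B5.zip',
                          'fax_1C33357D754884420273.exe')
    print(match_fax_campaign(sample))
```

A message that matches several indicators at once is a stronger signal than any single one, since the sender prefix alone also matches legitimate fax gateways.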