MX Lab, http://www.mxlab.eu, has started to intercept a new trojan distribution campaign by email with the subject “Reservation for Thursday, June 12, 2014 BN_4914940”. The trojan remains almost undetected by antivirus scanners: at the time of writing, only 2 of the 51 AV engines at VirusTotal detected it.
This email is sent from the spoofed address “Booking.com” and has the following body:
Thanks! Your reservation is now confirmed.
BOOKING.COM online hotel reservations
Booking number: 4914940
PIN Code: 6287
Your reservation: 1 night, 1 room
Check in: Thursday, June 12, 2014
(2:00 pm – 00:00 am)
Check out: Friday, June 13, 2014
(until 12:00 pm)
Superior Double Room $1,300.68
VAT (20%) included $449.92
Total Price $1,750.60
Screenshot of the email:
The attached ZIP file has the name BN_4914940.zip and contains the 95 kB file report_92da3ec16736842.pdf.exe.
Please note that the numbers in the subject, message or attachment may vary with each email.
The trojan is known as PWSZbot-FXE!3B53E958ECF1 or TrojanSpy.Zbot.herw.
At the time of writing, 2 of the 51 AV engines at VirusTotal detected the trojan, so be cautious with this file or the email. MX Lab recommends not to download or open the attached ZIP file in any way because virus definitions have not yet been distributed accordingly. Remove the email immediately from your computer.