Fake Amazon order and invoice detail email contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Order Details”.

This email is sent from the spoofed address “delivers@amazon.com” and has the following body:

Thank you for your order. We’ll let you know once your item(s) have dispatched. You can view the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details
Order R:121217 Placed on May 28, 2014

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon. Amazon.com

The attached ZIP file has the name order_id_78362477.zip and contains the 118 kB file order_id_7836247823678423678462387.exe.

The trojan is known as Win32:Malware-gen, Trojan.Win32.Krap.2!O, Spyware.Zbot.VXGen, PE:Malware.XPACK-HIE/Heur!1.9C48 or TROJ_GEN.F0D1H0ZFP14.

At the time of writing, 7 of the 54 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: d12526fc430fa213d77f8523a89c92c5f4e0d11deacbaf5c160a16f87ed5adc3.
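
A gateway-style triage of the kind of attachment described above, as an added example (not MX Lab's code): it flags ZIP members that have an executable extension, start with an MZ header, or match the SHA256 published here. The extension list, the size limit, the reading of the published hash as that of the extracted .exe, and the harmless constructed sample are assumptions.

```python
import hashlib
import io
import zipfile

# SHA256 published in the advisory above (assumed to be the hash of the extracted .exe).
KNOWN_BAD_SHA256 = {"d12526fc430fa213d77f8523a89c92c5f4e0d11deacbaf5c160a16f87ed5adc3"}
# Assumed blocklist of extensions Windows runs on double-click; extend as needed.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # skip members that declare a larger size


def triage_zip(data: bytes) -> list[dict]:
    """Return one finding per suspicious member of a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons, digest = [], None
            if info.filename.lower().endswith(EXEC_EXTENSIONS):
                reasons.append("executable extension")
            if info.flag_bits & 0x1:  # bit 0 of the ZIP flags marks an encrypted member
                reasons.append("encrypted member, content not inspected")
            elif info.file_size > MAX_MEMBER_BYTES:
                reasons.append("oversized member, content not inspected")
            else:
                body = zf.read(info)
                digest = hashlib.sha256(body).hexdigest()
                if body[:2] == b"MZ":  # catches executables renamed to .pdf, .doc, ...
                    reasons.append("PE/MZ header")
                if digest in KNOWN_BAD_SHA256:
                    reasons.append("known-bad SHA256")
            if reasons:
                findings.append({"member": info.filename, "sha256": digest, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed, harmless sample that mirrors the file naming in the advisory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("order_id_7836247823678423678462387.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"plain text, not flagged")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample()):
        print(finding)
```

With only 7 of 54 engines detecting the sample at the time of writing, structural checks like these catch the attachment even when signature-based scanning does not.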

5 thoughts on “Fake Amazon order and invoice detail email contains trojan”

  1. Received this exact email just now. Not picked up by Defender. Didn’t unpack/open it, obviously.

  2. Hi, I received the invoice from Amazon & since I did not have an Amazon account I was curious. So stupid me opened attached file. I now fear that my PC is infected with this Trojan. Any suggestions as to how I can cure the problem? I have AVG installed.

    • Uninstall AVG and install/purchase Malwarebytes and Avast Anti-Virus. Don’t forget to pick up Microsoft Security Essentials if your system hasn’t installed it already.

      You might have to utilize “HijackThis” to remove the trojan/virus in case this doesn’t work. Hopefully this helps. Malwarebytes and Avast! really do the trick for 99.9999% of my protection needs.

      • Hi Ryne
        Many Thanks for your help. I managed to track the offending files in the system & systematically deleted these but it took quite a few attempts. I did also use Malwarebytes. The system now registers virus free.
        Again Thanks
