MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Copied invoices”.
This email is send from the spoofed address “kshakong@Cashbuild.co.za” and has the following body:
The attached invoices are copies. We will not be able to pay them. Please send clear invoices
This outbound email has been scanned by the IS Mail Control service.
For more information please visit http://www.is.co.za
The attached ZIP file has the name SKMBT_75114091015230.zip and contains the file SKMBT_75114091015230.exe.
The trojan is known as Trojan.PWS.Stealer.4118, Spyware.Passwords, Trojan.Zbot.ILS, TR/Fareit.A.301, Troj/Agent-AIXF or RDN/Generic PWS.y!bbb.
At the time of writing, 24 of the 54 AV engines did detect the trojan at Virus Total.
Use the Virus Total permalink for more detailed information.