Fake email “Fwd: Dhl Delivery Attempt” contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Fwd: Dhl Delivery Attempt  (Invoice Documents)”.

This email is sent from the spoofed address “enquiry@dhl.com” and has the following body:

We attempted to deliver your item at 17:32pm on Sept 15th, 2014.
The delivery attempt failed because nobody was present at the shipping address, so this notification has been automatically generated.
You may rearrange delivery by visiting the link on the attached document or pick up the item at the DHL depot/office indicated on the receipt attached.
If the package is not rescheduled for delivery or picked up within 48 hours, it will be returned to the sender.
Airway Bill No: 7808130095
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent
Print this label to get this package at our depot/office.
Thank you
© 2014 Copyright© 2013 DHL. All Rights Reserved.
*** This is an automatically generated email, please do not reply ***
**************** CAUTION – Disclaimer *****************
Any person receiving this email and any attachment(s) contained, shall treat the information as confidential and not misuse, copy, disclose, distribute or retain the information in any way that amounts to a breach of confidentiality. If you are not the intended recipient, please delete all copies of this email from your computer system. As the integrity of this message cannot be guaranteed, neither DHL nor any entity in the Deutsche Post Group shall be responsible for the contents. Any opinion in this email may not necessarily represent the opinion of DHL or any entity in the Deutsche Post Group

—– End forwarded message —–

—– End forwarded message —–

—– End forwarded message —–

—– End forwarded message —–

The attached ZIP file is named DHL EXPRESS DELIVERY ATTEMPT.zip and contains the 293 kB file DHL EXPRESS DELIVERY ATTEMPT.exe.

The trojan is known as Trojan/Win32.Necurs, a variant of Win32/Injector.BLYN, W32/Injector.GLA!tr, Backdoor.Bot or Win32.Trojan.Bp-generic.Ixrn.

At the time of writing, 6 of the 55 AV engines on Virus Total detected the trojan.

Use the Virus Total permalink for more detailed information.
SHA256: 57d37614dd81d48c25bec02f4481e1757cd7a5b84ccc31904635a51d70db1a44.
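The pattern described above (a carrier-themed lure, a ZIP attachment wrapping an executable) is easy to flag at the mail gateway even before AV engines catch up. The following Python script is an added example written for this post, not MX Lab's code: it parses a message, opens any ZIP attachment, lists members with executable extensions, and compares their SHA256 against a known-bad set. The SHA256 in `KNOWN_BAD_SHA256` is the one given in the post; the sample message, the sender/recipient addresses and the `.exe` bytes are constructed stand-ins, so the constructed member will not match the real hash.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# The only IoC the post provides: SHA256 of DHL EXPRESS DELIVERY ATTEMPT.exe.
KNOWN_BAD_SHA256 = {
    "57d37614dd81d48c25bec02f4481e1757cd7a5b84ccc31904635a51d70db1a44",
}

# Extensions that have no business arriving as a "delivery receipt".
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def build_sample_message() -> bytes:
    """Construct a message shaped like the campaign: DHL-themed subject, spoofed
    sender, ZIP attachment wrapping an .exe.  The .exe bytes are a constructed
    placeholder (an MZ header plus padding), not the real sample."""
    payload = b"MZ" + b"\x00" * 64  # constructed stand-in for the dropped binary
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("DHL EXPRESS DELIVERY ATTEMPT.exe", payload)
    msg = EmailMessage()
    msg["From"] = "enquiry@dhl.com"                 # spoofed sender from the post
    msg["To"] = "recipient@example.invalid"         # constructed
    msg["Subject"] = "Fwd: Dhl Delivery Attempt  (Invoice Documents)"
    msg.set_content("We attempted to deliver your item ...")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="DHL EXPRESS DELIVERY ATTEMPT.zip")
    return msg.as_bytes()


def inspect_message(raw: bytes, known_bad=KNOWN_BAD_SHA256) -> list:
    """Return one finding per suspicious ZIP member as a tuple
    (attachment name, member name, sha256 hex, matches known-bad set).
    A ZIP that cannot be opened yields (attachment name, None, None, False)
    so that malformed archives are still surfaced rather than silently skipped."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        data = part.get_payload(decode=True) or b""
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            findings.append((name, None, None, False))
            continue
        with zf:
            for info in zf.infolist():
                # str.endswith accepts a tuple, so one call covers all extensions.
                if not info.filename.lower().endswith(EXECUTABLE_EXTENSIONS):
                    continue
                digest = hashlib.sha256(zf.read(info)).hexdigest()
                findings.append((name, info.filename, digest, digest in known_bad))
    return findings


if __name__ == "__main__":
    for attachment, member, digest, hit in inspect_message(build_sample_message()):
        print(f"{attachment} -> {member}: {digest} known_bad={hit}")
```

Hash matching alone is brittle (a repacked sample changes the digest), which is why the script also reports every executable inside a ZIP regardless of hash; at a gateway that structural signal is the one worth blocking or quarantining on, with the hash used for confident attribution to this campaign.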