MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects like “Order info: 5552133825” or “Order: 49003245482”.
This email is sent from spoofed addresses and has the following body:
Your order #5552133825 will be shipped on 06.10.2014.
Date: October 01, 2014. 08:08pm
Transaction number: CA2AE333E068
Please find the detailed information on your purchase in the attached file sale2014-10-01_5552133825.rar

Your order #49003245482 will be shipped on 02.10.2014.
Date: October 01, 2014. 07:52pm
Transaction number: 4D50896E86
Please find the detailed information on your purchase in the attached file item2014-10-01_49003245482.rar
The attached archive is in .rar format, with a filename similar to item2014-10-01_49003245482.rar or sale2014-10-01_5552133825.rar, and contains the 65 kB file item2014-10-01_49003245482.exe or sale2014-10-01_5552133825.exe respectively. Please note that the numbers may vary.
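A mail-filter check for the subject, body and attachment naming described above, as an added example that is not MX Lab's own code. The regular expressions are generalized from the two samples on this page; the 8 to 12 digit range for the order number and the function names are assumptions, and the test message is constructed.

```python
import re
from email.message import EmailMessage

# Patterns generalized from the two samples on this page (assumption: the
# prefix is "item" or "sale" and the order number is 8 to 12 digits).
SUBJECT_RE = re.compile(r"^Order(?: info)?: (\d{8,12})$")
ATTACH_RE = re.compile(r"^(?:item|sale)(\d{4}-\d{2}-\d{2})_(\d{8,12})\.rar$", re.I)
BODY_RE = re.compile(r"Your order #(\d{8,12}) will be shipped on \d{2}\.\d{2}\.\d{4}")


def score_message(msg):
    """Return (score, reasons); a higher score is a closer match to the campaign."""
    reasons = []
    subj = SUBJECT_RE.match((msg["Subject"] or "").strip())
    if subj:
        reasons.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body = BODY_RE.search(body_part.get_content() if body_part else "")
    if body:
        reasons.append("body")
    for part in msg.iter_attachments():
        att = ATTACH_RE.match(part.get_filename() or "")
        if not att:
            continue
        reasons.append("attachment-name")
        # The lure reuses one order number in the subject, body and file name.
        ids = {m.group(1) for m in (subj, body) if m}
        if att.group(2) in ids:
            reasons.append("order-number-correlated")
        break
    return len(reasons), reasons


def build_sample(subject, order, filename):
    """Constructed test message; the attachment bytes are a harmless placeholder."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(f"Your order #{order} will be shipped on 06.10.2014.\n")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    hit = build_sample("Order info: 5552133825", "5552133825",
                       "sale2014-10-01_5552133825.rar")
    print(score_message(hit))
```

A score of 4 means all indicators agree on one order number; lower scores are better suited to logging than to blocking, since the subject and body wording alone also fit legitimate order mail.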
The trojan is known as W32/Kryptik.CKUF!tr, a variant of Win32/Kryptik.CMMO or Trojan.Win32.Krap.2!O.
At the time of writing, 3 of the 55 AV engines detected the trojan at VirusTotal.
Use the VirusTotal permalink for more detailed information.