Fake email from the Pegler Yorkshire Group regarding a daily report contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “FW: Daily report” that is supposed to come from the Pegler Yorkshire Group, a British manufacturer of valves and engineering products.

This email is send from the spoofed address “Ian Howarth <Ian.Howarth@pegleryorkshire.co.uk>” and has the following body:

Please review attached document.



Head Office| St. Catherine’s Avenue, Doncaster, South Yorkshire, DN4 8DF, England.

Registered in England Company No. 00401507, Registered Office| Pegler Yorkshire Group Limited, St. Catherine’s Avenue, Doncaster, South Yorkshire, DN4 8DF, England. An Aalberts Industries Company.

DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Any views/opinions expressed in this email are solely those of the author and not of the company. The company may monitor communications for business purposes. Copyright in this email belongs to Pegler Yorkshire Group Limited, ALL RIGHTS RESERVED. This e-mail has been scanned for all known viruses by our systems however the company accepts no liability for any damage caused by any virus transmitted by this email.

The attached ZIP file has the name F44907162.zip and contains the 22 kB large file F44907162.scr (note: numbers may vary).

The trojan is known as Troj.W32.Gen or HEUR/QVM20.1.Malware.Gen.

At the time of writing, 2 of the 54 AV engines did detect the trojan at Virus Total.

Use the Virus Total permalink for more detailed information.
SHA256: c9189ab85dcb7782bd048d1b91b6c2c414d6f7e7197f1e7a11189a92ad43c9f7

UPDATE 21/10/2014 12:20:

The same trojan is also being distributed by email with other content then mentioned above. This is an example that is supposed to come from the company 888 Publishing Ltd and has the same subject line “FW: Daily report”. So we might expect to see more similar emails but with different content.

Please review attached document.
Kind regards,

Carrie Lancaster – Editor

888 Publishing Ltd
6 Mitre Passage
Greenwich Peninsula
SE10 0ER
United Kingdom

T: +44 (0) 203 440 7106
F: +44 (0) 203 440 7115
W: http://www.biopharma-asia.com
CO#: 08048039
Find Us Online

This message and any files transmitted with it are the property of 888 Publishing Ltd, are confidential, and are intended solely for the use of the person or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please contact the sender and delete his message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited.

One thought on “Fake email from the Pegler Yorkshire Group regarding a daily report contains trojan

Comments are closed.