MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “You have received new messages from HMRC”.
This email is send from the spoofed address “no-replay <firstname.lastname@example.org> ” and has the following body:
Please be advised that one or more Tax Notices (P6, P6B) have been issued.
For the latest information on your Tax Notices (P6, P6B) please open attached report.
Please do not reply to this e-mail.
The attached file report737009.zip contains the 50 kB large file report.exe.
The trojan is known as Trojan.Upatre.125, Trojan-Downloader.Win32.Upatre.ezk, BehavesLike.Win32.Autorun.pz, Troj/Dyreza-BK or TROJ_UPATRE.LWE.
At the time of writing, 13 of the 55 AV engines did detect the trojan at Virus Total.