MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Bank Reference”.
This email is sent from the spoofed address “TQL <firstname.lastname@example.org>” and has the following body:
Bank form is attached. Please fill out and return at the earliest convenience.
Donald McCarver – Logistics Account Executive
Total Quality Logistics
Work: 800-580-3101 x54804 Cell: 630-254-3268
Always Available 24/7/365
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Total Quality Logistics. Total Quality Logistics accepts no liability for any damage caused by any virus transmitted by this email.
The attached file Bank_Ref_(4).zip contains the 29 kB file Bank_Ref_(4).exe.
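A ZIP wrapper around an .exe is the delivery mechanism here, so the check a mail gateway wants is to open the archive and look at what is inside without running it. The following is an added example, not MX Lab's tooling and not the real sample: it builds a constructed stand-in for Bank_Ref_(4).zip (an inner file named Bank_Ref_(4).exe whose content is only an "MZ" header plus padding), then flags members by executable extension and, independently, by the PE magic bytes so that a renamed executable is still caught. Password-protected members, which cannot be inspected, are reported rather than passed through.

```python
import io
import zipfile

# Extensions that commonly carry Windows executables or scripts in mail attachments.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def scan_zip_attachment(zip_bytes):
    """Inspect a ZIP attachment without executing anything it contains.

    Returns a list of (member_name, reason) tuples; an empty list means
    none of these checks fired.
    """
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<attachment>", "not a valid ZIP archive")]

    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            ext = lower[lower.rfind("."):] if "." in lower else ""

            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((name, f"executable extension {ext}"))

            # Bit 0 of the general-purpose flags marks an encrypted member.
            # It cannot be read, so report it instead of silently passing it.
            if info.flag_bits & 0x1:
                findings.append((name, "encrypted member, contents not inspectable"))
                continue

            # Check the magic bytes regardless of the name: a renamed .exe still
            # starts with "MZ". Only the first two bytes are read.
            with archive.open(info) as member:
                head = member.read(2)
            if head == b"MZ":
                findings.append((name, "MZ header (Windows PE executable)"))
    return findings


def should_quarantine(zip_bytes):
    """Policy wrapper: any finding at all blocks the message."""
    return len(scan_zip_attachment(zip_bytes)) > 0


def build_sample_attachment():
    """Constructed stand-in for Bank_Ref_(4).zip, for demonstration only.

    The inner 'executable' is an MZ header followed by padding; it is not
    the real trojan and cannot run.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Bank_Ref_(4).exe", b"MZ" + b"\x90" * 62 + b"placeholder, not the real sample")
    return buf.getvalue()


def build_benign_attachment():
    """Constructed ZIP holding only a text file, as a negative control."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bank_form.txt", b"Account name:\nAccount number:\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("Bank_Ref_(4).zip stand-in", build_sample_attachment()),
                        ("benign control", build_benign_attachment())):
        print(label, "->", scan_zip_attachment(data) or "no findings")
```

Both checks fire on the stand-in (extension and MZ header), while the text-only control produces no findings. In a real gateway the same scan would run on every member, nested archives included, and the encrypted-member case is the one that most often needs an explicit policy decision.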
The trojan is known as Packed.Win32.Obfuscated.10!O, Trj/Genetic.gen or Mal/Dyreza-D.
At the time of writing, 3 of the 57 AV engines at VirusTotal detected the trojan.