MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Stanford”.
This fake email is sent from the spoofed address “Kcurran <firstname.lastname@example.org>” and has the following body:
Please find the attached.
The password for the archive: kasandra
If you can not read the file, set WinRar http://www.rarlab.com/download.htm
Kevin T Curran
New Stanford Hospital
Stanford Health Care
O: 650-723-2219 C: 650-847-8382
The attached password-protected file WgxEoWsa.rar contains the 52 kB file document.exe.
The trojan is known as Win32:Evo-gen [Susp], Packed.Win32.Katusha.3!O, BehavesLike.Win32.Downloader.qh or Trojan.Win32.Qudamah.Gen.26.
At the time of writing, 4 of the 56 AV engines detected the trojan at VirusTotal.