MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Order PC299139PPS Accepted”
This email is send from the spoofed address “CVLink <email@example.com>” and has the following body:
Your order number (PC299139PPS) has been authorised
Calls to 0871 numbers cost between five and ten pence per minute from BT landlines but calls from other operators and mobiles may cost more. Calls to this number cost between 5 and 10 pence per minute from BT landlines but calls from other operators and mobiles may cost more. Please note that calls to CVL may be recorded for quality and training purposes. Registered in ENGLAND :: LS19 7ZA :: Company Number – 759126 :: VAT Number – 834 8748 86 This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. The content of the email should also be considered primarily as opinion or comment and not as a statement of fact. If you are not the intended recipient, you are hereby notified that any use or dissemination of this communication is strictly prohibited. If you have received this email in error, please advise the sender immediately and delete it. We believe that this e-mail and any attachments are free from any virus or other defects which may affect any computer system, but it remains the responsibility of the recipient to ensure that it is virus free. CVL accept no responsibility for any loss or damage arising in any way from its use.
The attached file PC299139PPS.doc is a Word file with malicious macro that will download the real malware.
The Word file is detected as heur.macro.download.cc.
At the time of writing, 1 the 55 AV engines did detect the trojan at Virus Total.
Use the Virus Total for more detailed information.