Sep 20 | 6:43 am (UTC-7) | by Joey Costoya (Senior Threat Researcher)
There’s new malware being spammed right now. It arrives with the attachment invoice.zip, which contains two files:
- cancel order.exe (md5: 2c51d2f9188464763fc664beedb314ff, size: 3837 bytes)
- invoice.html
In case the user does not double-click the EXE attachment, there’s a backup plan. The file invoice.html is a short HTML page that poses as a purchase receipt and tries to social-engineer the user into executing cancel order.exe.

The “click here” link points to the cancel order.exe executable. But this plan fails miserably if your archiver did not extract cancel order.exe from the invoice.zip file.
No anti-malware firm detects cancel order.exe yet, with the exception of Trend Micro, which detects the critter as PAK_Generic.001.
The malware downloads the following file:
http://www.[BLOCKED]/webdl4x/webbot.exe
AV coverage is also low, but Trend also detects this one as PAK_Generic.001.
And it seems that our new find is also a bot, as evidenced by this web request:
http://[BLOCKED].info/settings/webbot/remote.php?os=XP&user=sp1-1&status=1&version=0.1&build=beta003&uptime=0w%203d%200h%202m%2052s%20&av=&fw=
As can be seen, it reports the system’s OS, machine name, uptime, AV, and firewall. And the server promptly replies with:
Added Successfully!
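For defenders, the two URLs above are the useful artifacts: the stage-2 download of webbot.exe and the check-in beacon with its fixed set of query keys (os, user, status, version, build, uptime, av, fw). The following is an added example, not code from the original post or from Trend Micro, that scans constructed proxy-log lines for both stages and decodes the beacon fields. The host name c2.example.invalid stands in for the [BLOCKED] hosts, and the log layout (time, client IP, method, URL, status) is an assumption for the sample.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the post: the stage-2 download path and the beacon path.
DOWNLOAD_PATH = "/webdl4x/webbot.exe"
BEACON_PATH = "/settings/webbot/remote.php"
# Every query key the check-in request carries; all must be present to match.
BEACON_KEYS = {"os", "user", "status", "version", "build", "uptime", "av", "fw"}

# The bot reports uptime as "0w 3d 0h 2m 52s" (URL-encoded in the request).
UPTIME_RE = re.compile(r"(\d+)w\s*(\d+)d\s*(\d+)h\s*(\d+)m\s*(\d+)s")


def uptime_to_seconds(text):
    """Convert the bot's 'Nw Nd Nh Nm Ns' uptime string to seconds; None if unparsable."""
    m = UPTIME_RE.search(text)
    if not m:
        return None
    w, d, h, mi, s = (int(x) for x in m.groups())
    return (((w * 7 + d) * 24 + h) * 60 + mi) * 60 + s


def classify_url(url):
    """Return ("download", fields) or ("beacon", fields) for a webbot URL, else None."""
    parts = urlsplit(url)
    if parts.path.endswith(DOWNLOAD_PATH):
        return "download", {"host": parts.hostname, "path": parts.path}
    if parts.path.endswith(BEACON_PATH):
        # keep_blank_values keeps av= and fw=, which the bot sends empty.
        qs = parse_qs(parts.query, keep_blank_values=True)
        if BEACON_KEYS.issubset(qs):
            fields = {k: qs[k][0] for k in sorted(BEACON_KEYS)}
            fields["host"] = parts.hostname
            fields["uptime_seconds"] = uptime_to_seconds(fields["uptime"])
            return "beacon", fields
    return None


def scan_log(lines):
    """Return (client_ip, stage, fields) for every log line that matches either indicator."""
    hits = []
    for line in lines:
        cols = line.split()
        # assumed layout: time client_ip method url status
        if len(cols) < 5:
            continue
        result = classify_url(cols[3])
        if result:
            stage, fields = result
            hits.append((cols[1], stage, fields))
    return hits


# Constructed sample log; the beacon query string is the one quoted in the post.
SAMPLE_LOG = [
    "13:41:02 10.0.0.7 GET http://c2.example.invalid/settings/webbot/remote.php"
    "?os=XP&user=sp1-1&status=1&version=0.1&build=beta003"
    "&uptime=0w%203d%200h%202m%2052s%20&av=&fw= 200",
    "13:41:05 10.0.0.9 GET http://www.example.invalid/index.html 200",
    "13:41:09 10.0.0.7 GET http://c2.example.invalid/webdl4x/webbot.exe 200",
]

if __name__ == "__main__":
    for ip, stage, fields in scan_log(SAMPLE_LOG):
        print(ip, stage, fields)
```

The empty av= and fw= values are themselves a useful signal: a host that checks in reporting no AV and no firewall is exactly the one a bot operator is looking for, and the decoded uptime tells you roughly how long ago the machine was last rebooted (here about three days), which helps scope the incident.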
More updates later…
Cheers to Trend Researcher Joey Costoya for discovering this!