Since late last week, we have been observing a fair number of spams with a Trojan payload, purporting to be a money transfer notification from Western Union. The spam looks like this (the attachment in this screenshot has been stripped by a scanner — the actual attachment should read “Western Union Information.exe”:
The text may read something like this:
Total of #3750 has been transferred by western union
MTCN number is 007-188-6024.
Enclosed is the western union sheet
Total of $3750 has been transferred by wetern union
The MTCN number is 007-188-6024.
Enclosed is the transfer sheet
I hope this settles my transfer
After the Trojan is executed, the user sees a text file:
But that, of course, is the least of their problems.
An analysis of the program is on the Sunbelt Sandbox, here.