‚ÄčThis morning I spotted a few messages from my mobile carrier in my email inbox. This was not surprising as, only a few hours prior, I had logged into the carrier's website to pay the monthly bill. The standard mode of operation for my provider is to receive a bill via email, and a confirmation message after paying the bill, also through email.

Today, however, one message stood out in several ways. First, the subject line was quite varied from what I was expecting to see:


Important Account Information from Verizon Wireless TRACK-ID: 15730301098


I was also addressed in the email in a rather peculiar way, "Hello Dear!". Only my aunt ever calls me "dear", so I knew it was a phony. Below is a copy of the spammed message:



The email messages have been spammed with varying elements among recipients. For instance, the "Total Balance Due" amount is different among samples spotted in-the-wild, with a leading zero when the amount is less than 1000:


Total Balance Due: $1589.55
Total Balance Due: $1366.06
Total Balance Due: $0257.93


The subject line is also not fixed and alters among recipients, in at least three different formats:


Subject: Important Account Information from Verizon Wireless TRACK-ID: 70341011278
Subject: Important Account Information from Verizon Wireless TRACK-ID: 12904962494
Subject: Important Account Information from Verizon Wireless, ID: 79PZ0SZ95HCLD
Subject: Important Account Information from Verizon Wireless, ID: OW0ORPE4SGTST
Subject: Important Information from Verizon Wireless, Tue, 6 Dec 2011 16:59:40 +0100
Subject: Important Information from Verizon Wireless, Tue, 6 Dec 2011 20:13:33 +0200


This suggests automation may be at play. The email carries a file attachment as a ZIP archive, commonly named "Verizon-Wireless-Account-StatusNotification_#######.zip", such as "Verizon-Wireless-Account-StatusNotification_3518066.zip". Within the attached archive, is an executable bearing a similar name such as "Verizon-Wireless-Account-Status-Notification-Dec-2011.exe" (SHA1: d4b12df0eb31457ad3d2197e9993f16a1f1a53eb).

While I was writing this article, the spam campaign altered to target Adobe software:

From: <no-reply @ adobe.com>
Date: 12/6/2011 9:00:59 AM
Subject: Adobe Software Critical Upgrade Notification ID: RA4NFDKPJBD
Attachment: AdobeSystems-Software_Critica Update_Dec_2011-6PGCF713B.zip

Hello Dear,

Adobe is pleased to announce new version upgrades for Adobe Acrobat Reader and Adobe X Suite
Advanced features include:
- Collaborate across borders
- Create rich, polished PDF files from any application that prints
- Ensure visual fidelity
- Encrypt and share PDF files more securely
- Use the standard for document archival and exchange
To upgrade and enhance your work productivity today please open attached file.
Copyright 2011 Adobe Systems Incorporated. All rights reserved.
TrackNum: MK20N1-3369338

Adobe Systems Incorporated,
Tue, 6 Dec 2011 18:00:59 +0100


At this time, there is limited detection among vendors - we identify it as PWS:Win32/Zbot.gen!Y. Be wary of messages that may appear to be from known entities and use security software to minimize the chance of infection.

-- Patrick Nolan, MMPC