“You’ve got an eFax!”

Spam emails are nothing new, and unfortunately most internet users are confronted with them daily. Their purposes vary from simply promoting a site or product to phishing and outright infecting a computer. Today we received a particularly nasty, but at the same time convincing-looking, email claiming to be from eFax.

Convincing at first sight, but when looking a little closer it becomes clear that this is nothing more than an attempt to have the reader open a supposed PDF document.

When looking at the email source the following is listed:

From: "eFax Corporate" <[email protected]>
Subject: Corporate eFax message

According to the (legitimate) eFax website FAQ:

When someone sends you a fax, the message is delivered to the email address on your account.

  • Faxes will come from the email address [email protected]
  • The subject line of your email will be “Fax Received From (Fax Number)”.

In other words, neither the subject nor the sender matches what we would expect of a real email from eFax.

But there is more. Let's have a look at the attachment, which according to the message is supposed to be a PDF document. After downloading and unzipping the attachment, this is what we get (see image).

This may look like a PDF file, but look at the icon. That is the default executable (.exe) file icon. A simple file properties check shows that this is indeed the case.

An .exe file trying to look like a .pdf file is by its very definition suspicious. That suspicion was confirmed when, upon execution, ZeuS was downloaded and loaded on the system. This trojan is known for its info-stealing capacity (especially banking information). Emsisoft Anti-Malware detects the associated files as Trojan.Win32.Zbot.
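The file properties check described above can be automated for zipped attachments before anyone opens them. The following is an added example, not part of the original post: it reads only the first bytes of each archive member and flags executables dressed up as documents. The extension list, the name hints and the sample file names are assumptions made for illustration.

```python
import io
import posixpath
import zipfile

# Assumptions of this example: a short, non-exhaustive list of extensions
# Windows runs directly, and name fragments a fax lure might use.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
DOCUMENT_HINTS = ("pdf", "doc", "fax")
PE_MAGIC = b"MZ"      # first bytes of every Windows executable
PDF_MAGIC = b"%PDF-"  # first bytes of a real PDF


def triage_zip(zip_bytes):
    """Return [(member_name, [reasons])] for members that look disguised."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            stem, ext = posixpath.splitext(info.filename.lower())
            with archive.open(info) as member:
                head = member.read(8)  # header only; nothing is executed
            reasons = []
            if ext in EXECUTABLE_EXTS and any(h in stem for h in DOCUMENT_HINTS):
                reasons.append("executable extension on document-like name")
            if head.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTS:
                reasons.append("PE header under non-executable extension")
            if ext == ".pdf" and not head.startswith(PDF_MAGIC):
                reasons.append("claims .pdf but lacks %PDF- header")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed sample: inert bytes that only mimic the file headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("fax_message.pdf.exe", b"MZ" + b"\x00" * 62)
        archive.writestr("terms.pdf", b"%PDF-1.4\n% constructed placeholder\n")
        archive.writestr("invoice.pdf", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_zip(build_sample_zip()):
        print(name, "->", "; ".join(reasons))
```

Checking the header bytes as well as the name catches the case where the extension itself has been changed, which an icon or extension check alone would miss.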

To remove this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to quarantine. Our experts in the Help, my PC is infected! Emsisoft Forum are always ready and willing to offer additional help. The removal service is absolutely free even if you are not an Emsisoft customer yet.