We're running 7.5.1-028 on X1070 appliances and we're using the Sophos A/V engine. We have Sophos engine 3.2.07.378_4.90 of 04 Sep 13, and IDE rules 2013090806 of 08 Sep 13.
For the past week or so we've seen a significant number of messages get through which contain the Zbot trojan in a ZIP attachment. Of the messages I've looked at, all come from yahoo.com mail accounts and appear to pass through the Yahoo mail infrastructure, so I'm assuming compromised Yahoo accounts are being used. All the messages have a subject line that looks like one of these:
DHL Delivery service notify T7RUKTZYPC
FedEx Global report UU6PLGIEZU
UPS Global notifocation PE4HKNFNR4
USPS INC report ZR05Q0G5RZ
The code at the end appears to be random. The body of the message claims that the courier has a parcel which could not be delivered, and the recipient is invited to open the attachment for details of how to arrange delivery. See the example below.
Has anyone else seen this problem? It's easy enough to block with a content filter, but it should be picked up by the A/V engine IMHO.
Our company`s courier couldn`t make the delivery of parcel.
REASON: Postal code contains an error
DELIVERY STATUS: sort order
SERVICE: Three-day shipping
NUMBER OF parcel: PE4HKNFNR4
Read the attached file for details.
An extra information:
If the parcel isn`t received within 10 working days our company will have the right to claim compensation from you for it`s keeping in the amount of $6.66 for each day of keeping of it.
Thank you for using our service.
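The content-filter approach mentioned in the post can be illustrated with a small stand-alone classifier. The following Python is an added example, not the poster's filter nor anything from the appliance vendor; it assumes only the traits described above (a courier name in the subject, a trailing 10-character random code, a ZIP attachment, and a yahoo.com sender) and builds its own constructed sample messages so it runs offline. The appliance's own filter language is not modelled here.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr

# Subject shape seen in the reported campaign: a courier name at the start,
# then a few words, then a 10-character upper-case alphanumeric code at the end.
COURIER_SUBJECT = re.compile(r"^(DHL|FedEx|UPS|USPS)\b.*\b[A-Z0-9]{10}$")

# Sender domain the poster observed; used only to annotate the verdict.
SUSPECT_SENDER_DOMAINS = {"yahoo.com"}


def is_zip_attachment(part) -> bool:
    """True if this MIME part is a ZIP attachment, by content type or by filename."""
    if part.get_content_disposition() != "attachment":
        return False
    filename = (part.get_filename() or "").lower()
    ctype = part.get_content_type()
    return ctype in ("application/zip", "application/x-zip-compressed") or filename.endswith(".zip")


def classify(raw: bytes) -> dict:
    """Return the filter verdict for one raw RFC 5322 message.

    A message is flagged for quarantine when the subject matches the courier
    pattern AND it carries a ZIP attachment; the sender domain is reported as
    supporting evidence only, so a compromised account on another provider
    would still be caught.
    """
    msg = message_from_bytes(raw)
    subject = (msg.get("Subject") or "").strip()
    sender = parseaddr(msg.get("From") or "")[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    subject_hit = bool(COURIER_SUBJECT.match(subject))
    has_zip = any(is_zip_attachment(p) for p in msg.walk())
    return {
        "subject": subject,
        "sender_domain": sender_domain,
        "suspect_sender": sender_domain in SUSPECT_SENDER_DOMAINS,
        "subject_hit": subject_hit,
        "has_zip": has_zip,
        "quarantine": subject_hit and has_zip,
    }


def build_sample(subject: str, sender: str, with_zip: bool) -> bytes:
    """Construct a sample message for testing (constructed data, not a captured mail)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Read the attached file for details.")
    if with_zip:
        # Placeholder bytes with a ZIP local-file-header signature; not a real archive.
        m.add_attachment(b"PK\x03\x04" + bytes(26), maintype="application",
                         subtype="zip", filename="report.zip")
    return m.as_bytes()


# Constructed samples: the subjects mirror the shapes quoted in the post.
SAMPLES = [
    build_sample("UPS Global notifocation PE4HKNFNR4", "someone@yahoo.com", True),
    build_sample("USPS INC report ZR05Q0G5RZ", "someone@yahoo.com", False),
    build_sample("Your FedEx shipment has shipped", "noreply@fedex.example", True),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        v = classify(raw)
        print(f"{'QUARANTINE' if v['quarantine'] else 'deliver   '}  {v['subject']!r}  "
              f"zip={v['has_zip']} subject_hit={v['subject_hit']} sender={v['sender_domain']}")
```

Requiring both the subject pattern and a ZIP attachment keeps ordinary courier notifications (which carry no archive) out of quarantine, while the sender domain is surfaced as evidence rather than used as a hard condition, since the accounts involved are assumed compromised and the next wave may come from elsewhere.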