Subject: WorldPay CARD transaction Confirmation
Date: Fri, April 24, 2009 5:28 pm
Your transaction has been processed by WorldPay, on behalf of Amazon Inc.
The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Amazon Inc has received your order,
and will inform you about delivery.
This confirmation only indicates that your transaction has been processed
It does not indicate that your order has been accepted.
It is the responsibility of Amazon Inc to confirm that
your order has been accepted, and to deliver any goods or services you have ordered.

In this case there was a ZIP file called WorldPay_NR9712.zip (the filename may vary) with an executable in it named WorldPay_NR9712.exe. When unzipped it looks a bit like a Windows Help file.
Detection rates are very poor, with only Microsoft flagging it up as something specific (PWS:Win32/Zbot.M). The ThreatExpert prognosis also indicates that it is malware (by the way, if you are dealing with an infected machine the ThreatExpert report can help you clean it up).
If you can, it is always a good idea to block EXE-in-ZIP attachments at the perimeter.
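
One way to apply the EXE-in-ZIP block at a mail gateway, as an added example that is not from the original post. The function names, the extension list and the sample message are assumptions constructed for illustration; the attachment holds placeholder bytes, not a real binary.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist of directly executable Windows extensions; adjust to local policy.
BLOCKED_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def zip_verdict(data):
    """Return a reason (str) to block this ZIP payload, or None if nothing matched."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename.lower().rstrip(". ")  # Windows drops trailing dots/spaces
                if name.endswith(BLOCKED_EXT):
                    return f"executable in archive: {info.filename}"
                if info.flag_bits & 0x1:  # encrypted member cannot be content-scanned
                    return f"encrypted member: {info.filename}"
    except zipfile.BadZipFile:
        return "unreadable archive"  # fail closed on malformed ZIPs
    return None


def scan_message(raw):
    """Return block reasons for every ZIP attachment in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Go by the ZIP magic bytes, not the filename or the declared MIME type.
        if payload.startswith(b"PK"):
            verdict = zip_verdict(payload)
            if verdict:
                reasons.append(f"{part.get_filename()}: {verdict}")
    return reasons


def build_sample(member):
    """Constructed test message: one ZIP attachment holding a harmless member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder, not a real binary")
    msg = EmailMessage()
    msg["Subject"] = "WorldPay CARD transaction Confirmation"
    msg.set_content("The invoice file is attached to this message.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="WorldPay_NR9712.zip")
    return msg.as_bytes()
```

The check keys on the archive's member names rather than antivirus signatures, so it still catches the attachment when detection rates are as poor as described above.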