Date: Fri, 8 Feb 2013 18:26:05 +0100 [12:26:05 EST]In this case there was a ZIP file called 048575623_02082013.zip (this may vary) with an attachment 048575623_02082013.exe designed to look like a PDF file.
From: "firstname.lastname@example.org" [email@example.com]
Subject: ADP Payroll Invoice for week ending 02/08/2013 - 01647
Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Thank you for choosing ADP Payroll.
Important: Please do not respond to this message. It comes from an unattended mailbox.
VirusTotal identifies it as a Zbot variant. According to ThreatExpert, the malware attempts to connect to the following hosts:
These may be legitimate hacked domains, but if you are seeing unexpected traffic going to them then it could be a Zbot indicator.