Date: Wed, 12 Jun 2013 10:36:16 -0500 [11:36:16 EDT]
From: Xerox WorkCentre [Xerox.Device9@victimdomain.com]
Subject: Scan from a Xerox WorkCentre
Please download the document. It was scanned and sent to you using a Xerox multifunction device.
File Type: pdf
Download: Scanned from a Xerox multi~3.pdf
multifunction device Location: machine location not set
Device Name: Xerox2023
For more information on Xerox products and solutions, please visit http://www.xerox.com

Attached is a ZIP file, in this case called Scan_06122013_29911.zip which in turn contains an executable Scan_06122013_29911.exe. Note that the date is encoded into the filename so future versions will be different.
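Because the attachment name changes with the date, a mail filter has to match the naming pattern and the archive contents rather than one fixed filename. The following is an added example, not code from the original post: it assumes the pattern Scan_<8 digits>_<digits>.zip (generalised from the single sample name above) and an assumed list of executable extensions, and it runs against a constructed message with harmless placeholder bytes.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumed pattern, generalised from the one sample name in the post:
# Scan_<8-digit date>_<digits>.zip, so later dates still match.
DATED_ZIP = re.compile(r"^Scan_\d{8}_\d+\.zip$", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif")  # assumed extension list


def suspicious_attachments(raw_message: bytes) -> list:
    """Return one finding per ZIP attachment that contains an executable."""
    findings = []
    for part in message_from_bytes(raw_message).walk():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            members = None  # unreadable archive: report it for manual review
        exes = [m for m in members or [] if m.lower().endswith(EXECUTABLE_EXT)]
        if exes or members is None:
            findings.append({
                "zip": name,
                "dated_name": bool(DATED_ZIP.match(name)),
                "executables": exes,
                "unreadable": members is None,
            })
    return findings


def build_sample(zip_name: str, member: str) -> bytes:
    """Constructed test message; the 'executable' is harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder, not a real program")
    msg = EmailMessage()
    msg["From"] = "Xerox WorkCentre <Xerox.Device9@victimdomain.com>"
    msg["Subject"] = "Scan from a Xerox WorkCentre"
    msg.set_content("Please download the document.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

The executable-inside-ZIP check is the stronger signal; the dated-name flag only helps group messages from the same spam run.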
VirusTotal results are 23/47 which is typically patchy. Comodo CAMAS reports that the malware attempts to phone home to forum.xcpus.com on 18.104.22.168 and has the following checksums:
ThreatExpert has some more information, but the ThreatTrack report [pdf] is more detailed and also identifies the following domains and IPs which are probably worth blocking or looking out for:
Update: I'd previously listed 22.214.171.124 on the blocklist, which is a register.it parking server in Italy. That was probably overkill; you might want to unblock it and block ftp.videotre.tv.it instead.