ADP Payroll INVOICE for week ending - virus scam email


Email:

Fake ADP Payroll invoice virus scam email claims to have last week's invoice attached, but the attachment is a virus. Spoofs ADP domains.

These often come in huge waves.

The actual ADP company would like a copy of these fake emails if you get them. Forward them to ADP's abuse-reporting address.


Subject: ADP Payroll Invoice for week ending 05/10/2013

Subject: Invoice

Subject: Payroll Invoice

Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding 
this invoice, please contact your ADP service team at the number provided on the invoice for assistance.

Thank you for choosing ADP Payroll.

Important: Please do not respond to this message.
It comes from an unattended mailbox.

ADP_inv_#02456266074_051013.zip (133)

Subject: ADP Payroll Invoice

Your ADP Payroll invoice is attached for your review. If you have any questions regarding
this invoice, please contact your ADP service team at the number provided on the invoice
for assistance.

Thank you for choosing ADP Payroll.
Important: Please do not respond to this message. It comes from an unattended mailbox.

invoice_04302014.zip (9)

Subject: Payroll Invoice

ADP TotalSource

A copy of your ADP TotalSource Payroll Invoice for the following payroll is is attached in PDF file and
available for viewing.

Year: 13
Week No: 08
Payroll No: 1

Please open attached file to view and check following payrol

This email was generated by an automated notification system.
If you have any questions regarding the invoice or you have misplaced your
MyTotalSource login information, please contact your Payroll
Service Representative. Please do not reply to the email directly.
© 2007 Automatic Data Processing, Inc.

invoice.zip (225)

Picture of fake ADP Payroll email with virus.


Header samples:

Spoofs adp.com in the From header while the envelope sender is something random. Some versions don't spoof anything useful at all.

Received: from 50.97.36.6-static.reverse.softlayer.com [50.97.36.6]
   X-Envelope-From: prickedwjdr7165 @acm.org
   From: "run.payroll.invoice @adp.com" <run.payroll.invoice @adp.com>

Received: from 67-203-174-134.static-ip.telepacific.net [67.203.174.134]
   X-Envelope-From: initiates @unb.ca
   From: "run.payroll.invoice @adp.com" <run.payroll.invoice @adp.com>

Received: from host109-155-85-131.range109-155.btcentralplus.com [109.155.85.131]
   X-Envelope-From: artiex888 @casesmaker.ru
   From: "run.payroll.invoice @adp.com" <run.payroll.invoice @adp.com>

Received: from sbhisexch.sbhis.net (sbhisexch.sbhis.net [72.11.243.58]
   X-Envelope-From: quarterbacksyqa @momix.org
   From: "ops_invoice @adp.com" <ops_invoice @adp.com>

Received: from 198-91-106-74.static-ip.telepacific.net [198.91.106.74]
   X-Envelope-From: uncontrolledq96 @pado.com.br
   From: "ops_invoice @adp.com" <ops_invoice @adp.com>

Received: from rrcs-184-75-117-10.nyc.biz.rr.com [184.75.117.10]
   X-Envelope-From: disowns @heinemann.com
   From: "run.payroll.invoice @adp.com" <run.payroll.invoice @adp.com>

Received: from cable-188-2-208-249.dynamic.sbb.rs [188.2.208.249]
X-Barracuda-Envelope-From: bookendingp06 @praechtiger.com
From: cloutsz3 @scottstanchak.com
Subject: Payroll Invoice

Received: from 216.232.6.186.f.dyn.codetel.net.do [186.6.232.216]
X-Envelope-From: unrestw257 @uymai.net
From: fairsnsf6 @thecoalitionnetwork.com
Subject: Payroll Invoice

Received: from [182.70.132.164]
X-Envelope-From: maintainll @jodidavishomes.com
From: "payroll @adp.com" <twines898 @wiezijnwij.nl>
Subject: Invoice
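The header samples above all share one tell: the From header names adp.com while the envelope sender (X-Envelope-From / X-Barracuda-Envelope-From) and the sending host belong to someone else, and in the last sample the display name shows an @adp.com address that differs from the real address. The following is an added example, not code from the original post or from ADP, that turns those observations into a small gateway-style check. It re-joins the " @" defanging the post uses, parses three constructed header fragments (two shaped like the post's samples, one clean control case), and reports why each is suspicious. The function names, the header list and the dynamic-host regex are this example's own choices.

```python
"""Spoof checks for the fake ADP Payroll invoice mails (added example)."""
import re
from email.utils import parseaddr

# Constructed samples shaped like the header fragments in the post.
# The post defangs addresses with a space before '@'; parse_headers undoes that.
SAMPLE_HEADERS = [
    """Received: from 50.97.36.6-static.reverse.softlayer.com [50.97.36.6]
X-Envelope-From: prickedwjdr7165 @acm.org
From: "run.payroll.invoice @adp.com" <run.payroll.invoice @adp.com>
Subject: Payroll Invoice""",
    """Received: from [182.70.132.164]
X-Envelope-From: maintainll @jodidavishomes.com
From: "payroll @adp.com" <twines898 @wiezijnwij.nl>
Subject: Invoice""",
    # Clean control case (constructed, not from the post).
    """Received: from mail.example-legit.test [203.0.113.5]
X-Envelope-From: billing @example-legit.test
From: "Billing" <billing @example-legit.test>
Subject: Your invoice""",
]

# Envelope-sender headers seen in the post's samples, plus the standard one.
ENVELOPE_HEADERS = ("X-Envelope-From", "X-Barracuda-Envelope-From", "Return-Path")
CLAIMED_BRAND_DOMAIN = "adp.com"


def parse_headers(raw):
    """Return {header name: value}, re-joining the ' @' defanging."""
    headers = {}
    for line in raw.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip().replace(" @", "@")
    return headers


def domain_of(addr):
    """Lower-case domain of the real address in an RFC 5322 header value."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def display_domain(from_value):
    """Domain shown inside the display name, if the name contains an address."""
    name, _ = parseaddr(from_value)
    m = re.search(r"@([\w.-]+)", name)
    return m.group(1).lower() if m else ""


def envelope_domain(headers):
    """Domain of the first envelope-sender header present."""
    for h in ENVELOPE_HEADERS:
        if h in headers:
            return domain_of(headers[h])
    return ""


def assess(raw):
    """Return (verdict, reasons) for one header block."""
    h = parse_headers(raw)
    from_dom = domain_of(h.get("From", ""))
    shown_dom = display_domain(h.get("From", ""))
    env_dom = envelope_domain(h)
    reasons = []
    # 1. Brand domain claimed in From (address or display name) but the
    #    envelope sender lives elsewhere, as in every sample in the post.
    claims_brand = CLAIMED_BRAND_DOMAIN in (from_dom, shown_dom)
    if claims_brand and env_dom and env_dom != CLAIMED_BRAND_DOMAIN:
        reasons.append(f"From claims {CLAIMED_BRAND_DOMAIN} but envelope sender is {env_dom}")
    # 2. Display name shows a brand address that differs from the real one
    #    (the "payroll @adp.com" <twines898 @wiezijnwij.nl> case).
    if shown_dom and shown_dom != from_dom:
        reasons.append(f"display name shows @{shown_dom} but address is @{from_dom}")
    # 3. Reverse DNS of the sending host looks like an end-user/dynamic line
    #    rather than a business mail relay (tokens taken from the post's samples).
    recv = h.get("Received", "")
    if re.search(r"(dynamic|dyn\.|static-ip|range\d|cable-|rrcs-)", recv, re.I):
        reasons.append("sending host looks like an end-user / dynamic address")
    verdict = "suspicious" if reasons else "no spoof indicators"
    return verdict, reasons


if __name__ == "__main__":
    for raw in SAMPLE_HEADERS:
        verdict, reasons = assess(raw)
        print(verdict, "-", "; ".join(reasons) or "clean")
```

The third rule is deliberately the weakest of the three: plenty of real mail comes from hosting ranges with "static" in the name, so on its own it should raise a score rather than block. Rules 1 and 2 are the ones that catch every sample in the post, and they are exactly the mismatch that SPF and DMARC alignment checks would also surface for adp.com.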

Attachment examples

15 March 2013

inv_#01893838367_03152013.zip containing inv_#0(DIGIT[10])_03152013.exe | VirusTotal report

13 May 2013

ADP_inv_#02456266074_051013.zip containing ADP_inv_#0(DIGIT[10])_051013.exe | VirusTotal report

14 October 2013

Invoice.zip containing invoice_389419201.pdf.exe | VirusTotal report | Malwr.com report

17 Oct 2013

Invoice.zip containing a directory (name not captured) that contains invoice_23898422_93mn.pdf.exe and another zip file, Initex.Software.Proxifier.v2.9.Incl.Keymaker-ZWT.zip, which contains a directory called Initex.Software.Proxifier.v2.9.Incl.Keymaker-ZWT

The Initex.Software.Proxifier.v2.9.Incl.Keymaker-ZWT directory contains zwt.nfo, file_id.diz, and keygen.exe

keygen.exe virustotal report | malwr.com report

invoice_23898422_93mn.pdf.exe virustotal report | invoice_23898422_93mn.pdf.exe malwr.com report

7 April 2014

invoice.zip containing invoice_7529837592352384_8234892ei.pdf.exe | VirusTotal report | Malwr.com report 

30 April 2014

invoice_04302014.zip containing invoice_04302014.scr

VirusTotal report 

At 0643 MDT it had a detection score of 0 on VirusTotal!

Malwr.com report 

Starts servers listening on 0.0.0.0:0
Performs some HTTP requests
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup

HTTP GETs: expoperfumes.com.mx /images/stories/Targ-3004USmp.tar
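Every attachment in the list above is a zip whose payload is an executable dressed up as a document: inv_#0(ten digits)_MMDDYY.exe, invoice_NNN.pdf.exe double extensions, an invoice_04302014.scr screensaver, and in the 17 Oct 2013 sample a nested zip carrying keygen.exe. The following is an added example, not code from the original post, that encodes those naming patterns as rules and walks a zip (including nested zips) in memory, so it can be dropped in front of a mail filter or run over a quarantine directory. The sample archive it builds mirrors the 17 Oct 2013 layout with dummy bytes as contents; the outer directory name, which the post does not give, is the placeholder "unnamed_dir". Function names and the extension lists are this example's own.

```python
"""Attachment-name checks for the ADP invoice malspam (added example)."""
import io
import re
import zipfile

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Document-looking middle extensions used to disguise an executable.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "htm", "html"}

# Regexes derived from the filenames listed in the post; the post's
# "(DIGIT[10])" notation becomes \d{10}, and the trailing date is 6 or 8 digits.
CAMPAIGN_PATTERNS = [
    re.compile(r"^(ADP_)?inv_#0\d{10}_\d{6,8}\.exe$", re.I),    # inv_#0XXXXXXXXXX_MMDDYY.exe
    re.compile(r"^invoice_\d+(_[0-9a-z]+)?\.pdf\.exe$", re.I),  # invoice_389419201.pdf.exe
    re.compile(r"^invoice_\d{8}\.scr$", re.I),                  # invoice_04302014.scr
]


def has_double_extension(name):
    """True for names like report.pdf.exe where a document extension hides an executable."""
    parts = name.lower().rsplit(".", 2)
    return (len(parts) == 3 and parts[1] in DECOY_EXTS
            and "." + parts[2] in EXECUTABLE_EXTS)


def check_zip_member(name):
    """Return the list of reasons a member name is suspicious (empty if clean)."""
    base = name.rsplit("/", 1)[-1]          # strip any directory prefix
    lower = base.lower()
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable member {base}")
    if has_double_extension(base):
        reasons.append(f"double extension {base}")
    if any(p.match(base) for p in CAMPAIGN_PATTERNS):
        reasons.append(f"matches ADP-invoice campaign naming: {base}")
    return reasons


def check_zip_bytes(data, prefix=""):
    """Scan every member of a zip held in memory; descend into nested zips.

    Returns {member path: reasons}. Nested members are written as
    outer.zip!/inner/path so the finding points at the right layer.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.filename.lower().endswith(".zip"):
                # Nested archive, as in the 17 Oct 2013 sample.
                findings.update(check_zip_bytes(zf.read(info), prefix=path + "!/"))
                continue
            reasons = check_zip_member(info.filename)
            if reasons:
                findings[path] = reasons
    return findings


def build_sample_zip():
    """Constructed archive mirroring the 17 Oct 2013 layout; contents are dummy bytes."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Initex.Software.Proxifier.v2.9.Incl.Keymaker-ZWT/keygen.exe", b"MZ dummy")
        zf.writestr("Initex.Software.Proxifier.v2.9.Incl.Keymaker-ZWT/zwt.nfo", b"text")
        zf.writestr("Initex.Software.Proxifier.v2.9.Incl.Keymaker-ZWT/file_id.diz", b"text")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        # "unnamed_dir" is a placeholder: the post does not record the directory name.
        zf.writestr("unnamed_dir/invoice_23898422_93mn.pdf.exe", b"MZ dummy")
        zf.writestr("unnamed_dir/Initex.Software.Proxifier.v2.9.Incl.Keymaker-ZWT.zip",
                    inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for member, reasons in check_zip_bytes(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons))
```

The name checks are cheap and catch every sample in the post, but they are a first gate, not a verdict: the 30 April 2014 .scr scored 0 on VirusTotal at first sight, which is exactly why blocking executables inside mailed zips outright (regardless of name) is the policy most mail gateways apply.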
