ADP Payroll INVOICE for week ending - virus scam email



This fake ADP Payroll invoice scam email claims to have last week's invoice attached, but the attachment is a virus. It spoofs ADP domains.

These often come in huge waves.

The actual ADP company would like a copy of these fake emails if you get them. Forward them to [email address protected].

Subject: ADP Payroll Invoice for week ending 05/10/2013

Subject: Invoice

Subject: Payroll Invoice

Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding 
this invoice, please contact your ADP service team at the number provided on the invoice for assistance.

Thank you for choosing ADP Payroll.

Important: Please do not respond to this message.
It comes from an unattended mailbox. (133)


ADP TotalSource

A copy of your ADP TotalSource Payroll Invoice for the following payroll is is attached in PDF file and
available for viewing.

Year: 13
Week No: 08
Payroll No: 1

Please open attached file to view and check following payrol

This email was generated by an automated notification system.
If you have any questions regarding the invoice or you have misplaced your
MyTotalSource login information, please contact your Payroll
Service Representative. Please do not reply to the email directly.
© 2007 Automatic Data Processing, Inc. (225)

Picture of fake ADP Payroll email with virus.

Header samples:

These spoof the From header and put something random in the envelope sender. Some versions don't spoof anything useful at all.

Received: from []
X-Envelope-From: prickedwjdr7165
From: "run.payroll.invoice" <run.payroll.invoice>

Received: from []
X-Envelope-From: initiates
From: "run.payroll.invoice" <run.payroll.invoice>

Received: from []
X-Envelope-From: artiex888
From: "run.payroll.invoice" <run.payroll.invoice>

Received: from ( []
X-Envelope-From: quarterbacksyqa
From: "ops_invoice" <ops_invoice>

Received: from []
X-Envelope-From: uncontrolledq96
From: "ops_invoice" <ops_invoice>

Received: from []
X-Envelope-From: disowns
From: "run.payroll.invoice" <run.payroll.invoice>

Received: from []
X-Barracuda-Envelope-From: bookendingp06
From: cloutsz3
Subject: Payroll Invoice

Received: from []
X-Envelope-From: unrestw257
From: fairsnsf6
Subject: Payroll Invoice

Received: from []
X-Envelope-From: maintainll
From: "payroll" <twines898>
Subject: Invoice

Attachment examples

15 March 2013 containing inv_#0(DIGIT[10])_03152013.exe | VirusTotal report

13 May 2013 containing ADP_inv_#0(DIGIT[10])_051013.exe | VirusTotal report

14 October 2013 containing invoice_389419201.pdf.exe | VirusTotal report | report

17 Oct 2013 containing a directory called containing invoice_23898422_93mn.pdf.exe and another zip file which contains a directory called Initex.Software.Proxifier.v2.9.Incl.Keymaker-ZWT

The Initex.Software.Proxifier.v2.9.Incl.Keymaker-ZWT directory contains zwt.nfo, file_id.diz, and keygen.exe

keygen.exe virustotal report | report

invoice_23898422_93mn.pdf.exe virustotal report | invoice_23898422_93mn.pdf.exe report

7 April 2014 containing invoice_7529837592352384_8234892ei.pdf.exe

VirusTotal report 

AntiVir             TR/Dropper.VB.7932
ByteHero            Virus.Win32.Heur.p
DrWeb               Trojan.VbCrypt.150
ESET-NOD32          a variant of Win32/Injector.BBJP
Fortinet            W32/Agent.ADBJ!tr 20140406
Malwarebytes        Trojan.Crypt.NKN
McAfee-GW-Edition   Heuristic.BehavesLike.Win32.Suspicious-BAY.K
Microsoft           VirTool:Win32/VBInject

report
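
A mail-gateway style check for the attachment pattern listed above (bare executables, double extensions such as .pdf.exe, and zips nested inside zips), as an added example that is not part of the original page. The extension lists, the depth and size limits, and the sample message with placeholder file contents are assumptions constructed for the demonstration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXEC_EXT = (".exe", ".scr", ".com", ".pif")    # assumed list: run directly by Windows
DECOY_EXT = (".pdf", ".doc", ".xls", ".txt")   # assumed list: decoy before the real one

def classify_name(name):
    """Return 'double-extension', 'executable' or None for a file name."""
    stem, dot, ext = name.lower().rstrip(". ").rpartition(".")
    if dot + ext not in EXEC_EXT:
        return None
    return "double-extension" if stem.endswith(DECOY_EXT) else "executable"

def scan_zip(data, depth=0):
    """Yield (member, verdict) for risky member names, following nested zips."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if (v := classify_name(info.filename)):
                yield info.filename, v
            elif (info.filename.lower().endswith(".zip") and depth < 2
                  and info.file_size <= 10_000_000):   # depth and size caps
                yield from scan_zip(zf.read(info), depth + 1)

def scan_message(raw):
    """Return [(path, verdict), ...] for the attachments of one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name, data = part.get_filename() or "", part.get_payload(decode=True) or b""
        if (v := classify_name(name)):
            findings.append((name, v))
        else:
            findings += [(f"{name}!{m}", v) for m, v in scan_zip(data)]
    return findings

def build_sample():  # constructed message: zip with a .pdf.exe and a nested zip
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("keygen/keygen.exe", b"placeholder, not malware")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice_389419201.pdf.exe", b"placeholder, not malware")
        zf.writestr("extra.zip", inner.getvalue())
    msg = EmailMessage()
    msg.set_content("Your ADP Payroll invoice for last week is attached.")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

Calling scan_message(build_sample()) returns one finding per risky file, with the path inside the archive joined to the attachment name by "!".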
