The originator of the email was NOT the official domain of La Poste. Here is an extract of the MIME headers and contents (HTML stripped):
Delivered-To: *hidden*@gmail.com
Received: by 10.68.54.98 with SMTP id i2csp72104pbp;
Wed, 23 Jan 2013 18:53:29 -0800 (PST)
X-Received: by 10.14.223.135 with SMTP id v7mr1256308eep.41.1358996008951;
Wed, 23 Jan 2013 18:53:28 -0800 (PST)
Return-Path: <ervice@clinet.fr>
Received: from out.smtpout.orange.fr (out03.smtpout.orange.fr. [193.252.22.212])
by mx.google.com with ESMTP id n5si39111788eeo.253.2013.01.23.18.53.28;
Wed, 23 Jan 2013 18:53:28 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning ervice@clinet.fr does not designate 193.252.22.212 as permitted sender) client-ip=193.252.22.212;
Authentication-Results: mx.google.com;
spf=softfail (google.com: domain of transitioning ervice@clinet.fr does not designate 193.252.22.212 as permitted sender) smtp.mail=ervice@clinet.fr
Received: from mwinb2k04.me-wanadoo.net ([10.223.3.78])
by mwinf5d64 with ME
id retU1k0061gzcpE03etURd; Thu, 24 Jan 2013 03:53:28 +0100
Received: by mwinb2k04.me-wanadoo.net (SMTP Server, from userid 1001)
id 0C1A41406C; Thu, 24 Jan 2013 03:53:28 +0100 (CET)
Received: from mwinf5c24 (mwinf5c24.me-wanadoo.net [10.223.111.74])
by mwinb2k04 with LMTPA;
Thu, 24 Jan 2013 03:53:28 +0100
X-Sieve: CMU Sieve 2.3
Received: from slow.vmail.no ([193.75.16.12])
by mwinf5c24 with ME
id retF1k00p0Fd0ih01etT1e; Thu, 24 Jan 2013 03:53:27 +0100
X-bcc: *hidden*@wanadoo.fr
X-ME-engine: default
X-me-spamrating: 40.00
X-me-spamcause: (0)(0000)gggruggvucftvghtrhhoucdtuddrfeehledrjeekgddutdcutefuodetggcurfhrohhfihhlvgemucfogfenuceurghilhhouhhtmecugedttdenucenucfhrhhomhepshgvrhhvihgtvgesvehhrhhonhhophhoshhtrdhfrhenucffohhmrghinhepghhonhhfrghrohhnrghuthhophgrshhsihhonhdrtghomhenucfjughrpefkhffvufhrffggtgfgsehhqheftddttddu
X-me-spamlevel: not-spam
Received: from pmx.vmail.no (pmx.vmail.no [193.75.16.11])
by slow.vmail.no (slow1.isp.as2116.net) with ESMTP id F288D8F468
for <*hidden*@wanadoo.fr>; Thu, 24 Jan 2013 03:36:31 +0100 (CET)
Received: from pmx.vmail.no (localhost [127.0.0.1])
by localhost (pmx8.isp.as2116.net) with SMTP id A6AF5670C4
for <*hidden*@wanadoo.fr>; Thu, 24 Jan 2013 03:36:21 +0100 (CET)
Received: from smtp.bluecom.no (smtp.bluecom.no [193.75.75.28])
by pmx.vmail.no (pmx8.isp.as2116.net) with ESMTP id 695016666A
for <*hidden*@wanadoo.fr>; Thu, 24 Jan 2013 03:36:21 +0100 (CET)
Received: from clinet.fr (c0B9645C1.dhcp.as2116.net [193.69.150.11])
by smtp.bluecom.no (Postfix) with ESMTP id D294E9C
for <*hidden*@wanadoo.fr>; Thu, 24 Jan 2013 03:36:20 +0100 (CET)
Message-ID: <20130124033617.279E56C44570F596@Chronopost.fr>
From: service@Chronopost.fr
To: *hidden*@wanadoo.fr
Subject: Suivi de votre colis.
Reply-To: ser@pmx.vmail.no
Date: 24 Jan 2013 03:36:17 +0100
MIME-Version: 1.0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Dear customer,
Chronopost informs you that the shipment of your order is available.
Pickup point
Post office
The shipment will be available for 7 or 14 days depending on your product, starting from the date it is made available. After that, it will be returned to the sender.
A third party may collect the shipment in place of the recipient. To do so, they must present:
their identity card
the recipient's identity document
a proxy (on plain paper or the delivery notice filled in on the back)
You can track this shipment at any time by clicking here.
Thank you for choosing Chronopost.
Kind regards,
Your Chronopost Customer Service
It was an easy-to-detect FAKE alert, as I was definitely not expecting any delivery from anywhere.
The Zip file was what the link “Cliquez ici” was pointing to:
http://chronopost.service.client.fr.gonfaronautopassion.com/Chronopost.Suivi colis .zip
The URL itself is definitely NOT La Poste.
So the domain gonfaronautopassion.com is infected!
The new virus, worm or phishing payload (or whatever it may be) was submitted to VirusTotal, which found it was infected (detected by BitDefender):
I have a copy of this zip file if Avast wants to inspect it, because for now no tool actually detects it (I have NOT run the .exe file it contains). EDIT: I have submitted the .zip file to Avast.
This worm installs a backdoor connected to the Tor network, controlled by bots to execute random code on request. It is very harmful. It is also being distributed in the wild as a trojan by email (in fact originating from bots running on hosts connected to this Tor network). It can execute arbitrary code on request, but most users would see that the worm at first does nothing other than wait for commands; then it will start being used, for example to run a spambot that distributes various trojans and malware by email.
It seems related to a similar worm (Gen:Variant.Kazy.50365, alias “Win32:Cybota [Trj]” for Avast), of which it is a new variant:
https://www.virustotal.com/file/9f545abe899bb5dea8f6f8a2779d15c713d530f5a0afd0e8243bf3c6ad28a4e0/
Almost all variants of “Gen:Variant.Kazy.*” are also known to install a KEYLOGGER on the victim machine, in order to spy on your passwords (notably on bank sites or sites with authorized payments by your credit card, like eBay and PayPal).
This is therefore definitely not a “Potentially Unwanted Program” as ClamAV says; it is much more dangerous than that.
EDIT: I’ve contacted the editors of the website running on www.gonfaronautopassion.com to verify and clean up the contents of their DNS zone, as there’s evidence that the rogue subdomain was hijacked. They should secure their DNS better and change the password used to edit their DNS zone (because this password was evidently stolen by a keylogger or spyware running on the host used by one of the website editors).
I also instructed them to visit this forum page (as well as the page on VirusTotal) for more information.
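The checks the post makes by eye (Return-Path and Reply-To not matching the From domain, SPF softfail, the origin hop announcing itself as clinet.fr while its reverse DNS is a dhcp host, and the From domain never appearing in the Received chain) can be scripted. This is an added example, not part of the post; the header extract is constructed from the headers quoted above with the recipient address omitted, and `base_domain` deliberately uses only the last two labels of a hostname.

```python
import email
import re

# Constructed header extract (folded as it would arrive), based on the post above.
RAW_HEADERS = """\
Return-Path: <ervice@clinet.fr>
Received: from out.smtpout.orange.fr (out03.smtpout.orange.fr. [193.252.22.212])
    by mx.google.com with ESMTP id n5si39111788eeo.253.2013.01.23.18.53.28
Received-SPF: softfail (google.com: domain of transitioning ervice@clinet.fr
    does not designate 193.252.22.212 as permitted sender) client-ip=193.252.22.212;
Received: from clinet.fr (c0B9645C1.dhcp.as2116.net [193.69.150.11])
    by smtp.bluecom.no (Postfix) with ESMTP id D294E9C
From: service@Chronopost.fr
Reply-To: ser@pmx.vmail.no

"""

HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[\]]*)\s*\[([\d.]+)\]\)")

def domain_of(addr):
    """Lower-cased domain of 'user@host' or '<user@host>' (empty if none)."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""

def base_domain(host):
    """Last two labels of a hostname; a simplification that ignores public suffixes."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze_headers(raw):
    """Return a list of findings that point at a spoofed or suspicious sender."""
    msg = email.message_from_string(raw)   # default policy handles folded header lines
    findings, seen = [], set()
    from_dom = domain_of(msg.get("From"))
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(hdr))
        if dom and base_domain(dom) != base_domain(from_dom):
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    spf = (msg.get("Received-SPF") or "").split(" ", 1)[0].lower()
    if spf in ("fail", "softfail"):
        findings.append(f"SPF result is {spf}")
    for rcvd in msg.get_all("Received") or []:       # newest hop first, origin hop last
        m = HOP_RE.search(" ".join(rcvd.split()))
        if m:
            helo, rdns, ip = m.groups()
            seen.update((base_domain(helo), base_domain(rdns)))
            if rdns and base_domain(helo) != base_domain(rdns):
                findings.append(f"hop {ip} announced as {helo} but reverse DNS is {rdns}")
    if from_dom and base_domain(from_dom) not in seen:
        findings.append(f"From domain {from_dom} appears in no Received hop")
    return findings
```

Running `analyze_headers(RAW_HEADERS)` on this extract yields five findings, one for each of the signs listed in the lead-in.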