Emails are coming in to email accounts around the world that are exact duplicates of emails received months, or even years ago.

There is one significant difference from the original:  a virus-infected Microsoft Office file is attached.


Someone has managed to get access to email archives from multiple email providers, and is using these to send incredibly legitimate-looking emails to users, to distribute their virus.


This virus is currently poorly detected by antivirus software; as of this writing, 31/60 on virustotal.com.

Until more is known about this virus, it's best to avoid opening any Microsoft Office file attachments received by email.


You've got to hand it to the scammers for their creativity.  Using the name of the Ministry of Transport and claiming a new tax, all to get you to open their fake antivirus installer.

Ministry of Transport Virustotal Results

This one comes in an email with a body similar to one of the following:

Nice hear you again,

how you maybe have prepared hear, the Ministry of Transport
will Modification a tax for your motor vehicle.
Please read attached documentation intimately, in the case of
conserve your finance.

Wish you lucky day!

Mattie Watson

or:

Hello,

how you maybe have prepared hear, the Ministry of Transport will
Switch a fee for your motor vehicle.
Please read attached documentation rigorous, in the cease of
economize on your pelf.

have a nice day!

Pierre Andrade

Of course, it's not actually from a friend of yours, and it's not from the Ministry of Transport, either.  The attachment, a 61KB zip archive, has a name something like "US_CAR_DOCUMENT_03_07_2010.zip", probably with the date in the filename changing, depending on when the email was sent.  An attachment simply named "CAR_DOCUMENTATION.zip" has also been seen.

Opening this zip file shows a single contained file, with the same filename, except for the extension.  The extension on samples that I've seen is doubled, ".DOC.exe", or tripled, ".DOC.________.exe".  This makes it appear at first glance to be a Word document, but it's actually a program.  Running this program by double-clicking will infect your computer with a rogue antivirus product.
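The doubled and tripled extensions described above are easy to check for before anyone double-clicks. The following script is an added example, not code from the original post: it builds a constructed zip archive in memory (placeholder bytes, not the trojan), lists its members, and flags any name whose final extension is executable while an earlier segment looks like a document, treating runs of underscores such as ".DOC.________.exe" as filler. The extension lists are assumptions for illustration, not a complete catalogue of what Windows will execute.

```python
import io
import re
import zipfile

# Extensions Windows will run when double-clicked (illustrative subset, an assumption).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a user expects on a harmless document (illustrative subset).
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".rtf"}


def classify_name(name: str) -> dict:
    """Split a filename into its chain of extensions and flag the masquerade
    pattern from the post: a document extension followed by an executable one,
    optionally separated by filler segments such as '________'."""
    base = name.rsplit("/", 1)[-1]
    parts = base.split(".")
    exts = ["." + p.lower() for p in parts[1:]]
    final = exts[-1] if exts else ""
    # Drop filler segments made only of underscores or spaces, so that
    # ".DOC.________.exe" is judged the same way as ".DOC.exe".
    meaningful = [e for e in exts if not re.fullmatch(r"\.[_ ]+", e)]
    masquerade = (
        final in EXECUTABLE_EXTS
        and any(e in DOCUMENT_EXTS for e in meaningful[:-1])
    )
    return {
        "name": base,
        "final_ext": final,
        "executable": final in EXECUTABLE_EXTS,
        "masquerade": masquerade,
    }


def inspect_zip(data: bytes) -> list:
    """Classify every file member of an in-memory zip archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [classify_name(info.filename) for info in zf.infolist() if not info.is_dir()]


def build_sample_zip(member_names) -> bytes:
    """Constructed sample: a zip whose members are small placeholder files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in member_names:
            zf.writestr(n, b"placeholder bytes, not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip([
        "US_CAR_DOCUMENT_03_07_2010.DOC.exe",   # doubled extension from the post
        "CAR_DOCUMENTATION.DOC.________.exe",   # tripled extension from the post
        "notes.txt",                            # benign member for contrast
    ])
    for result in inspect_zip(sample):
        print(result)
```

A mail gateway or desktop helper would apply the same check to the archive before it reaches the user; the point of stripping filler segments is that a naive "last extension only" check still works, but a "does the name contain .DOC" check alone would wrongly pass the file as a document.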

One particular oddity about this trojan is that, while it's detected by Norton, McAfee, and Trend Micro Housecall, it's not detected by Trend Micro AntiVirus.  Housecall is an online, web-based scanner that's free to use.  Their purchased, install-on-your-computer antivirus product, though, misses this infection.  One would think that both these products would use the same definitions and scanning engine technology, but that's apparently not the case.


The evolution of malware is well underway.  Initially, phishing emails claimed to be from financial institutions.  Most people have now caught on to the fact that an email claiming to be from your bank probably isn't.

So the scammers and malware authors have branched out, using shipping companies, online auction sites, and other such businesses to try to sucker you in.  I've written about some of these before.

An email I received recently goes even further, though.  Now they're using airlines, under the pretense that you've bought a ticket, your credit card has been charged, and the invoice and ticket are attached to the email.

Delta airlines eticket trojan scan results

The email came to me with a subject line of:

Online order for airplane ticket N648365

and email body text of:

Good afternoon,
Thank you for using our new service "Buy airplane ticket Online" on our website.
Your account has been created:

Your login: [obfuscated email address]
Your password: G6vFjbdp

Your credit card has been charged for $998.63.
We would like to remind you that whenever you order tickets on our website you get a
discount of 10%!
Attached to this message is the purchase Invoice and the airplane ticket.
To use your ticket, simply print it on a color printed, and you are set to take off
for the journey!

Kind regards,
Delta Air Lines

My login name was my actual email address, which I've obfuscated for security reasons.

The trojan was in an attached file, "eTicket.zip", and was 209 kilobytes in size. When detached from the email, and saved to my computer, it was 153 kilobytes.  The size difference is due to the way email attachments are encoded to be sent: MIME base64 encoding expands binary data by roughly a third.
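To see where the 209 KB versus 153 KB difference comes from, and to check what an attachment really is regardless of its name, here is an added example (not code from the post). It constructs a small message with the Python standard library's `email` package, attaches a placeholder zip (harmless bytes, not the trojan), then parses the message back and reports, for each attachment, the size of the base64 text as it travels in the mail versus the decoded bytes, plus whether the decoded bytes carry the zip signature `PK\x03\x04`. The sender and recipient addresses and the placeholder content are constructed values.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage


def placeholder_zip(size: int = 1500) -> bytes:
    """Constructed sample attachment: a stored (uncompressed) zip holding one
    placeholder member named like the double-extension samples in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("eTicket.DOC.exe", b"x" * size)
    return buf.getvalue()


def build_sample_eml(attachment_name: str, payload: bytes) -> bytes:
    """Constructed sample message with a short text body and one zip attachment.
    add_attachment() base64-encodes binary payloads, which is the expansion the post noticed."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"          # constructed address
    msg["To"] = "recipient@example.invalid"         # constructed address
    msg["Subject"] = "Online order for airplane ticket (constructed sample)"
    msg.set_content("Attached to this message is the purchase invoice and the ticket.")
    msg.add_attachment(payload, maintype="application", subtype="zip", filename=attachment_name)
    return msg.as_bytes()


def attachment_sizes(raw_eml: bytes) -> list:
    """For each attachment, compare the transfer-encoded text with the decoded
    bytes and test the decoded bytes for the zip magic number."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        encoded_text = part.get_payload(decode=False)   # base64 text, as sent over the wire
        decoded = part.get_payload(decode=True)         # the bytes that land on disk
        results.append({
            "filename": part.get_filename(),
            "transfer_encoding": str(part.get("Content-Transfer-Encoding")),
            "encoded_size": len(encoded_text.encode("ascii")),
            "decoded_size": len(decoded),
            # Check the content, not the name: a ".zip" that is not a zip is worth a look.
            "is_zip": decoded.startswith(b"PK\x03\x04"),
        })
    return results


if __name__ == "__main__":
    raw = build_sample_eml("eTicket.zip", placeholder_zip())
    for r in attachment_sizes(raw):
        ratio = r["encoded_size"] / r["decoded_size"]
        print(f"{r['filename']}: {r['encoded_size']} bytes encoded, "
              f"{r['decoded_size']} bytes decoded, ratio {ratio:.3f}, zip={r['is_zip']}")
```

Base64 turns every 3 bytes into 4 characters, and the encoder breaks the text into 76-character lines, so the encoded size is about 1.35 times the decoded size. Applied to the post's numbers, 153 KB of decoded attachment comes to roughly 207 KB encoded, which matches the 209 KB seen in the mail client.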

The trojan isn't detected as of now by McAfee or Trend Micro, and while Symantec/Norton does detect it, it doesn't really know what it is for sure, as it's simply marked as "Suspicious".


The full-size image of the scan results isn't yet on the site, but it'll be there shortly.


Scammers are using fake Facebook password reset messages again, in order to peddle their fake antivirus software.

A recent email wave of image spam (meaning the text of the email is actually contained in an image, rather than normal email text) attempts to entice users to open an email attachment, purportedly a response to a request for a new password.

This file actually contains a variant of the Bredolab trojan, which installs fake antivirus software.

The image appears as the following text:

Facebook password scam email content

The image text translated to actual text, for the benefit of search engines:

Hey,

You recently requested a new password.
You can find your new password in attached file.

Please note that this email has been sent to all contact emails associated with your account.
If you did not request a new password, it's likely that another person has mistakenly
attempted to log in using your login.
As long as you do not click the link contained in the email, no action will be taken and your
account will remain secure.
For more information, visit our Help Center at http://www.facebook.com/help/?topic=login

Thanks,
The Facebook Team

The attached file is a zip compressed archive, which, when opened, contains the trojan.

Bredolab trojan virustotal.com scan results

The real problem with this particular variant is that it's only detected by 5 out of 41 scanners at virustotal.com: Authentium, AVG, the open source ClamAV, F-Prot, and Sophos.

The big 3 software packages - Norton, McAfee, and Trend Micro - and even the more popular of the smaller providers - NOD32, Microsoft, and Kaspersky - all completely miss it.

This goes to show that obtaining security software based on its relative popularity in the marketplace is not a sound method for keeping your computer safe.

The email claims to be from "Facebook Security", or "Facebook Support".  The emails I've seen also contained names of supposed Facebook employees, undoubtedly fake also, such as "Adelberta Chizmar" and "Travis Cleave".

Beware of social engineering techniques such as this, and don't open any such attachment.


Another variant of the Bredolab trojan is filling email inboxes, this time claiming to be a shipment tracking number from Amazon.

Fake Amazon Bredolab Trojan Scan Results

The scan results at virustotal.com show only 40% of antivirus software is currently catching this virus, and it's missed by McAfee.


The email this one comes in has the subject line of:

Your order has been paid! Parcel NR.2655.


The email body contains the following text:

Goodafternoon!

Thank you for shopping at Amazon.com
We have successfully received your payment.

Your order has been shipped to your billing address.

You have ordered " Sony VAIO VGC-RT100Y "

You can find your tracking number in attached to the e-mail document.

Print the postal label to get your package.


We hope you enjoy your order!
Amazon.com

Note the missing space in the opening "Goodafternoon!"  This kind of mistake is a good indication that the email is not legitimate.

I haven't yet analyzed the activity of this virus, but it appears from the scan results that it will install rogue antivirus software, which then pesters you to purchase with many false positives in a fake scan result.

When I've done my analysis, I'll add to this article with the results.
