Cash and "Labels and such" lead to ZEUS
Websense customers are protected by the real-time protection in our Advanced Classification Engine (ACE).
Here is a screen shot of an email message with an HTML attachment:
When viewing the deobfuscated content we see that the script uses a meta refresh tag to redirect a user who views the attachment. The script checks which browser is used and only performs the redirection if one of the following browsers is in use: Firefox (navigator.userAgent.indexOf('Gecko')) or Chrome/Safari (navigator.userAgent.indexOf('KHTML')).
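As an added illustration (not code from the original post), the following Python scanner looks for the combination described above in an already deobfuscated HTML attachment: navigator.userAgent sniffing plus a meta refresh redirect. The sample attachment, the hostname pharma.example.invalid and the function names are constructed for this example.

```python
"""Flag HTML attachments that pair navigator.userAgent checks with a meta refresh.
Input is assumed to be deobfuscated already; this is a constructed example."""
import re

# navigator.userAgent.indexOf('Gecko')  -> captures the engine token being tested
UA_CHECK_RE = re.compile(
    r"navigator\.userAgent\.indexOf\(\s*['\"]([^'\"]+)['\"]\s*\)", re.IGNORECASE)
# Whole <meta ...> tags; attribute order inside the tag does not matter
META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
# Quotes may be backslash-escaped when the tag is emitted via document.write
REFRESH_ATTR_RE = re.compile(r"http-equiv\s*=\s*[\\'\"]*refresh", re.IGNORECASE)
URL_ATTR_RE = re.compile(
    r"content\s*=\s*[\\'\"]*\d+\s*;\s*url\s*=\s*[\\'\"]*([^'\">\s\\]+)", re.IGNORECASE)


def meta_refresh_targets(html: str) -> list:
    """Return the URLs of every meta refresh tag found in the document."""
    targets = []
    for tag in META_TAG_RE.finditer(html):
        text = tag.group(0)
        if REFRESH_ATTR_RE.search(text):
            match = URL_ATTR_RE.search(text)
            if match:
                targets.append(match.group(1))
    return targets


def analyze_attachment(html: str) -> dict:
    """Summarise the user-agent tokens checked, the redirect targets, and a verdict."""
    tokens = sorted({m.group(1) for m in UA_CHECK_RE.finditer(html)})
    targets = meta_refresh_targets(html)
    return {"ua_tokens": tokens, "redirect_targets": targets,
            "suspicious": bool(tokens) and bool(targets)}


def would_redirect(tokens: list, user_agent: str) -> bool:
    """Replicate the attachment's substring test against a given User-Agent string."""
    return any(tok in user_agent for tok in tokens)


# Constructed sample mirroring the pattern in the post (not the real attachment)
SAMPLE_ATTACHMENT = """<html><body><script>
if (navigator.userAgent.indexOf('Gecko') != -1 || navigator.userAgent.indexOf('KHTML') != -1) {
  document.write('<meta http-equiv="refresh" content="0;url=http://pharma.example.invalid/">');
}
</script></body></html>"""
```

Because Chrome and Safari send "KHTML, like Gecko" in their User-Agent, a check for either token catches both engines, while an Internet Explorer 8 User-Agent contains neither and falls through.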
A user who is using one of the affected browsers will get redirected to a pharmaceutical site like this one:
For email messages that have ZIP attachments, the ZIP file has coverage in VirusTotal of 5/43. The "label.zip" file contains "label.exe", which is a copy of Zeus. The malware copies itself to "C:\Documents and Settings\user\Application Data\Ewca\refef.exe" and tries to access two sites located in the .ru zone.
Here is a screen shot of the encrypted Zeus configuration file being downloaded after the malware injects itself into a legitimate process:
So far, we have seen more than 100,000 email messages like this.