Over the last 48 hours we've seen a huge increase in ZIP'd malicious e-mail attachments being spammed. The subjects have been:
Your Tracking #xxxxxxxx (where xxxxxxx is a random number)
New Ticket #xxxxx (where xxxxx is a random number)
Accounts Operations Report
Your Statement between 1/1/08 and 10/30/08
The ZIP file typically contains a file that looks like a document (.DOC) but is really an EXE; there is just a lot of whitespace between .DOC and .EXE.
Some of these ZIP files are protected by a password which makes it more likely to be allowed through an e-mail server. The password is always in the e-mail message so that the recipient can easily see it.
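A mail gateway can check for both tricks described above, the whitespace-padded name and the password protection, without extracting anything. The following is an added example, not code from the original post; the extension lists and the names inspect_zip and build_sample are assumptions, and the sample archive is constructed.

```python
import io
import re
import zipfile

# Extension lists are assumptions for this example; extend them for your environment.
DOC_EXTS = ("doc", "pdf", "xls", "rtf", "txt")
EXE_EXTS = ("exe", "scr", "com", "pif")

# A document-style extension, a run of whitespace, then the real executable extension.
PADDED_NAME = re.compile(
    r"\.(?:%s)\s+\.(?:%s)\s*$" % ("|".join(DOC_EXTS), "|".join(EXE_EXTS)),
    re.IGNORECASE,
)

def inspect_zip(data):
    """Return {member name: [reasons]} for suspicious entries in a ZIP attachment."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = []
            if PADDED_NAME.search(info.filename):
                reasons.append("whitespace-padded double extension")
            elif info.filename.lower().rsplit(".", 1)[-1].strip() in EXE_EXTS:
                reasons.append("executable extension")
            # Bit 0 of the general-purpose flags marks a password-protected entry.
            # With traditional ZIP encryption the member names in the central
            # directory stay readable, so the name check works without the password.
            if info.flag_bits & 0x1:
                reasons.append("password-protected entry")
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample():
    """Constructed sample: harmless bytes under a padded name, plus a plain document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Statement.doc" + " " * 40 + ".exe", b"not a real executable")
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample()).items():
        print(repr(name), "->", ", ".join(reasons))
```

Printing the name with repr() makes the padding visible in logs, which a plain print would hide in the same way a file browser does.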
Using e-mail attachments has made a comeback in popularity amongst malware writers during the last few months. We detect this latest batch as variants of the Worm:W32/Autorun family.