Since late last week, we have been observing a fair amount of spam with a Trojan payload, purporting to be a money transfer notification from Western Union. The spam looks like this (the attachment in this screenshot has been stripped by a scanner -- the actual attachment should read "Western Union Information.exe"):

[Screenshot: the Western Union spam message]

The text may read something like this:


Dear Mike

Total of #3750 has been transferred by western union

MTCN number is 007-188-6024.

Enclosed is the western union sheet

Robert

or

Dear Mike

Total of $3750 has been transferred by wetern union

The MTCN number is 007-188-6024.

Enclosed is the transfer sheet

I hope this settles my transfer

Robert

The payload is Trojan.Perfloger. Other scanners report it under many other names. A VirusTotal scan is here:

http://www.sunbelt-software.com/ihs/alex/virustotalperflogger.pdf

After the Trojan is executed, the user sees a text file:

[Screenshot: the text file shown to the user]

But that, of course, is the least of their problems.

An analysis of the program is on the Sunbelt Sandbox, here:
http://research.sunbelt-software.com/ViewMalware.aspx?id=2854232
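
The traits of this spam described above (an executable attachment arriving with Western Union / MTCN wording) can be checked at a mail gateway. The following Python is an added example, not code from the original post or from Sunbelt; the function names, the extension list, the sender addresses and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs directly on double-click (assumed list, extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# MTCN as formatted in the sample text above: 3-3-4 digits shortly after "MTCN".
MTCN_RE = re.compile(r"\bMTCN\b.{0,20}?\b\d{3}-\d{3}-\d{4}\b", re.I | re.S)
# Tolerates the "wetern union" misspelling seen in one variant.
BRAND_RE = re.compile(r"\bwes?tern\s+union\b", re.I)


def triage(raw: bytes) -> dict:
    """Return the lure indicators found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    exes = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            exes.append(name)
    hits = {
        "brand": bool(BRAND_RE.search(text)),
        "mtcn": bool(MTCN_RE.search(text)),
        "executable_attachments": exes,
    }
    # Money-transfer wording alone is common; the executable is what tips it.
    hits["quarantine"] = bool(exes) and (hits["brand"] or hits["mtcn"])
    return hits


def build_sample(with_exe: bool) -> bytes:
    """Constructed test message modelled on the text quoted in the post."""
    m = EmailMessage()
    m["From"] = "robert@example.invalid"
    m["To"] = "mike@example.invalid"
    m.set_content("Dear Mike\n\nTotal of $3750 has been transferred by wetern union\n\n"
                  "The MTCN number is 007-188-6024.\n\nEnclosed is the transfer sheet\n")
    if with_exe:
        # Harmless placeholder bytes, not a real executable.
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream",
                         filename="Western Union Information.exe")
    return m.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample(True)), triage(build_sample(False)))
```

A message whose attachment was already stripped upstream, as in the screenshot, still matches on `brand` and `mtcn` but is not quarantined, so those two flags can be logged separately to measure campaign volume.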