The mail below landed in my mailbox today with an attachment named DHL_Tracking_NR.324-492383.zip; as a curious user, I went to check it.
————————————————————————–
Subject: DHL Tracking number #1488883
From: xxxxxxxxxxxxxxxx
Date: Tue, May 24, 2010 10:09 am
To: xxxxxxxxxxxxxx
Good morning,
We were not able to deliver postal package you sent on the 22nd May in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our
office.
Your personal manager: Dolly Gibson,
Customer Service: 1-800-CALL-DHL
Fax: 888-378-9347
DHL International, Ltd. All Rights Reserved.
————————————————————————–
When extracted, a file named DHL_Tracking_NR.324-492383.DOC.exe was present (a double extension, so the file looks like a Word document when extensions are hidden). Once this file was opened, it dropped the following files on the system:
[System32 Folder]\pgsb.lto
[Current Profile Folder]\Local Settings\Temp\3.tmp
In the registry it added the following value, so the dropped file is loaded by rundll32.exe as the shell at every logon:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe rundll32.exe pgsb.lto csxyfxr"
It then tried to connect to a remote system to download another trojan. After a few minutes the system started showing fake messages, and eventually a fake antivirus program got installed.
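As an added example (not part of the original post), here is a PowerShell check for the Winlogon Shell hijack described above: it reports any Shell value other than the default explorer.exe and tries to locate and hash every extra module the value names. The registry keys are the standard Winlogon keys; the directories searched for the module are an assumption based on where this sample dropped its files.

```powershell
# Added example, not from the original post: audit the Winlogon 'Shell' value this
# sample hijacked. Anything beyond the default 'explorer.exe' is reported, and any
# extra program or rundll32 module named in the value is located and hashed so it
# can be collected. Run in an elevated PowerShell on the host being examined.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # per-user override, normally absent
)

function Resolve-DroppedFile {
    param([string]$Name)
    # A bare file name in the Shell value resolves via the search path; System32 is
    # where this sample placed pgsb.lto, so it is checked first (assumed locations).
    foreach ($dir in @("$env:SystemRoot\System32", $env:SystemRoot, $env:TEMP)) {
        $candidate = Join-Path $dir $Name
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $null
}

foreach ($key in $winlogonKeys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if (-not $shell) { continue }                      # value not present under this hive
    if ($shell.Trim() -ieq 'explorer.exe') { "$key : Shell is the default"; continue }

    Write-Warning "$key : non-default Shell value -> '$shell'"
    # Split the command line into tokens; this sample's value is
    # 'Explorer.exe rundll32.exe pgsb.lto csxyfxr', i.e. a DLL plus an export name.
    $tokens = $shell -split '\s+' | Where-Object { $_ -ne '' -and $_ -ine 'explorer.exe' }
    foreach ($token in $tokens) {
        $path = Resolve-DroppedFile $token
        if ($path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            "  $token -> $path  SHA256=$hash"     # rundll32.exe itself is legitimate; the module is the finding
        } else {
            "  $token -> not found on disk (export name, or module already removed)"
        }
    }
}
```

A clean host prints only "Shell is the default" for HKLM; a non-default value together with a module sitting in System32 is the persistence this sample set up.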
We have released protection against this fake AV / rogueware, which is detected as Securityessentials2010.