Fake “Windows XP Recovery” tool.

We have analyzed below malicious email. As usual it pretends to be from DHL Inc.

As we can see this email has a zip file attachment which contains a malware.
On extraction of this zip file user gets an executable file which has icon like a pdf file.

If this file gets executed it runs a script file from url “https://9X.6X.9.15/f/g.php”
and downloads the fake tool file from the url “https://6X.9X.116.16/pusk3.exe”

After downloaded file is executed on the affected machine and it works as a fake “Windows XP Recovery” tool.
It hides all the items which are present on the users desktop. It displays frequently a fake “Hard Drive Failure”
error message. The fake tool is as shown below:

Quickheal detects the malware file as “TrojanDownloader.Dapato.dt” so users are already protected.
We recommend users not to open such attachments from the unknown emails.