So we're well into another cycle of email-delivered trojans. Because
the spammers need fresh IPs to hijack?
VT report here:
https://www.virustotal.com/en/file/ac757dbceb00337faff1d44e7385ab223c1fc28035fe58be3997ede9fd25bda3/analysis/1412897559/
Even 4 hours after I got it, VT scan result is a somewhat pathetic
13/54.
Get your own copy here:
http://filepost.com/files/48ec451b/Copy_of_document_Oct-09-2014.rar/
Here's who could id this as bad:
Agnitum Packed/PECompact
Avast Win32:Malware-gen
Baidu-Int. Trojan.Win32.Injector.BBCUZ
Bkav HW32.Paked.BE80
Cyren W32/Trojan.BAMT-4106
ESET-NOD32 a variant of Win32/Injector.BCUZ
McAfee Downloader-FAHG!8D817BDA961E
McAfee-GW BehavesLike.Win32.Ransom.cc
Qihoo-360 HEUR/Malware.QVM17.Gen
Rising PE:Trojan.Win32.Generic.1764E2FC!392487676
Sophos Mal/Wonton-G
Tencent Win32.Trojan.Backdoor.Auto
TrendMicro-HC TROJ_GEN.F0E9H0ZJ914
So a few of the weird-ass AV programs got it. Look who didn't:
AVG
Avira
Bit Defender
ClamAV
F-Prot
F-Secure
Kaspersky
Malwarebytes <------- (joke)
Macro$haft (to be expected)
Norman
Symantec
TrendMicro (not the "HouseCall" version)
and a bunch of other weird-ass software.
Anubis analysis here:
https://anubis.iseclab.org/?action=result&task_id=19ee7b4ad683e0e5465677652cbfbffab&format=html
No DNS lookups or network conversations (?)
Modifies lots of registry values though.
Sent to me via 24.243.166.171 (cpe-24-243-166-171.hot.res.rr.com)
Thanks RoadMunger for continuing to not block port-25 for your
brain-dead residential customers.
--------------
Subject: Notice to appear
From: "Notice to Appear" (wow, they put a lot of effort into that!)
X-Mailer: XimianEvolution1.4.6
Notice to Appear,
The copy of the court notice is attached to this letter.
Please, read it thoroughly.
Truly yours,
Clerk to the Court,
Susan Tailor
---------------
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)