Our friends at iDefense/Verisign shared a template with us for a new IRS phishing e-mail which they expect to be mail out soon (today). The template looks like it will be sent as a multipart mime encoded email with plain text and html part.

The '%' keywords in the template will be replaced with customized content. Expect URL like this to be used:
http://ads.tvfly.com/banner/.error_log/b.php

note that the directory starts with a '.' in order to hide it on compromised unix systems. Another common directory name is '.bbb'. file names to expect are b.php, kit.zip, update.exe

Here is the top part of the template:

From=IRS e-file <efilesubmission@irsefile.gov>
Reply-To=IRS e-file <efilesubmission@irsefile.gov>
Subject=Known e-file Issues and Solutions (2007 tax year), for %comp%!
%TEXT_TEMPLATE_DELIMITER%

Binary Attachments

___________________


It has come to the attention of the IRS Modernized e-File office that
some transmitters/software developers/return originators are creating 
binary files incorrectly. In some instances, the IRS was unable to 
display the PDF document because of improper formatting.
Effective immediately, please ensure that binary attachments are created 
according to the PDF standards in this correspondence.
The internal identifier (first five bytes of the file) must be the 
standard PDF identifier, "%PDF-".
Please download the correct PDF form for your business needs here:
%link%