There was another spam run of the fake UPS invoice yesterday, this time with a different version of the malware, in the zip attachment:
What was interesting, was that the signatures I'd added to catch the last one, detected the new varient too:
As you can see from the above stats graph, Email_Malware_Sanesecurity_08072227
(in yellow) was being blocked from around 5.30pm to 7pm. ClamAV started detecting the attched file at 7pm (Trojan_Zbot_1737).
What does the exe file do? (contained in the zip)... well, here's what ThreatExpert said