I imagine that this combined with virus capabilities (so it can spread itself via network) would be an overkill. Strange that they didn't do it, once you have an access to the local network (as soon as the initial victim runs .exe received by email) it shouldn't be too hard.