UPS Tracking number trojan
July 20, 2008 49 Comments
When you receive an email from UPS about a package that can’t be delivered because the recipient’s address is incorrect, you had better watch out. It is very likely a new variant of a trojan that is trying to get your attention and infect your computer.

The message contains the text:
Unfortunately we were not able to deliver postal package you sent on July the 1st in time
because the recipients address is not correct.
Please print out the invoice copy attached and collect the package at our office
Your UPS
The message includes an attachment, ups_invoice.zip, which extracts to the file ups_invoice.exe. This file contains a trojan known as W32/Agent.HFN by F-Prot. We couldn’t resist submitting this file to Virus Total to see how many signature-based anti-virus engines would detect this malware. This time only 8 of the 34 anti-virus engines detected the trojan.
Here are the complete results from Virus Total:
Antivirus          Version          Last Update  Result
AhnLab-V3          2008.7.17.0      2008.07.18   -
AntiVir            7.8.1.11         2008.07.20   -
Authentium         5.1.0.4          2008.07.20   W32/Agent.HFN
Avast              4.8.1195.0       2008.07.20   -
AVG                8.0.0.130        2008.07.19   Dropper.Generic.VGK
BitDefender        7.2              2008.07.20   -
CAT-QuickHeal      9.50             2008.07.18   -
ClamAV             0.93.1           2008.07.20   -
DrWeb              4.44.0.09170     2008.07.20   -
eSafe              7.0.17.0         2008.07.20   Suspicious File
eTrust-Vet         31.6.5966        2008.07.18   -
Ewido              4.0              2008.07.20   -
F-Prot             4.4.4.56         2008.07.20   W32/Agent.HFN
F-Secure           7.60.13501.0     2008.07.20   Suspicious:W32/Malware!Gemini
Fortinet           3.14.0.0         2008.07.20   -
GData              2.0.7306.1023    2008.07.20   -
Ikarus             T3.1.1.34.0      2008.07.20   Trojan-Dropper.Win32.Delf.aef
Kaspersky          7.0.0.125        2008.07.20   -
McAfee             5342             2008.07.18   -
Microsoft          1.3704           2008.07.20   -
NOD32v2            3282             2008.07.19   -
Norman             5.80.02          2008.07.18   -
Panda              9.0.0.4          2008.07.20   -
Prevx1             V2               2008.07.20   -
Rising             20.53.62.00      2008.07.20   -
Sophos             4.31.0           2008.07.20   -
Sunbelt            3.1.1536.1       2008.07.18   -
Symantec           10               2008.07.20   -
TheHacker          6.2.96.385       2008.07.19   -
TrendMicro         8.700.0.1004     2008.07.18   -
VBA32              3.12.8.1         2008.07.20   -
VirusBuster        4.5.11.0         2008.07.19   Packed/Pohernah
Webwasher-Gateway  6.6.2            2008.07.20   Win32.Malware.gen#ASPack (suspicious)
Again, this shows the importance of zero-hour anti-virus protection such as MX Lab offers.
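Since only 8 of 34 signature engines caught the file, a gateway that keys on the attachment type rather than on a signature is a useful second layer. The following is an added example, not MX Lab’s code: a small Python filter that opens a message, looks inside any zip attachment and quarantines the message when it carries an executable (the .exe and .scr cases seen on this page). The sample message it builds is constructed for the test and its zip holds a harmless placeholder file, not the trojan; the lure phrases are taken from the emails quoted on this page and only add evidence, they do not decide the verdict.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# File types a courier would never send as an "invoice" or "shipping label".
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Phrases from the lures quoted on this page; a hit is evidence, not a verdict.
LURE_PHRASES = ("print out the invoice", "collect the package", "shipping label",
                "error in shipping address", "not able to deliver")


def build_sample_message(attachment_name: str, inner_name: str) -> bytes:
    """Constructed test message shaped like the lure. The zip contains a
    harmless placeholder file, not the trojan itself."""
    msg = EmailMessage()
    msg["From"] = "UPS Manager <tracking.support@ups.com>"   # claimed sender; trivially forged
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "UPS Tracking Number 7165856"
    msg.set_content(
        "Unfortunately we were not able to deliver postal package you sent on July "
        "the 1st in time because the recipients address is not correct.\n"
        "Please print out the invoice copy attached and collect the package at our office."
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, b"placeholder bytes, not malware")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment_name)
    return bytes(msg)


def _archive_members(payload: bytes) -> list[str]:
    """Member names of a zip payload, or [] if the payload is not a readable zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def _is_executable_name(name: str) -> bool:
    # Lower-case the whole name so "INVOICE.SCR" and "invoice.pdf.exe" are both caught.
    return os.path.splitext(name.lower())[1] in EXECUTABLE_EXTENSIONS


def inspect_message(raw: bytes) -> dict:
    """Flag a message whose attachments carry an executable, directly or inside a zip."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    lure_hits = [phrase for phrase in LURE_PHRASES if phrase in body]

    executables = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if _is_executable_name(name):
            executables.append(name)
        for member in _archive_members(payload):
            if _is_executable_name(member):
                executables.append(f"{name}!{member}")   # attachment!member notation

    verdict = "quarantine" if executables else "allow"
    return {"from": msg["From"], "executables": executables,
            "lure_hits": lure_hits, "verdict": verdict}


if __name__ == "__main__":
    for outer, inner in (("ups_invoice.zip", "ups_invoice.exe"),
                         ("invoice.zip", "invoice.scr"),
                         ("label.zip", "label.pdf")):
        print(inspect_message(build_sample_message(outer, inner)))
```

The decision rests on what the archive actually contains, not on the sender or the subject line, because the From header in these lures is forged and the wording changes from one variant to the next. A real gateway would also handle nested archives and password-protected zips (which this filter reports as having no readable members, so they should be treated as suspect rather than allowed).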

Hmm just got one of these trojan emails myself. With people buying more and more stuff from sites like eBay, they would think nothing of opening an email purporting to come from UPS. “My delivery is delayed, dammit!”
I’ve just been sent this from my boss, better let the office know it’s a virus!!
Any ideas on the best software to remove it?
Take a look between the comments on the UPS Tracking number – new variant article: http://blog.mxlab.be/2008/07/21/ups-tracking-number-trojan-new-variant/
I received this email this morning in my Yahoo mail account. The spam filters had knocked it into my spam folder, but I can still see where this will get a lot of people.
I was waiting for a parcel from UPS and I unfortunately opened the UPS_INVOICE trojan.
I have Mac OS X and Microsoft Office 2004.
How can I remove this thing from my computer please?
This trojan is a Windows application and a .exe can’t be executed directly on Mac OS X, so you don’t have any infection from this one.
However, pay attention in the future regarding opening attachments. MacOS X is gaining popularity and we may expect to see MacOS X based viruses and trojans as well somewhere in the future when this platform is interesting enough for malware writers.
The file in the zip is an exe. UPS would NEVER send you an executable file. Smarten up people, or you will continue to be victims of attacks like these.
Thank you mxlab for your answer and for the advice.
I will be more cautious in the future.
We have a computer which seems to be infected with this virus after one of the operators opened this e-mail.
Can you advise us of best removal procedures?
Thanks
Wow, I’ve just found a new favorite for good, accurate, timely info on security and virus related issues. Bookmarks set………
Unfortunately, IT Enterprise as well as our own AV were listed as NOT catching this thing. Normally, we have at least 2 layers, and no, for some weird reason, they don’t seem to block attachments like that. Weird.
Hi, we received lots of this email yesterday. It passed all of my spam and virus protection! SpamProtect of dunkel.de, the ClamAV scanner of my firewall, my Exchange GroupShield 5.2 and the local McAfee email scanner! We removed the trojan from the user’s profile and thought everything was okay again, but it wasn’t. Since today we are listed as a spammer on spamhaus.org… Still working on killing that stuff… Unbelievable, but such is life… Greetings from Germany
In the last week alone I got 4 of these emails – every time I won an item from eBay – could it be chance? If not, then someone’s figured out individual email addresses from eBay user accounts.
So far this is the only way to remove the UPS virus. Follow the given link and do as instructed to fix UPS virus.
http://support.bicester-computers.com/showthread.php?t=18
Well… anyone using Windows who receives an email attachment that is an exe file who actually unzips and executes it, is just plain dumb.
Got 7 of that e-mail this week. Thankfully my AVast! still works. hehe
Well.. I have an office computer which is infected by this thing and I’ve done the: http://support.bicester-computers.com/showthread.php?t=18, 4 times and….. it’s still there. I have the biritos.exe, igfxtray.exe, braviax.exe AND winivstr.exe files on that computer….. I’ve tried manually, I’ve tried with the help of the link… to no avail… plus I have Symantec Corporate 10 on every unit (which is no help at all as it doesn’t see it)… so…. I’m starting to think that my only way out will be a reformat.
I just got this on my Junk Mail Folder.
It looked suspicious, so I ran a search and found this topic. Glad I didn’t open it.
These bastards are really trying hard, aren’t they?
Thanks for your site. I just received this as well and thought it was a strange message to be getting! Lucky I searched before opening!
Oh! Very nice article. Some interesting information. I like this.
I just got a variant with an invoice.zip file containing an invoice.scr file. The text of the email was:
Mr./Mrs. Bill
I am sorry for this late reply, but we have good news.
We managed to track your package, and we have attached the invoice you asked for to this reply.
The invoice contains the correct tracking# , since the one you gave us was invalid.
You can use it on the ups website to track your shipment.
Thank you
John Henry
UPS Customer Care Department
— On Mon, 9/08/08, Bill <bill wrote:
From: Bill Olsen <bill
Subject: missing package
To: support@ups.com
Date: Monday, September 8 , 2008, 10:38 AM
I have recently used UPS to send a package to my cousin but he never received it.
Also , the tracking number doesn’t check on the website, and I lost the invoice.
Can you forward me a copy?
Here you have the tracking# : 03073332100016836200
Just got one of these myself. I really think they need to find the bastards creating viruses like these and put them on TV having iron stakes driven through their eye sockets.
I received this email today and yesterday. Mine also had a .scr file in the zip, not an exe. Symantec did not detect the threat in a zip format and when I ran it on the .scr file it crashed my machine. No other ill effects, machine booted up fine and no harm done.
Well, there are some ways to prevent being spoofed by these emails. One of the ways is discussed in my blog below.
http://www.buddymii.com/socialnetwork/blog_entry.php?user=Ryen&blogentry_id=9
The emphasis is that users should verify the sender email address and determine whether it actually came from the source.
This is not a guarantee that the sender is really UPS, that the email is valid, or that the attachment doesn’t contain a virus. It is so easy to spoof the mail From address and include @ups.com at the end to make it look as if it came from UPS itself.
It is true, however, that this kind of email should be sent from @ups.com and in this case it’s not. So, it’s quite easy to see that this email is not valid, and with the contents of the email and the inclusion of an attachment you should have an indication that this could contain malware even if your anti-virus doesn’t detect a possibly dangerous file.
Sender email address verification can be done with, for example, SPF or SenderID, not by looking at the sender’s email address alone. Be aware of this.
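To make the point of the reply above concrete, here is an added example (not MX Lab’s code and not a production SPF library) that shows why the From header proves nothing and what an SPF check does instead: it evaluates the connecting IP against the SPF record published by the domain of the envelope sender. The evaluator only implements the ip4, ip6 and all mechanisms; include, a, mx and redirect are left out. The SPF records and the domain courier.example are constructed for the test and are not the real records of ups.com or any other domain.

```python
import ipaddress
from email.utils import parseaddr

# Constructed SPF records for this example only. "courier.example" stands in for a
# courier's domain; these are NOT the real records of ups.com or anyone else.
SPF_RECORDS = {
    "courier.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:10::/48 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def address_domain(header_or_envelope: str) -> str:
    """Domain part of 'Name <user@domain>' or 'user@domain', lower-cased."""
    _, addr = parseaddr(header_or_envelope)
    return addr.rpartition("@")[2].lower()


def parse_spf(record: str) -> list[tuple[str, str, str]]:
    """Split a v=spf1 record into (qualifier, mechanism, value) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        parsed.append((qualifier, mech.lower(), value))
    return parsed


def check_spf(envelope_from: str, client_ip: str, records=SPF_RECORDS) -> str:
    """Simplified SPF check supporting ip4, ip6 and all only.
    Returns pass, fail, softfail, neutral, none or permerror."""
    record = records.get(address_domain(envelope_from))
    if record is None:
        return "none"                         # the domain publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mech, value in parse_spf(record):
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
        elif mech == "all":
            return QUALIFIER_RESULT[qualifier]
        else:
            return "permerror"                # mechanism not implemented here
    return "neutral"                          # record ended without a match or an 'all'


def evaluate_sender(header_from: str, envelope_from: str, client_ip: str) -> dict:
    """What a gateway learns: the From header is a claim, the SPF result is evidence."""
    spf = check_spf(envelope_from, client_ip)
    header_domain = address_domain(header_from)
    envelope_domain = address_domain(envelope_from)
    if spf == "fail":
        verdict = "reject"
    elif spf == "pass" and header_domain == envelope_domain:
        verdict = "accept"
    else:
        verdict = "suspect"                   # softfail/none/permerror or a mismatched From
    return {"header_domain": header_domain, "envelope_domain": envelope_domain,
            "spf": spf, "domains_match": header_domain == envelope_domain,
            "verdict": verdict}


if __name__ == "__main__":
    lure = "UPS Manager <tracking.support@courier.example>"   # constructed, looks legitimate
    print(evaluate_sender(lure, "bounce@courier.example", "198.51.100.7"))  # IP not authorised
    print(evaluate_sender(lure, "bounce@courier.example", "192.0.2.25"))    # IP authorised
```

The same From header produces a reject in one case and an accept in the other; the only thing that changed is where the connection came from, which the sender cannot forge the way it forges the header. This is also why a forged @ups.com address is not evidence of anything, while an SPF fail is.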
Well, I’m one of the dolts that opened it. Norton saw it so I ran a full virus scan overnight. Now I have a desktop, but no icons or start-up bar.
I don’t understand, if Norton caught it – then why no icons or start?
friend has given the link has not regretted that has come
Thank you!
Hi,
I received one of these this morning. Fortunately it had been marked as spam so I did not open the attachment. I often use UPS and may well have opened it otherwise. It’s another reminder of how careful you have got to be with emails.
I too just received an email from UPS this morning. Mine wasn’t marked as spam, but I was suspicious as there was an attachment and I had not sent anything or expecting anything in the post!
The email subject was:
UPS Tracking Number 7165856 and from tracking (dot) support (at) ups (dot) com, but the strange part was the reply to was nincompoop7(at)KitchenGroup(dot)com!
Beware people
I have just received one of these UPS emails and tried to open it every which way. I couldn’t apparently open it. I even sent it to my wife to try and open it. How can I make sure it is removed from my PC? AVG free service didn’t detect it!
Mine had a proper UPS email address when I tried to reply
Thanks
Steve
I am also one of the numpties that opened the attached file. I only have the free antivirus stuff along with the package that comes with Windows Vista.
Now I think they’ve sorted it but am a little concerned that it’s still on here.
Does anyone know what it does to the infected computer?
Have got a 30 day free trial from AVG running and it’s not picking up anything so, as I say, I think I’m in the clear. I am just curious to know if there’s any sites, i.e. banking, that I should avoid using or what signs to look for.
Cheers for the help!
Unfortunately I too received this mail this morning and have been expecting a package so tried to open it a couple of times. I received an error advising that a specific folder could not be found when I tried to open the zip file and as a result have not seen the .exe file.
Does this mean that the .zip file is masquerading as an .exe and has placed the files on my machine?
I am currently running mcafee and it hasn’t found anything yet.
Thanks for your help
Yes, it got me too. I even scanned the attachment first with
AVG and even did a google on the subject “ups manager willa ward fraud” but nothing came up, so because I am expecting a ups delivery I fell for it and now I’m trying to clear it up. I realize I should have used the word “virus” instead of “fraud” now because when I did that I got results that led me here. Does anyone know what potential harm this virus could do and how I can clean it up? I’m on another computer right now and it’s my laptop that’s infected. Any help appreciated.
Kenny
I got one this morning, tried to open it, got a warning so it’s deleted. I’ve got Virgin’s own protection and the free version of Malwarebytes on here, as far as I know I’m ok
(I HOPE). The tracking no. on mine was 1113181, it used the manager’s name Kathy Keyes and there is another address on it – scorpionne62@live.fr. Not sure if that’s any help.
Ren.
I received an email from UPS Manager Bobbie Schaffer [tracking.support@ups.com]; it said there was an error in the shipping address. Luckily, Kaspersky detected that the file contained a virus…
Just changed my Anti Virus software from Bullguard to Avast.
Neither of these caught or filtered out this e-mail with the attachment.
This particular e-mail says it has come from UPS Manager Marsha Kirkland and its identifier is UPS Tracking Number 6098529
I didn’t open it as I remembered it from a previous attack.
Got this one today from UPS Manager Sheena Matos. I did not bother to open the invoice attachment as I am not expecting anything from UPS, but I was suspicious so I googled it and ended up here. Anybody know where these emails originate and who the sender is?
Beware of the new variant (got it twice):
Titled: UPS Tracking Number #######.
From: UPS Manager (First) (Last) (service @ ups.com)
Message as follows:
Dear customer!
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office personaly!
Please attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox.
Thank you.
United Parcel Service.
can you send to my email please
dear ups manager.
i lost my invoice and traking number,can you forward again to me my tracking number please
thank you
Good to know about this great blog. Today I had the second attempt to get this trojan zip file delivered to my mail address.
The message had this text in it:
Dear customer!
We failed to deliver the package sent on the 15th of December in time
because the recipient’s address is wrong.
Please print out the invoice copy attached and collect the package at our office.
United Parcel Service of America.
Attachment with this zip file UPS_Document_Nr_28451.zip
Good Luck and do not click on it!!
Hi, I know this is kinda late, but please answer my question mxlab.
I was actually stupid enough to click the attachment today, right after I clicked it I knew I did something stupid. After clicking it, I think it was Norton or something that scanned the file first and said there was a virus detected. I clicked cancel, but not sure if the virus infected, or Norton stopped it before it downloaded, keeping my computer safe.
Now this happened before the option to “Open” or “Save” came up. I just clicked the attachment link and Norton started scanning it and found a virus. Does that mean it stopped it, or did it just detect it and is it now on my computer? But what’s weird is I don’t have Norton installed on my computer, I have AntiVir. Maybe it was because I was using Yahoo email or something.
Could you please help me here, I’m very paranoid right now.
thanks
I have received one of these with an attached exe, did not open it. The email was from sealyvanessa@msn.com DR6997 where is the real # to get the right number for it said I had an address that was wrong 304 927-2869
Hi, we got one of these today and before you tell us exactly how dumb we are, we even downloaded WinZip to unzip the file. Our computer is now completely stuffed, all application icons are now Word docs, we can’t even access our hard drive now. Please tell us there is a fix?
any info would be much appreciated!!!
thank you,
linda.
If you get the Trojan then run Spybot. If you don’t have Spybot, download it. Spybot is thorough and picks it up.
I was close to despair when I thought of Spybot.
My Symantec program quarantined an email yesterday and another one today. It’s actually being sent to an old email account at work that’s being forwarded automatically to my new one. Is there any way to block it? I don’t figure you can since the sender is always changing. Here’s what Symantec sent me:
The MessageLabs Email Security System discovered a possible virus or unauthorised code (such as a Trojan) in an email sent to you. The email has now been quarantined and was not delivered.
Please read the whole of this email carefully. It explains the status of your email, the nature of the intercepted virus and the next steps for addressing the problem.
To help identify the quarantined email:
The message sender was
upder4@ups.com
The message originating IP was 83.59.41.35
The message recipients were ——-
The message title was United Parcel Service notification 08054
The message date was Wed, 30 Mar 2011 04:04:43 +0100
The virus or unauthorised code identified in the email is
>>> Trojan.Bredolab!eml in ’3466919_6X_AZ-D_PA4__UPS.exe’
Some viruses forge the sender address. For more information please
visit the virus FAQ’s link at the bottom of this page.
The message was diverted into the virus holding pen on
mail server ———— and will be held for 30 days before being destroyed
Please contact your IT Helpdesk or Support Department for further
assistance.
Answers to virus-related questions can be found on the MessageLabs
Virus FAQ page at
http://www.messagelabs.com/page.asp?id=628
The sender yesterday was infosec7@ups.com and obviously a different IP address.
Thanks MX Lab – I’ve got you bookmarked!
This is a very useful blog, wish I’d known about it sooner. I just got one of those UPS mails. My Avast did not pick it up, and I stupidly fell for it. Some of the icons on my desktop now carry the wrong images. Most of my apps won’t open, I keep getting the response “….. is not a valid Win32 application”. The “UPS” mail I got read:
“Good morning
Parcel notification
The parcel was sent your home adress.
And it will arrive within 3 buisness days.
More information and the parcel tracking number are attached in document below.
Thank you
United Parcel Service of America (c)
153 James Street, Suite100, Long Beach CA, 90000.”
It carried the tracking number #77278. How do I get rid of it? Any help will be greatly appreciated.