UPS Tracking number trojan – new variant

Around 00:02 AM, local Belgian time, MX Lab detected an outbreak of a new UPS tracking number trojan.

The email itself remains the same, but the attachment name now contains a tracking number, for example UPS_INVOICE_978172.exe.

The .exe is a new variant: when a sample was submitted to Virus Total, only 3 of the 34 anti virus engines detected it. Details are in the table below.

Antivirus Version Last Update Result
AhnLab-V3 2008.7.21.1 2008.07.21 -
AntiVir 7.8.1.11 2008.07.21 -
Authentium 5.1.0.4 2008.07.21 -
Avast 4.8.1195.0 2008.07.21 -
AVG 8.0.0.130 2008.07.21 -
BitDefender 7.2 2008.07.21 -
CAT-QuickHeal 9.50 2008.07.21 -
ClamAV 0.93.1 2008.07.21 -
DrWeb 4.44.0.09170 2008.07.21 -
eSafe 7.0.17.0 2008.07.21 Suspicious File
eTrust-Vet 31.6.5971 2008.07.21 -
Ewido 4.0 2008.07.21 -
F-Prot 4.4.4.56 2008.07.21 -
F-Secure 7.60.13501.0 2008.07.21 Suspicious:W32/Malware!Gemini
Fortinet 3.14.0.0 2008.07.21 -
GData 2.0.7306.1023 2008.07.21 -
Ikarus T3.1.1.34.0 2008.07.21 -
Kaspersky 7.0.0.125 2008.07.21 -
McAfee 5343 2008.07.21 -
Microsoft 1.3704 2008.07.22 -
NOD32v2 3284 2008.07.21 -
Norman 5.80.02 2008.07.21 -
Panda 9.0.0.4 2008.07.21 -
PCTools 4.4.2.0 2008.07.21 -
Prevx1 V2 2008.07.22 -
Rising 20.54.02.00 2008.07.21 -
Sophos 4.31.0 2008.07.21 -
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.21 -
TheHacker 6.2.96.385 2008.07.20 -
TrendMicro 8.700.0.1004 2008.07.21 -
VBA32 3.12.8.1 2008.07.21 suspected of Malware-Cryptor.Win32.General.2
VirusBuster 4.5.11.0 2008.07.21 -
Webwasher-Gateway 6.6.2 2008.07.21 -

The file shows the threat characteristics of ZBot, a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components and gives the attacker remote access to the compromised system. It opens backdoors on the infected computer to allow an attacker unauthorized access.

On an infected computer the trojan creates new files such as %System%\ntos.exe, %System%\wsnpoem\audio.dll and %System%\wsnpoem\video.dll, and creates the new directory %System%\wsnpoem.

It also adds and modifies entries in the Windows registry and connects to a server to fetch http://*********.ru/******/odessa.bin. It opens random TCP ports to provide backdoor capabilities.

Update 10:00 AM Belgian time:

The MD5 on Virus Total is da4b7ef93c588ad799f1a1c5afb6cfad and the trojan is now detected by 12 virus engines. Permalink: http://www.virustotal.com/
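As an added example (not MX Lab's code), a small Python triage script built from the indicators in this post: it checks a host, or a mounted disk image, for the dropped files and compares their MD5 with the sample hash, and it scans proxy-log lines for fetches of odessa.bin. The proxy-log layout and the x-masked .ru host in the sample lines are assumptions.

```python
import hashlib
import os
import re
from pathlib import Path

# Indicators taken from the post: sample MD5, files dropped under %System%, C2 payload name.
KNOWN_MD5 = "da4b7ef93c588ad799f1a1c5afb6cfad"
DROPPED_FILES = [("ntos.exe",), ("wsnpoem", "audio.dll"), ("wsnpoem", "video.dll")]
C2_PAYLOAD = "odessa.bin"
# Assumed proxy-log layout: "<date> <time> <client-ip> <method> <url>".
LOG_RE = re.compile(r"^\S+ \S+ (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?:GET|POST) (?P<url>\S+)")

def md5_of(path):
    """Hex MD5 of a file, hashed in chunks so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def check_host(base=None):
    """Look for the dropped files under %System% (or under `base` for an offline image).
    Returns ({relative_path: md5}, True if any file matches the sample MD5)."""
    if base is None:  # %System% is System32 under %SystemRoot% on Windows
        base = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    found = {}
    for parts in DROPPED_FILES:
        p = Path(base).joinpath(*parts)
        if p.is_file():
            found["\\".join(parts)] = md5_of(p)
    return found, KNOWN_MD5 in found.values()

def scan_proxy_log(lines):
    """Return [(client_ip, url)] for requests that fetch the payload the trojan downloads."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("url").rsplit("/", 1)[-1].lower() == C2_PAYLOAD:
            hits.append((m.group("src"), m.group("url")))
    return hits

# Constructed sample log lines; the .ru host is masked with x's, as in the post.
SAMPLE_LOG = [
    "2008-07-21 00:05:12 10.0.0.23 GET http://xxxxxxxxx.ru/xxxxxx/odessa.bin",
    "2008-07-21 00:05:40 10.0.0.24 GET http://www.ups.com/tracking/",
    "2008-07-21 00:07:02 10.0.0.31 GET http://xxxxxxxxx.ru/xxxxxx/odessa.bin",
]
```

A match on the file names alone only says a machine needs a closer look; the MD5 comparison confirms this specific sample, and other variants will hash differently.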

36 Responses to UPS Tracking number trojan – new variant

  1. Drazil says:

    So, I’m distracted by a conversation and I open up the UPS tracker attachment and start to click the embedded EXE in winzip and just realize what I’m doing and now I’m not sure whether I launched the bastard or not. I immediately pull the ethernet cable so nothing can phone out of the windows laptop, and I’ve searched the file system for all the files you mention above and searched the registry for ‘odessa.bin’ or ‘.ru/’. Everything comes back nil, but I’m not sure. Does this trojan pick random names/locations? Is there a more thorough way to scan for its presence?

    I run AVG-Free and it doesn’t detect this variant as your previous post mentioned.

    I so wish I had finished moving my last windoze image to a VM.

  2. EJ says:

    I received the UPS_INVOICE_978172 file as an email attachment at an inbox email account. I use a mac Pismo with 3 partitions. I use my OS9 partition as the download site to help keep my OSX partition clean.

    Because I use UPS a lot I opened the attachment without thinking and when I saw it was a PC file (.exe) and it opened up in FLV format I knew something was wrong.

    I rebooted into my OS9 partition and did a search and found there was an invisible folder with three files inside that wouldn’t allow itself to be trashed. I went to my archives and retrieved an old app called Disk Tools which has a cool function of showing all invisible stuff.

    I highlighted the folder and files and trashed them, emptied the desktop trash and did another global search…the files and folder were gone. Since I don’t use my OS9 for surfing and the OSX is an independent partition I feel safe all is well.

  3. Cd-MaN says:

    Please, publish some MD5 or SHA1 hashes for reference in the future, so that people can identify (at least some) samples, and AV companies can find the samples in their collection.

  4. steve says:

    I also opened this file and have updated Norton and run a system scan..

    How can I check I have erased this virus?

    Steve

  5. steve2 says:

    Can anyone provide the un-obfuscated url (or IP) that it tries connecting to? We would like to identify if anyone on our network has executed the trojan.

    Thanks,

    Another Steve

  6. steve2 says:

    can someone provide the un-obfuscated url (or IP) that it tries connecting to? We would like to determine if anyone on our network has run the trojan.

    Thanks,

    Another Steve

  7. mxlab says:

    @Steve2: Check your mailbox. Hope it helps.

  8. JD says:

    If the user logged in but only had limited or restricted access if they open the zip file would it be accurate to say it would be “controlled” and unable to install itself because of the user privileges?

    How would you best make use of the MD5 to identify whether or not that is the case?

  9. SJL says:

    How do I scan and remove this infection? I use TrendMicro, which, according to http://www.virustotal.com doesn’t recognize the UPS Tracking Number trojan. Are my only options to (a) wait on TrendMicro or (b) purchase/download another product?

  10. mxlab says:

    MX Lab is not in the virus/trojan removal business but focuses on avoiding infections by determining and stopping a virus or trojan when it emerges and not allowing potential threats to get onto your systems.

    But for everyone who is infected here are some online resources with removal instructions or software for download to scan your systems. The information is published and provided “as is”.

    http://www.antiviruses123.com/antivirus/antivirus_1493.html
    http://www.spywareterminator.com/item/23134/TrojanSpyZbottv.html
    http://www.malwarebytes.org/mbam.php
    http://www.pctools.com/spyware-doctor/

    Feel free to Google around with terms ‘how to remove Trojan.Spy.ZBot’ for additional information.

    From different forums and blogs I can notice that this virus is infecting computers quite a lot.

    Our general recommendation is to take extra care when you receive emails with attachments, even if you have an up-to-date anti virus engine. If your anti virus engine doesn’t have the latest virus definition for the virus or trojan, your computer gets infected.

    Do not simply click on the attachment, .exe or .zip. Take a look at the contents, the sender, the way the email is constructed (does it contain a company logo, legal disclaimer,… ) and so on. If it is suspicious leave the email alone or delete it.

    Major companies, like UPS, PayPal, eBay, and others, do not communicate in the way that viruses, phishing, scams and spam are distributed. If you take extra care looking at the email you could identify suspicious emails quite fast.

  11. mxlab says:

    @SJL: Yes, you can wait for a new virus definition update of your TrendMicro and scan your computer. You can also try to download a special piece of software from the above links or try to remove the trojan. If you are already infected you could help TrendMicro by uploading the file to their detection labs if they provide such a tool on their web site.

    @JD: If a user has rights to run an executable then you could have a virus infection on that computer. If you want to have protection against viruses based on user privileges you should configure the rights so that no executables can be run by this user. This will prevent this user from accidentally running an exe that is in fact a virus or trojan.

  12. Mike says:

    Could you also send me the un-obfuscated url (or IP)?

    thanks
    Mike

  13. princerazor says:

    does everyone get this virus through email?

  14. Pingback: Return of the Mack « the atomic punk

  15. pio dalcin says:

    I hope we will get rid of viruses in the near future

  16. Chris says:

    I clicked on the Zip file (I hit Open instead of Save) but didn’t open the EXE file inside. Am I still at risk of being infected?

  17. Pingback: It’s KIM ONG dot com. » Blog Archive » Virus Affecting Your Office E-Mail

  18. steve says:

    Has the UPS virus been updated on Symantec Norton Antivirus as yet?

  19. steve says:

    I opened the email accidentally whilst distracted (awaiting a few parcels also) but I think I stopped and closed the window as soon as I thought!!

    I have run a Norton full scan and it does not show any virus but I see that Norton does not detect it so far..

    I telephoned the Symantec help desk and they are trying to charge me $69 to clean and check my computer.

  20. side says:

    Just FYI, BD 11.0.x (aka 2008) picked it up just fine on my end. I know you’re using the freebie version but that’s really outdated – just a heads up. Tested with IS 2008. If anyone needs to buy one google for bitdefender; found a really cheap ad on there that (gasp) was legit…

    Symantec still sucks – I have an admin buddy who is having a couple of his PCs affected by this….24-48 hour response windows for AV defs on crappy heuristics FTW! GJ Symantec!

  21. side says:

    To correct auto icon on previous post:

    (aka 2 0 0 8 ) – bitdefender 2008 family line.

  22. Martin says:

    I succeeded in removing it by using this software

    http://www.simplysup.com/tremover/download.html

  23. Kressin says:

    Does anyone know if a variant of the UPS Tracking virus is embedding copies of itself in user files or are we safe to back up user files.. say word docs.. before re-imaging of client desktops?

  24. Bill Melater says:

    My Kaspersky stripped the attachment from my e mail as soon as it hit my inbox.

  25. kataztrophy says:

    When did tracking number emails start using attachments? No one should fall for this mess.

  26. Laurentio says:

    So far this is the only way to remove the UPS virus. Follow the given link and do as instructed to fix UPS virus.
    http://support.bicester-computers.com/showthread.php?t=18

    • naishagirl says:

      No that doesn’t work either, I’ve tried it step by step. I’ve tried so many things so far and nothing is working.

  27. PissedAdmin says:

    Hey there.

    I’ve got 4 of my users so far who have opened up the .ZIP attachment and tried the .exe

    The computers have shut down (proper windows shutdown) on their own and then started up again, without the user instigating any of that.

    I’m currently trying to find out how many machines have been infected. I’m using Symantec across the network.

    Beh. Stupid virus makers.

  28. DH says:

    Stupider users.
    I’ve been blocking/quarantining all executable & compressed files in emails for several years — 8 years since any malware has hit my network. I recommend all admins do the same. Some users may complain initially, but it saves the company money & productivity in the long run.

  29. Adam Vero says:

    Lots more information here about the latest variation which claims to be from customs (or US customs in some cases):
    http://veroblog.wordpress.com/2008/07/24/ups_invoice-email-trojan-variant-claims-to-be-from-customs-service/
    Further links in that post to previous versions of this malware with MD5 hashes for comparison.

  30. Joe McLean says:

    A client was infected a week ago, so I imagine this was the variation that was the payload. I have followed the suggestions about how to remove the virus, but in his case, the virus also kept him from logging into Windows XP. We removed his hard drive and ran it as a slave on two other computers. On Tuesday when AVG was not rated as detecting the virus, it detected two Trojans, but did not fix the log in problem.

    We scanned the HD as a slave on Wednesday with Trojan Remover which supposedly had worked for another computer, and on Friday with AVG which was supposed to detect the virus at that point. We still were not able to login to Windows. I finally moved the data to another computer, but my client would still like to fix the problem without reformatting. Some posts on other websites suggest a damaged userinit.exe file would cause this problem. Has anyone else seen this problem?

  31. John Turner says:

    This is a vicious virus,

    A friend has been infected by this and it has caused major issues,

    So far, from what has been understood, he accidentally opened the file and did experience a system reboot shortly after.

    Panicked, but once the system resumed he realised software was not running, windows os booted no problem, but all applications failed to boot.

    After some annoyance he tried rebooting, this time NTLDR was missing and required me to restore the boot sector with a boot usb – lots of info on the internet is available for this!

    After doing this I booted the system, ran norton, ran spybot and it all appeared to be okay.

    Gave him back his PC and now it reboots and loops, asking him to install some other antivirus software causing major issues, I need to fix this as soon as possible please help!

  32. Doofus says:

    I use OS/2 am I still vulnerable to this?

  33. Dave Rave says:

    I received this one email, on to two computers.
    both had AVG installed.
    the first only showed the attachment, let me open it, the attached zip)
    then I opened the inside doc file, wanting to watch AVG catch it and show me how good it is.

    then, after it opened it, and infected my computer, “after” it infected my computer, it then said there was threat activity, showing me places that were suspect.

    the second computer, downloaded the email, and netscape showed that AVG had already removed the attachment to the vault. no problems at all.

    except the first computer is my notebook
    the attached files are mainly .sys files
    one of which I saw was hid something
    i moved files to vault, rather than heal them
    and now i have no keyboard, no touch pad, no usb for a mouse
    and the ethernet jack is disabled as i would have turned it off, using my wireless

    can’t get to anything at all on it
    and I AM SUCH A DILL. hates self ;-)

  34. match1 says:

    Nice news. Good side.

  35. sammy says:

    I just got this email with an attachment, found it a bit suspicious so googled and found this website..Thanks for the info…. This is how my message looked

    UPS Tracking Number 2657412.
    UPS Manager Liza Fitch support@ups.com
    Sent: Thu 1/14/2010 8:21 PM
    To: myemail
    UPS_INVOICE_NR76234.zip

    Hello!

    The courier company was not able to deliver your parcel by your address.
    Cause: Error in shipping address.

    You may pickup the parcel at our post office personaly!

    Please attention!
    The shipping label is attached to this e-mail.
    Please print this label to get this package at our post office.

    Please do not reply to this e-mail, it is an unmonitored mailbox.
