UPS Tracking number trojan – another variant and Hallmark e-card
July 23, 2008 5 Comments
There is a new variant of the UPS Tracking number trojan en route. The subject is now “[RE] UPS Tracking Number 7056968807” but the contents remain the same. The URL used by the trojan is slightly different: the host remains the same, but the folder structure and the .bin file on the site are different: http://***********.ru/offshore/denis.bin. The number in the subject and in the file name can be random.
The new variant is detected by 13 of the 35 anti virus engines at Virus Total. The MD5 hash is 488d34cd86e252abca560416413a595d.
Also, if you receive a Hallmark E-Card as an attachment, it is another variant of a Trojan-Dropper.Win32, also known as W32/P2Pworm.E.worm or Trojan.Delf.Inject.F. The chances of infection are much lower: 24 of the 35 engines provide protection, so there is a good chance that it gets caught.
Reading the comments on this blog and on other resources and web sites, I am amazed how many people have double clicked the attachment and indeed infected their computer.
Now, a very simple tip for the future, which is also mentioned on other web sites: don’t open attachments without checking the content and the sender first. Handle each email with attachments carefully, and don’t extract them and click on executables or files with exotic extensions.
Large companies like UPS, Hallmark and others don’t send you an executable in a zip file, so this is something you should be aware of. This is the first “red light”.
UPS tracking is done online on their web site and, after all, think about it: a message stating that a delivery from July the 1st can’t be delivered, while it is in fact July 23, is not very good UPS service, right?
For Hallmark e-cards you also need to visit their web site to get your lovely e-card.
Following this simple guideline can avoid the trouble of an infected computer. This applies to everyone: whether you work from home, are an individual, or are in a business environment, it’s a good tip for everyone.
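As an added illustration of the “red light” described above (not code from the original post or from MX Lab), here is a small perimeter check that flags an attachment when it is itself an executable, when it is a zip archive that contains an executable, or when its MD5 matches a known sample. The known-bad hash is the one quoted in this post; the zip built in the example is constructed in memory and contains no real malware.

```python
import hashlib
import io
import os
import zipfile

# Constructed list of known-bad hashes; this MD5 is the one the post quotes
# for the new UPS variant. A real gateway would load such a list from a feed.
KNOWN_BAD_MD5 = {"488d34cd86e252abca560416413a595d"}

# Extensions a parcel service or e-card vendor has no reason to mail you.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def md5_hex(data: bytes) -> str:
    """Hex MD5 of the attachment bytes, for comparison with published hashes."""
    return hashlib.md5(data).hexdigest()


def executables_in_zip(data: bytes) -> list:
    """Return member names inside a zip that carry an executable extension.
    Returns [] when the bytes are not a valid zip archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if os.path.splitext(n.lower())[1] in EXEC_EXTENSIONS]


def check_attachment(filename: str, data: bytes) -> list:
    """Return the reasons to quarantine this attachment (empty list = no finding)."""
    reasons = []
    if md5_hex(data) in KNOWN_BAD_MD5:
        reasons.append("md5 matches known sample")
    ext = os.path.splitext(filename.lower())[1]
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable attachment {filename}")
    if ext == ".zip":
        for member in executables_in_zip(data):
            reasons.append(f"executable {member} inside {filename}")
    return reasons


def build_sample_zip(member: str, payload: bytes) -> bytes:
    """Construct a harmless in-memory zip for demonstration (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachment shaped like the fake e-ticket reported in the comments.
    sample = build_sample_zip("E-ticket_N7399294_and_Invoice_for_N73992943442.exe", b"MZ demo")
    print(check_attachment("E-ticket_N7399294.zip", sample))
```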
In that case, let me promote my company for once, contact MX Lab, get a 15 day trial of our zero hour anti virus and anti spam security services and notice the difference.

That is us: we just received another of these e-mails this morning on another computer.
It has got past our B.T. Business Virus checker this time, although in the previous attempt it was detected and deleted.
United Parcel UPS Tracking Number 7937399669, so it is still very active.
Bullguard did not detect the original attempt or even seems able to remove it so far.
We have tried several products and followed instructions religiously to remove this virus, but at the time of writing one computer is still infected.
And there is already a new variant, so it seems that the UPS trojan will keep on going for a while. Virus Total reports show that 5 of the 35 engines detect the newer version.
So far this is the only way to remove the UPS virus. Follow the given link and do as instructed to fix the UPS virus.
http://support.bicester-computers.com/showthread.php?t=18
The version one of my users got tries to block running the SDFix.exe archive. Renamed it to SDFix2.exe and it extracted.
A new variant seems to have appeared. Got this in a user’s mailbox this morning. The attachment was named E-ticket_N7399294.zip. Inside the zip is a file “E-ticket_N7399294_and_Invoice_for_N73992943442.exe”
From: “Tara Lloyd” US Airways [mailto:okvwgh@bolderstaffing.com]
Sent: Friday, July 25, 2008 10:31 AM
To: [removed]
Subject: Online order for airplane ticket N182416
Hello,
Thank you for using our new service “Buy airplane ticket Online” on our website. Your account has been created:
Your login: [removed - was same as recipient's username]
Your password: pass5OB6
Your credit card has been charged for $456.08.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%! Attached to this message is the purchase Invoice and the flight ticket. To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
Kind regards,
Tara Lloyd
US Airways