“Parcel requires declaration” virus

July 24, 2008 by mxlab 5 Comments

The UPS Trojan has changed its characteristics but the general concept remains the same. An email that is sent from the customs regarding a parcel that is awaiting delivery for you. Attached a .zip file with malware.

The email comes with one of these subject lines:

Your parcel is at the customs office
Parcel requires declaration
Customs, please read
Customs – We have received a percel for you

The contents of the email:

Hello,
We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.
Kind regards,
Aileen Solis
Your Customs Service

The email has the Bill_Tax.zip file attached with inside the archive Bill_Tax___________________________N89798742344.exe which is the same ZBot trojan. Virus Total report. Only 3 engines detect this one so don’t open the file if you receive the email!

Filed under Viruses Tagged with , , , , ,

5 Responses to “Parcel requires declaration” virus

  1. Catherine Christofferson says:
    July 24, 2008 at 9:29 pm

    Got 2 emails with this virus today.

    Would be glad to forward you the email if you want…

    —— Forwarded Message
    From: Customs Service
    Date: Thu, 24 Jul 2008 10:40:39 -0800
    To:
    Subject: Parcel requires declaration

    Dear Sirs,

    We have received a parcel for you, sent from France on July 9. Please fill
    out the customs declaration attached to this message and send it to us by
    mail or fax. The address and the fax number are at the bottom of the
    declaration form.

    Kind regards,
    Maritza Patton
    Your Customs Service

    Reply
  2. mxlab says:
    July 24, 2008 at 9:43 pm

    I have enough of these emails intercepted so if I need to analyse one I got plenty of choice. Thanks for the offer.

    Reply
  3. Joshua Erdman says:
    July 24, 2008 at 10:14 pm

    Several of our clietns have recieved these emails, only two PCs have been inffected. You previously stated that only 3 AV engines have detected this. What were they. Currenlty most of our clietns are using Symantec AV.

    What would you rate as the top three AV engines?

    Reply
  4. mxlab says:
    July 24, 2008 at 10:36 pm

    There is a permalink in the article to Virus Total. But here they are: eSafe, Sophos and VBA32 detected the trojan based on a file scan of 22:32 PM.

    It’s quite difficult to give a top three on AV engines. It all comes down to how the AV engine performs on overhead and load on the computer, speed of definiton updates and other specific requirements for a client. Each client also has a different expectation pattern of such software. When I like AV engine X, some else could hate or had troubles with it in the past.

    A few days ago someone told me that Trend Micro was horrible and slowed down his computer a lot while I provide Trend Micro OfficeScan for clients and have copy running on a Pentium III 1Ghz, 512 MB, Windows XP (a very old computer) without troubles. It’s possible that he had a different version but this gives you an idea. A top three for me is not a top thee for you and vice versa.

    Reply
  5. Chad says:
    July 24, 2008 at 10:44 pm

    Got it today at 2:07 PM from “Customs Service”

    Good day,

    We have received a parcel for you, sent from France on July 9. Please fill out the
    customs declaration attached to this message and send it to us by mail or fax. The
    address and the fax number are at the bottom of the declaration form.

    Kind regards,
    Lakisha Mooney
    Your Customs Service

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <pre> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>