FedEx Tracking number trojan


MX Lab has intercepted a few messages with the subject “[NO-REPLY] FedEx Tracking Number 26901603″ with an attached trojan. After the UPS Tracking trojan campaign it’s now time to use FedEx.

The content of the email has the same characteristics as the UPS trojan:

Unfortunately we were not able to deliver postal package you sent on July the 31 in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office

Your FedEx

The email has attached the zip archive named FedEx_Invoice.zip with the executable FedEx_Invoice_N882874421.exe. The “tracking number” in the subject and file can change of course.

Virus Total results and MD5: da90a0c3000eb90ebc9394e5568c5c9a. 7 of the 36 anti virus engines detect the trojan so be carefull when you receive the message.

30 Responses to FedEx Tracking number trojan

  1. Martin says:

    Thanks for this info. I’ve just received a message with almost identical wording. It has a different number and date and APPEARS to come from a ‘Wallace Ratliff’. It bears the ‘invoice’ attachment and a link to ‘FEDEX.com’. I mailed FEDEX for advice … no response so far. It’s good to have my suspicions confirmed. Thanks for the service.

    Martin

  2. Mark Conway says:

    I received one of these this morning. It was sent to an email address that I recently used when dealing with a large online hotel booking company and was not a result of random email generation by the phishers (or was an astronomically high co-incidence level). Most phishing that I receive is through randomly generated domain email addresses that are forwarded to my real mail accounts – these I consider to be normal background noise and ignore but becuse this was a ‘valid’ address I went googling and found your excellent site. Should I be informing this company that I received this trojan or is this email address likely to have been intercepted between my pc and their website ? (rather than through access to their servers).

    Thanks,

    Mark

  3. Brett says:

    I received this email today, and although I right clicked on the zip file, and chose ‘Scan for Viruses’ which came up clean, when I unzipped and double clicked on the fille my computer shot down and rebooted.

    Then I got a nasty Trojan or two, some kind of Spyware that I’m still trying to remove.

    What’s notable is that there’s what appears to be a ‘Windows’ alert in the lower right coming out of the systray, saying that I should click there to download the recommended Windows tool to remove, but there’s a very suspicious typo in the message!

    So who knows what happens next when you download that file.

    Anybody have a suggestion for removing this? Symantec so far unsuccesful and gifing me the blue screen of death. I T guy coming tomorrow…

  4. John says:

    Recieved this today. Had suspiscion obviously because I have not used FEDEX.

    Thanks for confirming.

    This is my main email address that was attacked. I do not usually recieve scam emails to this address

  5. Alan says:

    Yep I got this one too today:

    >Unfortunately we were not able to deliver postal package you sent on
    >August the 1st in timebecause the recipient’s address is not
    >correct.Please print out the invoice copy attached and collect the
    >package at our office Your FEDEX.com

    I think I’m going to avoid the attached zip file. Mine is called:
    NFE676152…zip (38.5 KB)

    I had used fedex recently so I can imagine it’s easy to make the mistake.

  6. Al says:

    I received the same email today and just like Mark, I recently used an online travel booking site. Mine was Travelocity. Maybe it’s just a coincidence.

  7. I just received this email as well. Quite obviously a virus. I use an online travel company as well… but honestly who hasn’t? The email they sent it to is my old “public” email so she’s been around the block.

  8. I am seeing this message starting to appear in our spam quarantine boxes. They are being tagged as spam, but we use FEDEX, so I have users inquiring as to whether or not they should be opening it. I know for a fact that NORTON scans the ZIP and deems it clean. There for people using NORTON products should be extra careful.

  9. Mike says:

    OK, So how do I get rid of it?

    Your comment says “7 of 36″ detct the virus, without mentioning which 7, and you don’t mention which of the 7, if any, get rid of it.

    I have it, having recently used FedEx to send a very important package, and clicked on the ^*)_)+&%!!~ file before I realized it was an EXE file. Stupid, I know, but there you are!

    My virus scanner did NOT detect the virus.

    One of the things the virus does is disable TASKMAN somehow, so I can’t shut it down easily.

    Thanks!

  10. mxlab says:

    The link to Virus Total gives you an overview of the analysis of the submitted virus/trojan and a list of anti virus engines that detect the virus with the virus name to it. Your can follow the Virus Total link that is placed in the blog article.

    MX Lab does not test the anti virus engines against new virus outbreaks to see which anti virus engines removes the virus. MX Lab has no direct connection, wether commercial or any other way, with the listed anti virus vendors.

    At MX Lab our mission is to detect and intercept before the message with malware gets on to your mail server, network or computer.

    If your computer is infected you might check out the other postings and comments from visitors on this blog regarding the FedEx trojan. Some visitors have posted links to software or guides on how to remove the malware. However, we detected an new outbreak so it is possible that you just received the latest variant. It’s possible that some removal guides won’t be effective for this new variant

  11. Mark S says:

    I also received this FedEx thing today (8/20) at two of my e-mail addresses. The name of the sender was different, but both zip files contained the same exe file: WD6128922.exe

    Unfortunately, I clicked on the exe file without thinking. My virus software (Panda) did not detect a threat. The program appears the same as the UPS Trojan which installs malware — which does the following:

    The malware is copied in the system, replacing the Windows Userinit.exe (this file is the one which runs explorer.exe, the interface of the system and other important processes), copying the legitimate file as userini.exe, so that the computer can work properly.

    Additionally, it establishes a connection with a Russian domain, which has been used on some occassions by banker Trojans. From this domain it will redirect the request to a German domain in order to download a rootkit and a rogue antivirus – AntivirusXP2008 respectively.

    I found that restoring my system to the previous day cleared up a lot of the problem and running Malwarebyte’s Anti-Malware scan picked up what the system restore did not.

  12. hey dude I like your post really

  13. Nadine Cornell says:

    I received my email this morning at 4:10 a.m. (not being able to deliver a package by August 1…) Mine was sent by Seth Mercer and the Fedex Tracking N 4942962183. I have not used any travel websites and do not use Fedex. I just deleted it. Thank you all for putting these messages out there. I assumed it was a virus, but I like the confirmation.

  14. Charlene says:

    I got it today. I was suspicious although I am expecting some packages and sent one out yesterday. First off, if FedEx wanted to contact me via email, there should be a logo heading on the email. The spam that was send to me was just too informal. And if they want to send me a notification, why on earth is a zip file necessary? But thanks for confirming with me about this spam, I know I’m not the only one that ‘has a package not delivered’ ;)

    • Gee Gee says:

      In reply to Charlene:

      I just wanted to add to your theory about a logo heading on the email. YOU CAN NOT expect that to be the case. I also recently recieved this email, not one but twice in the recent past. The first with no logo, the second with a Heading logo for USPS, it sent my computer into a continious loop, that I was unable to get past. I had to take it to the shop. And just after opening them I recieved two disturbing emails of Islamic propaganda. (Too wierd for me.)
      Just today I recieved one from Fed Ex.
      After fearing the loss of a years worth of work on a Heritage Cook Book, I learned not to open those things.
      The Post Office advised me that in an actual situation, there would have been a notice in my mail box or on the door of my home if there were indeed a package that couldn’t be delivered for some reason.

  15. Bob Brown says:

    I also recieved the identical mail from a Blache Robison the email address was iykr@bonitahealthcentre.com. I did not open the zip zttachement and will now delete it

  16. tibo says:

    Hi,

    We also have received the Fedex “spams”. We’re using Mac, are we as vulnerable as Microsoft users ?

    Thanks for the good job.

    Thibaut

  17. mxlab says:

    “We also have received the Fedex “spams”. We’re using Mac, are we as vulnerable as Microsoft users ?”

    No, these are viruses and trojans for Windows operating systems like XP, Vista. MacOS X, other UNix or Linux based OS is safe for this one.

    However, some people respond to viruses and trojans like ‘get Linux’ or ‘get MacOS X’. They think that by using another OS besides Windows is safe regarding viruses and trojans.

    This way of thinking is quite wrong because there are also viruses and trojans, much less of course, designed for running on Linux, MacOS X,.. but they simply don’t get updated and distributed like a Windows virus/trojan version. This platform is much larger and more interesting for malware writers.

  18. mxlab says:

    When you use virtualisation, like Parallels for ex, you are in fact creating a true Windows environment on top of MacOS X. It works like the real Windows on a pc desktop/laptop or when booted using Bootcamp. So yes, viruses will work in this case.

  19. Randy says:

    same wording almost to the letter, and I am waiting foe a package.
    Other than the 30 other “golfbal” e-mail addresses in the bcc I was about to open it.
    and since then I have got this email a couple of times.

  20. Bernhard Hiller says:

    And now they do the next step: the attachment already reads
    [Virus entfernt] FEDEXInvoice….zip
    [Virus entfernt] is German for [Virus removed], quite appropriate for sending a virus to a German email adress.
    Furthermore, the hijacked computer sending the email (directly, without a “normal” email server inbetween) pretends to the receiving computer that its name is fedex.com:
    from [125.170.6.149] (helo=fedex.com)
    but the IP adress belongs to a Japanese network.

  21. Dadzie says:

    I got the fedex spam 2day. Unfortunately i opened the zip file and now i cant open any app on my PC. I am desperate pls help!

  22. p says:

    Dear customer.

    The parcel was sent your home address.
    And it will arrive within 7 business day.

    More information and the tracking number are attached in document below.

    Thank you.
    © FedEx 1995-2011

    • I recieved the same e-mail. The parcel was sent your home address and it will arrive in 7 days, My anti virus deleted the attachment before I got to the e-mail.

  23. Anna Whitmore says:

    I’ve received like 20+ of them. I can’t stop them!!!

  24. William says:

    I am having to delete like 4 or 5 of these a day from my yahoo spam box. Sometimes more. LOL. I get them from every delivery company. UPS, FedEx, and DHL.

    I had just recently sent something, too. But it was via USPS…not UPS. The email was short, full of grammatical and spelling errors. Had that stupid SIR/MADAM heading which no company would use.

    Zip file? Hah! I don’t think so!

    But, my, they’re persistent buggers.

  25. tom says:

    i’m a dumbass i opened it on my windows vista and now have the dreaded blue screen ,before it turned blue i had a hard drive failure message any help fixing this is appreciated

  26. F says:

    After sending an email to a catalog company requesting TRACKING (I think someone homed in on that word) of the order I hadn’t received it, I have received no fewer than 20 of these emails, sometimes three a day. The ludicrous part of it is, they all have wording like “Postal Service” and “our post office” – and yet have the FedEx logo on them. And written obviously by someone for whom English is not a first language. I just want to know how to stop them, they are really annoying. And invasive. Does anyone really fall for this stuff??
    I did finally get my order, by the way. It was sitting at the post office.

Follow

Get every new post delivered to your Inbox.

Join 315 other followers

%d bloggers like this: