FedEx Tracking number trojan

MX Lab has intercepted a few messages with the subject “[NO-REPLY] FedEx Tracking Number 26901603” carrying an attached trojan. After the UPS Tracking trojan campaign, it’s now FedEx’s turn.

The content of the email has the same characteristics as the UPS trojan:

Unfortunately we were not able to deliver postal package you sent on July the 31 in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office

Your FedEx

The email carries a zip archive named FedEx_Invoice.zip containing the executable FedEx_Invoice_N882874421.exe. The “tracking number” in the subject and in the file name can of course change from message to message.

Virus Total results and MD5: da90a0c3000eb90ebc9394e5568c5c9a. Only 7 of the 36 antivirus engines detect the trojan, so be careful when you receive this message: a clean scan of the attachment is not proof that it is harmless.
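The lure above is easy to triage mechanically: a zip attachment whose member is a Windows executable is the indicator, and the MD5 from the post can be matched as a secondary check. The script below is an added example written for this page, not MX Lab’s own tooling. It parses an .eml message, opens each zip attachment, flags members with executable extensions and compares member hashes against a small IOC list seeded with the MD5 reported above. The sample message it builds is constructed here (the sender, recipient and the bytes inside the “.exe” are made up and inert), so its hash will not match the real sample; only the file-type rule fires on it.

```python
"""Triage an e-mail for the 'invoice in a zip' lure (added example)."""
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# MD5 the post reports for FedEx_Invoice_N882874421.exe
KNOWN_BAD_MD5 = {"da90a0c3000eb90ebc9394e5568c5c9a"}

# Extensions Windows runs directly on double-click
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

# Refuse to inflate oversized members (cheap zip-bomb guard)
MAX_MEMBER_SIZE = 5 * 1024 * 1024


def build_sample_message() -> bytes:
    """Constructed lookalike of the lure; the 'executable' is an inert byte string."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("FedEx_Invoice_N882874421.exe", b"MZ-not-really-a-program")
    msg = EmailMessage()
    msg["Subject"] = "[NO-REPLY] FedEx Tracking Number 26901603"
    msg["From"] = "noreply@example.invalid"  # constructed sender
    msg["To"] = "victim@example.invalid"     # constructed recipient
    msg.set_content("Unfortunately we were not able to deliver postal package ...")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="FedEx_Invoice.zip")
    return msg.as_bytes()


def triage(raw: bytes) -> list:
    """Return one finding per zip member that is executable or matches an IOC."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER_SIZE:
                    findings.append({"attachment": name, "member": info.filename,
                                     "md5": None, "executable": False,
                                     "known_bad": False, "oversized": True})
                    continue
                member = zf.read(info)
                md5 = hashlib.md5(member).hexdigest()
                is_exec = info.filename.lower().endswith(EXEC_EXTENSIONS)
                if is_exec or md5 in KNOWN_BAD_MD5:
                    findings.append({"attachment": name, "member": info.filename,
                                     "md5": md5, "executable": is_exec,
                                     "known_bad": md5 in KNOWN_BAD_MD5,
                                     "oversized": False})
    return findings


if __name__ == "__main__":
    for f in triage(build_sample_message()):
        print(f)
```

Treat the extension rule as the primary signal: the post notes that the tracking number in the file name changes, and each rebuilt sample also changes the hash, so an MD5 list only catches the exact file already seen.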

19 Responses to FedEx Tracking number trojan

  1. Martin says:

    Thanks for this info. I’ve just received a message with almost identical wording. It has a different number and date and APPEARS to come from a ‘Wallace Ratliff’. It bears the ‘invoice’ attachment and a link to ‘FEDEX.com’. I mailed FEDEX for advice … no response so far. It’s good to have my suspicions confirmed. Thanks for the service.

    Martin

  2. Mark Conway says:

    I received one of these this morning. It was sent to an email address that I recently used when dealing with a large online hotel booking company and was not a result of random email generation by the phishers (or was an astronomically high coincidence level). Most phishing that I receive is through randomly generated domain email addresses that are forwarded to my real mail accounts – these I consider to be normal background noise and ignore, but because this was a ‘valid’ address I went googling and found your excellent site. Should I be informing this company that I received this trojan, or is this email address likely to have been intercepted between my pc and their website (rather than through access to their servers)?

    Thanks,

    Mark

  3. Brett says:

    I received this email today, and although I right clicked on the zip file and chose ‘Scan for Viruses’, which came up clean, when I unzipped and double clicked on the file my computer shut down and rebooted.

    Then I got a nasty Trojan or two, some kind of Spyware that I’m still trying to remove.

    What’s notable is that there’s what appears to be a ‘Windows’ alert in the lower right coming out of the systray, saying that I should click there to download the recommended Windows tool to remove, but there’s a very suspicious typo in the message!

    So who knows what happens next when you download that file.

    Anybody have a suggestion for removing this? Symantec so far unsuccessful and giving me the blue screen of death. IT guy coming tomorrow…

  4. John says:

    Received this today. Had suspicion obviously because I have not used FEDEX.

    Thanks for confirming.

    This is my main email address that was attacked. I do not usually receive scam emails at this address.

  5. Alan says:

    Yep I got this one too today:

    >Unfortunately we were not able to deliver postal package you sent on
    >August the 1st in time because the recipient’s address is not
    >correct. Please print out the invoice copy attached and collect the
    >package at our office Your FEDEX.com

    I think I’m going to avoid the attached zip file. Mine is called:
    NFE676152…zip (38.5 KB)

    I had used fedex recently so I can imagine it’s easy to make the mistake.

  6. Al says:

    I received the same email today and just like Mark, I recently used an online travel booking site. Mine was Travelocity. Maybe it’s just a coincidence.

  7. I just received this email as well. Quite obviously a virus. I use an online travel company as well… but honestly who hasn’t? The email they sent it to is my old “public” email so she’s been around the block.

  8. I am seeing this message starting to appear in our spam quarantine boxes. They are being tagged as spam, but we use FEDEX, so I have users inquiring as to whether or not they should be opening it. I know for a fact that NORTON scans the ZIP and deems it clean. Therefore people using NORTON products should be extra careful.

  9. Mike says:

    OK, So how do I get rid of it?

    Your comment says “7 of 36” detect the virus, without mentioning which 7, and you don’t mention which of the 7, if any, get rid of it.

    I have it, having recently used FedEx to send a very important package, and clicked on the ^*)_)+&%!!~ file before I realized it was an EXE file. Stupid, I know, but there you are!

    My virus scanner did NOT detect the virus.

    One of the things the virus does is disable TASKMAN somehow, so I can’t shut it down easily.

    Thanks!

  10. mxlab says:

    The link to Virus Total gives you an overview of the analysis of the submitted virus/trojan and a list of antivirus engines that detect the virus, with the virus name next to it. You can follow the Virus Total link that is placed in the blog article.

    MX Lab does not test the antivirus engines against new virus outbreaks to see which antivirus engines remove the virus. MX Lab has no direct connection, whether commercial or any other way, with the listed antivirus vendors.

    At MX Lab our mission is to detect and intercept before the message with malware gets on to your mail server, network or computer.

    If your computer is infected you might check out the other postings and comments from visitors on this blog regarding the FedEx trojan. Some visitors have posted links to software or guides on how to remove the malware. However, we detected a new outbreak, so it is possible that you just received the latest variant. It’s possible that some removal guides won’t be effective for this new variant.

  11. Mark S says:

    I also received this FedEx thing today (8/20) at two of my e-mail addresses. The name of the sender was different, but both zip files contained the same exe file: WD6128922.exe

    Unfortunately, I clicked on the exe file without thinking. My virus software (Panda) did not detect a threat. The program appears the same as the UPS Trojan which installs malware — which does the following:

    The malware is copied in the system, replacing the Windows Userinit.exe (this file is the one which runs explorer.exe, the interface of the system and other important processes), copying the legitimate file as userini.exe, so that the computer can work properly.

    Additionally, it establishes a connection with a Russian domain, which has been used on some occasions by banker Trojans. From this domain it will redirect the request to a German domain in order to download a rootkit and a rogue antivirus – AntivirusXP2008 respectively.

    I found that restoring my system to the previous day cleared up a lot of the problem, and running Malwarebytes’ Anti-Malware scan picked up what the system restore did not.
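The behaviour described in the comment above (the dropper overwriting Userinit.exe and parking the real one as userini.exe) points at a specific persistence location to check: the Winlogon Userinit registry value and the contents of System32. The script below is an added example written for this page; it is not the commenter’s, Panda’s or MX Lab’s code. The core check is a pure function that takes the registry value and a directory listing as plain inputs so it can be run and tested on any OS; check_live_host() shows how to feed it real data on a Windows box via winreg. Assumptions to note: the expected value C:\Windows\system32\userinit.exe, (trailing comma included) is the clean-install default and must be adjusted for a different SystemRoot; the baseline MD5 is whatever you recorded from a known-good host, not a value from the post; and the "dropper.exe" entry in the test input is a constructed name.

```python
"""Check the Winlogon Userinit persistence point (added example)."""
import hashlib
import os
from typing import Iterable, List, Optional

# Registry key Winlogon reads to decide what to launch after logon.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Clean-install default (assumes SystemRoot is C:\Windows); compared case-insensitively.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def check_userinit(userinit_value: str, system32_files: Iterable[str],
                   userinit_md5: Optional[str] = None,
                   baseline_md5: Optional[str] = None,
                   expected: str = EXPECTED_USERINIT) -> List[str]:
    """Return a list of human-readable issues; an empty list means nothing odd was seen."""
    issues: List[str] = []

    # Userinit is a comma-separated list; anything beyond the stock entry is suspect.
    entries = [e.strip().strip('"').lower()
               for e in userinit_value.split(",") if e.strip()]
    if not entries:
        issues.append("Userinit value is empty")
    for entry in entries:
        if entry != expected.lower():
            issues.append(f"unexpected Userinit entry: {entry}")

    # The comment says the real binary is kept alongside as userini.exe.
    names = {os.path.basename(f).lower() for f in system32_files}
    if "userini.exe" in names:
        issues.append("userini.exe present in System32 (renamed original userinit.exe?)")
    if "userinit.exe" not in names:
        issues.append("userinit.exe missing from System32")

    # Compare the on-disk binary with a baseline recorded from a known-good host.
    if userinit_md5 and baseline_md5 and userinit_md5.lower() != baseline_md5.lower():
        issues.append(f"userinit.exe MD5 {userinit_md5} differs from baseline {baseline_md5}")
    return issues


def md5_of_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_live_host(baseline_md5: Optional[str] = None) -> List[str]:
    """Run the check against the local machine; winreg exists only on Windows."""
    import winreg  # assumption: this is called on a Windows host
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    files = os.listdir(system32)
    userinit = os.path.join(system32, "userinit.exe")
    current = md5_of_file(userinit) if os.path.exists(userinit) else None
    return check_userinit(value, files, current, baseline_md5)


if __name__ == "__main__":
    # Constructed inputs standing in for a compromised host.
    sample_value = r"C:\Windows\system32\userinit.exe,C:\Windows\system32\dropper.exe,"
    for issue in check_userinit(sample_value, ["userinit.exe", "userini.exe"]):
        print(issue)
```

Take the baseline hash from a machine of the same Windows build and patch level, because userinit.exe legitimately changes with updates; a mismatch is a reason to look, not a verdict on its own.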

  12. hey dude I like your post really

  13. Nadine Cornell says:

    I received my email this morning at 4:10 a.m. (not being able to deliver a package by August 1…) Mine was sent by Seth Mercer and the Fedex Tracking N 4942962183. I have not used any travel websites and do not use Fedex. I just deleted it. Thank you all for putting these messages out there. I assumed it was a virus, but I like the confirmation.

  14. Charlene says:

    I got it today. I was suspicious although I am expecting some packages and sent one out yesterday. First off, if FedEx wanted to contact me via email, there should be a logo heading on the email. The spam that was sent to me was just too informal. And if they want to send me a notification, why on earth is a zip file necessary? But thanks for confirming with me about this spam, I know I’m not the only one that ‘has a package not delivered’ ;)

  15. Bob Brown says:

    I also received the identical mail from a Blache Robison; the email address was iykr@bonitahealthcentre.com. I did not open the zip attachment and will now delete it.

  16. tibo says:

    Hi,

    We also have received the Fedex “spams”. We’re using Mac, are we as vulnerable as Microsoft users ?

    Thanks for the good job.

    Thibaut

  17. mxlab says:

    “We also have received the Fedex “spams”. We’re using Mac, are we as vulnerable as Microsoft users ?”

    No, these are viruses and trojans for Windows operating systems like XP and Vista. Mac OS X and other Unix- or Linux-based OSes are safe from this one.

    However, some people respond to viruses and trojans with ‘get Linux’ or ‘get Mac OS X’. They think that using another OS besides Windows is safe regarding viruses and trojans.

    This way of thinking is quite wrong, because there are also viruses and trojans, much fewer of course, designed to run on Linux, Mac OS X, etc., but they simply don’t get updated and distributed like a Windows virus/trojan version. The Windows platform is much larger and more interesting for malware writers.

  18. mxlab says:

    When you use virtualisation, like Parallels for example, you are in fact creating a true Windows environment on top of Mac OS X. It works like the real Windows on a pc desktop/laptop or when booted using Boot Camp. So yes, viruses will work in this case.
