New UPS trojan variant: Delivery problems
January 11, 2009
A new UPS trojan variant is being detected as Mal/Zbot-G by Sophos and as VirTool:Win32/Obfuscator.CT by Microsoft.
MX Lab was the first to submit the file to Virus Total for analysis. Only 2 of the 36 AV engines at Virus Total detected the trojan at the time of writing. Be aware that this email contains malware, so don’t open the attachment.
The sender's email address is: United Postal Service <tracking@ups.com>.
The subject is: Delivery problems
The content of the body:
Hello!
Sorry, we were not able to deliver postal package you sent on December the 25th in time because the recipients address is not correct. Please print out the invoice copy attached and collect the package at our office.
Your UPS Support Team
The attached file is named UPSInv.zip and the ZIP archive contains UPSInv.exe.
Please note that the sender's email address, the subject, body and attached file names can change.
This is the Trojan-Spy.Zbot.YETH, a rootkit trojan that steals online banking information and also downloads other malware. The origin is possibly the Russian Federation.
Local files created:
%System%\twain32\local.ds
%System%\twain32\user.ds
%System%\twain32\user.ds.lll
%System%\twex.exe
Several Windows registry changes are made; one of them ensures that twex.exe runs every time Windows starts. The trojan also connects to the host 91.211.65.33 on port 80 and issues a GET request for ferrari/admin.bin.
Virus Total permalink and MD5 hash: 61a1617ddb5c5bdb495b29bd1719e965.
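As an added example (not part of the original post), the following Python sweep looks for the network and file indicators listed above in a proxy log and a file listing. The log format, the sample lines and the C:\Windows\System32 expansion of %System% are assumptions made for the example.

```python
import ntpath
from urllib.parse import urlsplit

# Indicators taken from the post above.
C2_HOST = "91.211.65.33"
C2_PATH = "/ferrari/admin.bin"
DROPPED = [r"twain32\local.ds", r"twain32\user.ds",
           r"twain32\user.ds.lll", r"twex.exe"]  # relative to %System%

def scan_proxy_log(lines):
    """Return (client, url, reason) for requests matching host and/or path.

    Assumed, constructed log format: timestamp client_ip method url status
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line
        client, url = fields[1], fields[3]
        parts = urlsplit(url)
        reasons = []
        if parts.hostname == C2_HOST:
            reasons.append("host")
        if parts.path.lower() == C2_PATH:
            reasons.append("path")
        if reasons:
            hits.append((client, url, "+".join(reasons)))
    return hits

def scan_file_listing(paths, system_dir=r"C:\Windows\System32"):
    """Return listed paths equal to a dropped file (case-insensitive, as on Windows).

    system_dir is an assumed expansion of %System%.
    """
    wanted = {ntpath.normcase(ntpath.join(system_dir, rel)) for rel in DROPPED}
    return [p for p in paths if ntpath.normcase(ntpath.normpath(p)) in wanted]

# Constructed sample data, not real telemetry.
SAMPLE_PROXY = [
    "2009-01-11T09:14:02 10.0.0.21 GET http://91.211.65.33:80/ferrari/admin.bin 200",
    "2009-01-11T09:14:05 10.0.0.34 GET http://www.example.com/index.html 200",
    "2009-01-11T09:20:11 10.0.0.57 GET http://192.0.2.10/ferrari/admin.bin 200",
    "truncated-line",
]
SAMPLE_FILES = [r"C:\WINDOWS\system32\twex.exe",
                r"C:\WINDOWS\system32\twain_32.dll",
                r"c:\windows\system32\twain32\user.ds.lll"]
```

Matching host and path separately means a request for the same path on a different server is still reported, as is any other request to the listed host.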

Hi, We use only a Mac. Will this infect my system?
thanks
Nope,
your mac won’t be infected by this, since it’s an exe file, which doesn’t work on mac.
however, you should still avoid opening such files.
most of the time it’s very easy to find out about a certain email just by searching for contents of it on google.
for now we mac users are safe regarding viruses and other malware. but as the apple community grows, it’s just a question of time til some a-hole finds a way to hack the system.
I opened this file when I received an E Mail. What should I do?
well if u did double click the .exe i think change ur bank data (if u use online banking) and keep an eye on ur account
run every virus scanner possible and maybe get ad-aware and run it
im not a pro, but that is what i wud do to start with
or reinstall ur backup (which i hope u have)
and never again run any .exe from an email address that doesnt make sense
specially if u didnt send anything by UPS, or if it doesnt give a UPS persons name
I received the bloody email an hour ago..n im in holland O.o we dont use UPS so it didnt make sense to me to begin with
also when u do receive email u dont trust look them up on google and see if it is a trojan/malware or any other kind of virus
I accidentally downloaded this virus and after realizing it didn’t open I thought it might be fake and a virus so I looked it up on google and found this. What do I do now?
Oddly enough, this message from UPS comes into my mailbox
several days after a successful delivery from Canada Post.
I am going to notify Canada Post about this because I wonder
if there is some way UPS is poaching Canada Post’s expedited
delivery records or if someone in Canada Post is leaking
the information.