New UPS trojan detected: TrojanSpy.ZBot.DGI

Posting updated on 10 March 2009. Read the new information at the end of this posting.

MX Lab intercepted a  few messages, with the zero hour anti virus system, that claim that the delivery of the postal package that is handled by UPS has failed due to an incorrect address. At the time of writing, 03.02.2009 22:55:45 (CET), only 7 of the 38 anti virus engines detect this new variant.

The trojan is named TrojanSpy.ZBot.DGI (VirusBuster), Trojan-Dropper.Delf (Ikarus) or VirTool:Win32/DelfInject.gen!J (Microsoft).

The from address is spoofed and contains “United Postal Service <tracking@ups.com>”.

The message contains the following body content:

Hello!

Sorry, we were not able to deliver postal package you sent on February the 23th in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office.

Your UPS Support Team

The trojan hides itself inside the file Invoice_8612112.exe once you have extracted the ZIP archive Invoice_8612112.zip. Names and numbers may vary.

It has the same characteristics as in one of our previous blog posts with the difference that the connection to the remote host 91.211.65.33 now tries to get /ejik/admin.bin and /ejik/hot.php.

Virus Total permlink and MD5: a3d1a160e6ce8ca4c2b4421731e549c2.

Update 10 March 2009: A new variant is being distributed. The attached file is named UPS_ID.zip and contains the trojan UPS_ID.exe.

Virus Total permlink and MD5: b5e44647bc1f08c4d7f32fc933db1ac6.