Email with DHL tracking number contains W32/Trojan3.AKC trojan


MX Lab intercepted a few messages claiming that delivery of a postal package handled by DHL has failed due to an incorrect recipient address.

The subject contains “DHL Tracking number #05CME637072VHBD”, the attachment is named DHL_HELP.zip and the body of the email contains the following message:

Hello!

We were not able to deliver postal package you sent on the 14th of March in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office.

Your personal manager: Christy Block,

Customer Service: 1-800-CALL-DHL
Fax: 888-221-6211
DHL International, Ltd. All Rights Reserved.

VirusTotal permalink and MD5: 469585cf90d45d43566aed92c21807ed.
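
As an added example (not MX Lab's code), the indicators given in this post (subject pattern, zipped attachment, MD5) can be checked against a raw message with a short Python triage function. The extension list, the size cap, the sample addresses and the archive member name `invoice.exe` are assumptions constructed for illustration; the post does not say whether the MD5 refers to the archive or to a file inside it, so both are hashed.

```python
import hashlib
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

KNOWN_MD5 = {"469585cf90d45d43566aed92c21807ed"}  # MD5 quoted in the post
SUBJECT_RE = re.compile(r"DHL\s+Tracking\s+number", re.IGNORECASE)
# Assumptions (not from the post): risky member extensions and a size cap.
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
MAX_MEMBER = 10 * 1024 * 1024


def inspect_message(raw, known_md5=KNOWN_MD5):
    """Return the sorted reasons a raw RFC 5322 message matches the campaign."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = set()
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        reasons.add("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if hashlib.md5(data).hexdigest() in known_md5:
            reasons.add("known-md5")
        if not name.endswith(".zip"):
            continue
        reasons.add("zip-attachment")
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.filename.lower().endswith(RISKY_EXT):
                        reasons.add("executable-in-zip")
                    # Skip encrypted members and those declaring a huge size.
                    if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER:
                        continue
                    if hashlib.md5(zf.read(info)).hexdigest() in known_md5:
                        reasons.add("known-md5")
        except zipfile.BadZipFile:
            reasons.add("unreadable-zip")
    return sorted(reasons)


def build_sample():
    """Constructed message; the archive member holds harmless text bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"constructed placeholder, not malware")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "DHL Tracking number #05CME637072VHBD"
    msg.set_content("Please print out the invoice copy attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="DHL_HELP.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(inspect_message(build_sample()))
```

A hash match is the only strong signal here; the subject and attachment checks are heuristics meant for quarantine and review, since later variants in the comments below use different subjects and file names.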

50 Responses to Email with DHL tracking number contains W32/Trojan3.AKC trojan

  1. LT says:

    One of the people I work for forwarded me this message and asked me to find out what it was. I stupidly opened the attachment. How bad is it and what can I do to get rid of it?

  2. kr says:

    I too got this email. We use DHL often in our company, so I thought nothing of getting an email about a package. I started to unzip the DHL.zip file, when all of a sudden I got a message about a change in my registry. I quickly realized this was a trojan of some sort and deleted it. However, I’ve been getting warnings all day about threats and quarantines that have failed. Anybody got any further info?

    • Renz says:

      Hi..

      I had the same problem. I backed up my data, formatted my hard drive and installed a new operating system.

      Renz

  3. Tmj says:

    I too got this email today and we use DHL so stupidly :( I opened it also. I stopped the download but it was too late. I ran a scan disk and it alerted me of the virus (a bit too late).
    I read on the internet some things are not recoverable from this virus, like Excel spreadsheets. I guess I will know the damage next Tuesday when our IT guy comes in. We are holding our breath it did not reach our server!!

  4. Pingback: Top Posts « WordPress.com

  5. Fred G says:

    Hi,

    My company just got the same email. Spread the word and not the virus, don’t open the attachment!!!!!

  6. Ash Blue says:

    We also got the email, but I was suspicious of it and decided to research it first and found you guys, thanks for the save!

  7. hmm says:

    lol I got this in an email, I thought “DHL? I don’t use them or I haven’t ever” so I clicked the attachment for lolz, and it said “this is infected with an unknown virus so you are unable to open the file”. Go my antivirus ftw

  8. Jax says:

    I have had a few of these but good for my antivirus told me straight. What I want to know is why DHL isn’t getting to the bottom of this. Bad news for DHL. I would actually like to forward email to them…I shall phone them tomorrow.

  9. paul says:

    I too got it today but thanks to McAfee when I open the mail it just reported it has already deleted it.

  10. Mark says:

    I just got the DHL express e-mail version with the .zip file.

  11. Andy Janssen says:

    Just another reason that we need to stop sending attachments at all, and only use trusted websites / ftp sites to trade data back and forth.

  12. kmv says:

    Is this virus harmful and what is the impact of it?

  13. mxlab says:

    Viruses, trojans and malware are always harmful. Some do little damage while others can destroy key components of your operating system and others will send out spam. It all depends on how the virus is programmed and what features, if I may use this term, it has. The impact can be limited (minor infection, easy to clean up the virus) or severe (overwrites operating system files, deletes and/or encrypts files, and so on).

    Visit http://blog.mxlab.eu/ and get the latest news on top. This article is in the meantime quite old.

  14. Chris says:

    Thanks for this article. I just received the DHL email – Subject: “DHL Tracking Number 6222258873” from “shipping @DHL.com” (1/20/10 it’s still going around) but I was suspicious seeing as how I have no shipments on the way for me. Decided to look it up and now I’m safe. Thanks for this valuable writeup.

    • Jayne says:

      I too have just received this e-mail and I’ve opened it. The e-mail address though is not mine but was sent to my address. I’ve opened the label. Can anyone help please? Thanks

      • Terry Lamb says:

        If you have access to another PC download the ‘Avira Rescue CD ISO’ from http://www.avira.com and create the boot CD.

        Start and boot your system from this CD, check the settings to RENAME the infected files found and run a Full Scan of your system.

        This will find them and any others you may have and mark/rename the files with the .xxx extension.

        If you have internet connection on the infected PC, Avira will go and pick up the latest updates for you before you run the scan. It is easy to use, just take a minute to read and set the options before you scan.

  15. klk says:

    Ditto…Thank goodness for this thread which came up when I ‘googled’ DHL Tracking Number as all of a sudden I have been receiving these emails (straight into my SPAM and I have been deleting immediately without opening)…and thought this was strange…never heard of this company before….so thank you for confirming what I had suspected!!
    Cheers

  16. batman says:

    There seems to be a new variant where instead of a parcel being undeliverable there is a voucher to obtain for being a good customer. Needless to say, if one uses DHL often and then the header for the email sender appears to be from a valid email address, i.e. someone@dhl.co.uk, then it is understandable that someone opens it.

    This is quite a difficult set of viruses to remove but I have been doing it slowly with various online scanners (BitDefender & F-Secure); I had AVG Free, mixed success. Running Windows Vista – and the virus gets into all sorts of executables. Windows pop up which imply you can protect if you click – but these are the virus too.

    Try: (if you have internet access from the infected pc/laptop) (some can be run in safe mode with networking access option selected)
    1. Run the Microsoft Windows Malicious Software Removal Tool :
    http://www.microsoft.com/security/malwareremove/default.mspx
    2. Download, install, update and run:
    (a) SUPERAntispyware (freeware)
    http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE (all one string in your browser address field)
    and
    (b) Malwarebytes’ Anti-Malware (freeware).
    http://www.malwarebytes.org/mbam.php
    3. Run this online scan (in safe mode with networking, if possible):
    http://onecare.live.com/site/en-us/center/howsafe.htm
    4. See and follow carefully:
    “Checking for/Help with Spyware, Malware and Hijackware”
    http://blogs.dotnethell.it/vincent/Post_4820.aspx

    If you cannot connect to internet then you can burn a bootable cd (from a non-infected pc) with anti virus software on it – several good sites (search for bootable anti virus cd)

    Good Luck!

  17. Matt says:

    I use a free program called Malwarebytes or something like that. It gets rid of trojans, malware, and browser hijackers.

    Here is their site http://www.malwarebytes.org/mbam.php

    I am not sure if this blog allows links so if you can’t see the address type “mbam” without the quotes into Google and it should be the first link after the advertisements.

    I am sure this will help. I had a virus stop me from installing this program as an exe., even in safe mode. If this happens go to the site and it will tell you how to change the extension and install it.

  18. Tom says:

    My mum got this email about 3 days ago. She opened it, and opened the attachment. I came in, read the email, and told her not to go any further, thinking it was just a mistake. We were a bit suspicious because the email address it was sent to wasn’t hers, it was something like ‘rjclarke10@hotmail.com’.

    The next morning, the PC wouldn’t start properly. It said ‘Windows failed to start. Please insert the Windows installation disc or contact the system administrator’. We couldn’t find the disc anywhere, we went to PC World to ask. We were going to buy a new one when my brother searched online and found out about a ‘Trojan Horse’. Then yesterday he formatted the entire hard drive. We lost EVERYTHING.

    I hate this world.

  19. The Lone Stranger says:

    I have the solution to this horrible virus. Go to http://www.apple.com, select any of their machines and proceed to cart. Upon delivery you will enjoy a virus free life.

    • DA says:

      Alternatively just don’t turn your PC on – it’ll still be as useful as a Mac (although it might not make as a pretty a paperweight!)

  20. Terry Lamb says:

    It is a pity you see comments such as these from ‘The Lone Stranger’, I saw a Mac with five viruses the other day, so your days of infection free are numbered.

    At least if the Mac users utilised Anti-Virus package for their own protection they would not be one of the platforms used to propagating infected Documents and files to Windows based systems.

    As Linux and Mac systems become more popular, their risk increased dramatically.

    Regards,
    terryl

  21. RebelliousUno says:

    This appears to still be going around, though GMail refused to download it from the email server it was sent to.

  22. Dave says:

    Yep,
    I deal with DHL a lot and in fact received a package from them a couple of days ago, so when I received this e-mail it never crossed my mind it might be spurious and clicked it. I am on a work computer with quite good security I think but Symantec didn’t see anything wrong with it so I am unsure if any damage was done or not.
    Any way to test if I got bitten or not?

  23. Aicis says:

    Just got this email.
    Was clever enough to notice that it’s not coming from DHL’s email and that documents as these would be sent out as *.pdf files, not archives.
    Looked it up and here I am – approving my concerns.

  24. Aicis says:

    Dave – open your antivirus and do a full system scan

  25. Wille says:

    Thank you for the information. I got an email like this and thought it was about a product I’ve ordered. When I opened the file my antivirus said that it was infected so I googled for DHL virus and found this. I can’t thank you enough.

  26. Meredith says:

    I got an email this morning and was leery because I would normally think they would call and not email….I tend to only give this email addy to those I personally know and wasn’t expecting a package. It also said delivery failed but in the next sentence it said it would be delivered in 5 days as it was being shipped out today…..anyways, I did a google search and found this thread…..I now know that I won’t be opening the attachment…thanks all for the heads up!
    I feel bad for the actual company DHL, because people are always going to be skeptical of them…at first when I did the search, it just kept taking me to their website….but then I put in that it was an email plus the words “is it safe to open”…Whenever investigating something like this, always do multiple types of searches with different words as my experience goes to show the first results may not be the accurate one!

  27. david f says:

    Hi, I’ve had the virus as I was stupid enough to open it! As soon as you do it downloads a program with a number with a symbol of a blue cross which puts up messages saying your computer is infected..but this is also the virus!
    1. Close the program which appears to mimic security centre. (it will have a blue cross and appear on the taskbar). Whatever you do IGNORE the request to turn defender off!!! I had to close it three times before it finally stopped popping up.
    2. Run a full system scan immediately. Delete all infections found.
    3. Search for system32 and appdata and download directories and look for any files that were downloaded/created at the time of the download (assuming you can remember this of course!)..delete the files found.
    4. Run Windows Defender and select Software Explorer to check which programs are running and which autostart. For each program in turn check the date it was created………anything created at the time of the download, disable it…..I found the following files kept cropping up: svchost.exe, dwm.exe (or something similar), a few others.
    5. Since then my computer has run as normal…..I’ve not noticed any files missing or damaged. Except that each time I log on Windows tries to load the file dwm.exe but can’t (cos I’ve denied it)………..(an error crops up to this effect) this is a change that I think the virus has made to try to run it when you log on……………..I can’t stop that error but at least my computer works as normal and no infections have been found since.

  28. flienswereld says:

    Will this virus infect Mac OS computers? Or just windows computers? My boyfriend fell for this and opened the attachment.

  29. Graham says:

    I recently opened an e-mail from supposedly DHL and was then aware it was a virus. I immediately closed the system down and completely restored the laptop to its original manufacturer’s settings using system restore. I then scanned restored system with AVG’s free software and it said no threats were found. Could anyone please confirm if this will have removed any threat from the e-mail? Thanks!!

  30. Dies Irae says:

    Fortunately this seems to have reached the point where the virus is still destructive, but the emails are coming from people with lesser writing skills. Got one today from “DHL express” which had a copyright notice on the bottom attributing the message to United Parcel Service. Glad to know competitors are now getting together to send out viruses.

  31. Ruby Alexa says:

    I’ve got this e-mail directly to my spam! But Norton antivirus scanned there’s no virus included. And I wait for my package, so I opened the attachment (zip) and suddenly my laptop became black and BLANK!!! Arrrgghhh

    • Alyce says:

      The same thing happened to me. I had just ordered an item from eBay and when I saw the email I thought it was pertaining to my order and as soon as I opened it I knew I screwed up. I managed to start my “SuperAntiSpyware” scan and about 20 minutes into it the screen went black and Windows shut down and restarted itself!! I had to start the scan all over and I keep getting pop-ups saying my RAM is extremely high or something. I just hope I can recover my files and pictures but I have a feeling I lost everything since when I click on “Programs” it is empty and all icons are gone. :(

  32. Stephen Tyler says:

    I too have received emails claiming to be from DHL courier services claiming that I should expect a delivery in a few days and that the delivery details are in an attached folder. It is true that the attached file contains a virus. To what extent of damage will it cause, I don’t know. To defend against this attack, I use Panda Safe Security. If you think you have been infected, you can download the Microsoft Safety Scanner and/or the Malicious Software Removal Tool by Microsoft. They have worked for me in the past. Best of Luck to all.

  33. Stephen Tyler says:

    Best advice is to boot into safe mode and run your virus and spyware scanner from there. Most of the time when your system shuts down it will come back up going directly into your Windows program and if it does, just turn off your computer at the power button, wait about 30 seconds, then turn the power back on. It then should tell you that Windows was not shut down properly and give you the option of starting Windows normally or in safe mode. Select safe mode, wait for it to load, then run your scans.

  34. julie says:

    Received that same e-mail today on my Yahoo e-mail. I opened the e-mail, saw an attachment and deleted it all immediately. Just deleted all my cookies and such & now running a full Norton Internet Securities virus scan. Is this e-mail virus based on opening the e-mail or downloading the zip attachment? Please, any feedback is helpful. Thank you!

  35. John says:

    I can’t believe anyone would fall for this. The quality of English in the message is so bad it can’t possibly have come from any genuine business.

    Dear Customer!

    Your package has been returned to the DHL office.
    The reason of the return is – Incorrect delivery address of the package!
    Attached to the letter mailing label contains the details of the package delivery.
    You have to print mailing label, and come in the DHL office in order to receive the packages.

    Thank you,
    DHL International

  36. Funso says:

    People… I just got hit ……
    All my office documents on this PC with no single backup……

    This isn’t fair…..

    • Robincon says:

      This happened to me. The files and folders were not really deleted but just hidden instead (by the virus). Check properties on the seemingly empty folder and check if it occupies significant disk space. If it does, those are your files, just hidden. Google how to unhide files hidden by virus.

  37. Hypermiling says:

    I too had this – used Malware Bytes & ComboFix. Now sorted.

  38. Elaine says:

    I too got an email, slight variation as it says it has sent me a tracking number to use,
    “”\”DHL Tracking Services\” <customer.service" <"DHL Tracking Services"
    is the email details
    Luckily I had already had three similar emails which landed in spam so deleted this one too. I do get parcels from USA via DHL so could have been duped. Now I just google everything before I open any attachment. Is there a third party system anywhere you can use to accept attachments?
    Cheers for everyone’s emails. Commiserations to all the unlucky ones out there.

  39. Elaine says:

    By the way – ALWAYS back up somewhere. External hard drives are so cheap now. Companies (and individuals if you need to) can try one of the Iron Mountain type companies. Your computer backs up everything every night so you lose very little.
    If you are a business or can stand the pain, there are companies out there who can try and retrieve stuff for you. I used one in London when my external hard drive got accidentally formatted (is nothing safe!) and for £300+ they got as near as dammit everything back – photos etc. Don’t accept the word of a local ‘computer expert company’ that says nothing can be done – these big professional companies can do wonders (at a price of course)
    best of luck out there

  40. dhl_shipping_notification-internationalIDEPLLMTM.zip attacted
    Hello Dear,
    DHL Express Tracking Notification: Mon, 29 Jan 2012 11:38:52 +0900
    ________________________________________
    Custom Reference: 895-B906GDF2YUP1
    Tracking Number: ESVCTH-79631
    Pickup Date: Mon, 29 Jan 2012 11:38:52 +0900
    Service: GROUND
    Pieces: 1
    ________________________________________

    Mon, 29 Jan 2012 11:38:52 +0900 – Processing complete
    PLEASE REFER TO ATTACHED FILE FOR DETAILED INFORMATION.
    Viurs in

  41. Neek says:

    Hi, my dad downloaded the DHL “lost package” zip file and tried to open, it totally gave a Trojan Horse, deleted everything from home screen and program files, and kept getting error “card deck style” messages, I found your blog fix, and used a jump drive to save, then opened/downloaded in safe mode on this computer, now it works, however everything is gone, all files, there is nothing but the PandaCloud file, so I went back to F8, and clicked on last known config operating normally, and only my docs, my network, and IE shortcuts appeared, with no program files. IS THERE ANY WAY TO GET BACK ALL OF THE LOST FILES? I would appreciate any help, and no I did not back up anything before the anti-virus steps were downloaded. Thank you very much!!

  42. jackie sneed says:

    PLEASE LEAVE PACKAGE #7958122163 EVEN IF NOBODIES HOME DURING THE TIME THE PACKAGE IS DELIVERED. THANK YOU HAVE A BLESSED DAY.
