Emails from USPS with subject Your Postal Package N*** contains a trojan


MX Lab intercepts a new virus campaign regarding an undelivered package, sent from a spoofed United States Postal Service (USPS) email address. In our case it was sent from Augustine Mcclain <Augustine _Mcclain@usps.com>. The subject is “Your Postal Package N6730622”; the number varies from message to message.

The setup is the same as in the earlier virus campaigns in which spoofed UPS, DHL or FedEx email addresses were used.

The body of the email:

Good day,
Unfortunately, we could not deliver postal package sent 01 April,
As the recipient’s address does not exist.
Please, print out the bill of lading that is in the attached document, and collect your parcel in our office at the address indicated in the bill of lading.
Best regards,
Augustine Mcclain

Attached to the message is the ZIP archive Postal_p_N2355224.zip; once extracted it contains the 40 kB file postal_p_N2355224.doc.exe. The double extension is meant to pass the executable off as a Word document: on a Windows installation that hides known file extensions the name is displayed as postal_p_N2355224.doc, and the file still runs as an .exe when double-clicked.
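As an added example (not part of the original MX Lab write-up), the following Python script triages a message of this kind offline: it parses a raw RFC 5322 email with the standard library, flags a non-passing SPF result and an SMTP HELO that claims the spoofed sender domain, and inspects any ZIP attachment in memory to report double-extension executables and their MD5 without ever writing the payload to disk. The sample message, the mail server name mx.example.com and the connecting address 203.0.113.5 are constructed for the demonstration; the ZIP member is a harmless stand-in for the real trojan and only reuses the file names from the campaign.

```python
import email
import hashlib
import io
import pathlib
import re
import zipfile
from email import policy, utils
from email.message import EmailMessage

# Extensions Windows executes on double-click; a document name followed by one
# of these (".doc.exe") is the classic double-extension lure.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def build_sample_eml() -> bytes:
    """Constructed sample modelled on the campaign: spoofed usps.com sender,
    SPF softfail, HELO usps.com from an unrelated host, ZIP wrapping a .doc.exe.
    The inner file is a harmless stand-in, not the real trojan."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("postal_p_N2355224.doc.exe", b"MZ constructed stand-in, not a PE")
    msg = EmailMessage()
    msg["From"] = "Augustine Mcclain <Augustine_Mcclain@usps.com>"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Your Postal Package N6730622"
    msg["Received"] = ("from 127.0.0.1 (HELO usps.com) (203.0.113.5) "
                       "by mx.example.com with SMTP; Tue, 05 Oct 2010 10:09:31 -0700")
    msg["Received-SPF"] = ("softfail (mx.example.com: domain of transitioning usps.com "
                           "does not designate 203.0.113.5 as permitted sender)")
    msg.set_content("Good day,\nUnfortunately, we could not deliver postal package "
                    "sent 01 April, as the recipient's address does not exist.\n")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="Postal_p_N2355224.zip")
    return msg.as_bytes()


def inspect_zip(data: bytes) -> list:
    """List ZIP members (name, size, MD5, extension flags) without extracting to disk."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            suffixes = [s.lower() for s in pathlib.PurePosixPath(info.filename).suffixes]
            is_exe = bool(suffixes) and suffixes[-1] in EXECUTABLE_EXTS
            members.append({
                "name": info.filename,
                "size": info.file_size,
                "md5": hashlib.md5(zf.read(info)).hexdigest(),
                "executable": is_exe,
                "double_extension": is_exe and len(suffixes) >= 2,
            })
    return members


def triage(raw: bytes) -> dict:
    """Header and attachment findings for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_domain = utils.parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    spf = str(msg.get("Received-SPF", ""))
    spf_result = spf.split()[0].lower() if spf else "none"
    if spf_result != "pass":
        findings.append(f"SPF {spf_result} for claimed sender domain {from_domain}")

    # HELO that names the spoofed domain while SPF says the host is not authorised.
    helo = re.search(r"\(HELO\s+([^\s)]+)\)", str(msg.get("Received", "")))
    if helo and helo.group(1).lower() == from_domain and spf_result != "pass":
        findings.append(f"HELO claims {from_domain} but the domain does not authorise the host")

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True)
        entry = {"name": name, "md5": hashlib.md5(data).hexdigest(), "members": []}
        if name.lower().endswith(".zip"):
            entry["members"] = inspect_zip(data)
            for m in entry["members"]:
                if m["double_extension"]:
                    findings.append(f"double-extension executable in {name}: {m['name']}")
                elif m["executable"]:
                    findings.append(f"executable in {name}: {m['name']}")
        attachments.append(entry)

    return {"from_domain": from_domain, "spf": spf_result, "attachments": attachments,
            "findings": findings, "verdict": "suspicious" if findings else "no findings"}


if __name__ == "__main__":
    for line in triage(build_sample_eml())["findings"]:
        print(line)
```

The attachment's MD5 is what you compare against the hash published in a write-up like this one (or submit to VirusTotal); the SPF and HELO checks are only as good as the receiving MTA's headers, so run this on mail you received yourself rather than on a forwarded copy, whose Received chain belongs to a different hop.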

The trojan is detected as Trojan:Win32/Oficla.M (Microsoft) or Trojan.Sasfis (Kaspersky).

The following files will be created:

%Temp%\1.tmp
%System%\thxr.wgo
%Temp%\2.tmp

The registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid is created.
The registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon is modified; values under that key (such as Shell and Userinit) decide what is started at logon, which is why it is a common place for a trojan to persist across reboots.

The trojan can establish a remote connection to 174.120.228.122 and 193.105.174.108 on port 80 and retrieves data from:

* hxxp://www.brightspottech.com/loader_40.exe
* hxxp://hulejsoops.ru/images/bb.php?v=200&id=432227885&b=build001&tm=2
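Added example, not from the original write-up: the hosts, paths and IP addresses above turned into a small detection pass over proxy logs. It matches on host plus path rather than the full URL, because the bb.php query string carries a per-bot id and build tag that will differ on every infected machine, and it keeps the plain ".exe download" signal separate from a real indicator hit so that only clients that touched the payload or check-in hosts are reported for isolation. The Squid-style access.log lines and the client addresses 10.0.0.x are constructed for the demonstration.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Network indicators from the write-up. The "hxxp" defanging is reversed so the
# values can be compared with real proxy log entries.
IOC_URLS = [
    "hxxp://www.brightspottech.com/loader_40.exe",
    "hxxp://hulejsoops.ru/images/bb.php?v=200&id=432227885&b=build001&tm=2",
]
IOC_IPS = {"174.120.228.122", "193.105.174.108"}


def refang(url: str) -> str:
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")


# Host + path only: the bb.php query string carries a per-bot id, so an exact
# URL match would miss every other infected machine.
IOC_HOST_PATHS = {(urlsplit(refang(u)).hostname, urlsplit(refang(u)).path) for u in IOC_URLS}
IOC_HOSTS = {host for host, _ in IOC_HOST_PATHS}

# Squid native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)"
)

# Constructed sample lines: one client fetches the loader and checks in with
# bb.php, one browses normally, one downloads an unrelated .exe.
SAMPLE_LOG = """\
1270112345.123    312 10.0.0.15 TCP_MISS/200 40960 GET http://www.brightspottech.com/loader_40.exe - DIRECT/174.120.228.122 application/octet-stream
1270112350.456     88 10.0.0.15 TCP_MISS/200 512 GET http://hulejsoops.ru/images/bb.php?v=200&id=987654321&b=build001&tm=2 - DIRECT/193.105.174.108 text/html
1270112360.789    120 10.0.0.22 TCP_HIT/200 15320 GET http://www.example.com/index.html - NONE/- text/html
1270112370.000    200 10.0.0.31 TCP_MISS/200 20480 GET http://downloads.example.org/tool.exe - DIRECT/198.51.100.7 application/octet-stream
"""


def match_line(line: str) -> Optional[dict]:
    """Return a hit record for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    host, path = (parts.hostname or "").lower(), parts.path
    reasons = []
    if (host, path) in IOC_HOST_PATHS:
        reasons.append("ioc-url")
    elif host in IOC_HOSTS:
        reasons.append("ioc-host")
    if host in IOC_IPS or m["peer"] in IOC_IPS:
        reasons.append("ioc-ip")
    if path.lower().endswith(".exe"):
        reasons.append("exe-download")  # weak signal on its own
    if not reasons:
        return None
    return {"ts": m["ts"], "client": m["client"], "url": m["url"], "reasons": reasons}


def scan(log_text: str) -> list:
    return [hit for hit in map(match_line, log_text.splitlines()) if hit]


def infected_clients(hits: list) -> set:
    """Clients that touched a known payload or check-in indicator, not just any .exe."""
    return {h["client"] for h in hits if any(r.startswith("ioc-") for r in h["reasons"])}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h["client"], ",".join(h["reasons"]), h["url"])
    print("hosts to isolate:", sorted(infected_clients(hits)))
```

Run it against the real access.log instead of SAMPLE_LOG once the indicator lists are loaded from wherever you keep them; the peer-IP check also catches the case where the loader is later served from a different host name on the same address.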

At the time of writing only 4 of the 40 AV engines at VirusTotal detected the trojan, so be careful when this message turns up in your mailbox: an up-to-date antivirus is no guarantee here.

VirusTotal permalink and MD5: e7316a1faeb6507f5684d76c189768ea.

35 Responses to Emails from USPS with subject Your Postal Package N*** contains a trojan

  1. Pingback: Emails from USPS with subject Your Postal Package N*** contains a trojan | Computer Security Articles

  2. harman says:

    I got the same email today; I post this mail header so someone can find the source and get that guy who sent me this infected email.
    I killed that virus completely with my programming skill.
    Mail header:
    USPS Delivery Problem NR62906208
    Tuesday, October 5, 2010 10:39 PM
    From United States Postal Tue Oct 5 17:09:12 2010
    X-Apparently-To: harman_hj@yahoo.com via 67.195.8.133; Tue, 05 Oct 2010 10:09:33 -0700
    Return-Path:
    X-YahooFilteredBulk: 173.21.85.213
    Received-SPF: softfail (mta1277.mail.ac4.yahoo.com: domain of transitioning contact@usps.com does not designate 173.21.85.213 as permitted sender)
    X-YMailISG: zfLlbIwcZArD0Qh4L0jDHvGBAI_mFqc3goZPbk.DGDGKdIhM .OO0taNZWptYwAz0SAkiiLzbXplW0RNt11Y.XyMeR4rVHSmg8j1ESgtEXhps DO.XsVArRBq4BRjrbMf4V68_hpjMUSn23kkafqknOvrbBMlOCfW0beYoz0tO 4Bq3XXdtzXT0POIiiYZCs0.pF_b_rg2SrDAvJ.pLqWbVuFci27SVZnDFX7FK .RcoMZ5OD_G4iaTz.3wkLGZInFLufZq66ADGWHq_nu1eabH4Iz9Erf8Vjfh8 5h0A9.YZEpnkXRcVz0BRunP4C7.nLVbFC_uEypXwbcUVO2Us_N1_bpY4lI4R wrqsKXKK0CRi1IB.kX7lMYDV9izhSbLv.646OxKdWwJbWuM9bI58yeIzojpZ xTbYywreHp_ChlIPZtea8qedJZvVNYR9OBEhztQM3sHySgd0QC7YVEyRmlZS o0YGxXzN5xcuBtG4FcLEAIXTgkEc4.Raq8UeVXBOnP72XosX29YZVK3xvA–
    X-Originating-IP: [173.21.85.213]
    Authentication-Results: mta1277.mail.ac4.yahoo.com from=usps.com; domainkeys=neutral (no sig); from=usps.com; dkim=neutral (no sig)
    Received: from 127.0.0.1 (HELO usps.com) (173.21.85.213) by mta1277.mail.ac4.yahoo.com with SMTP; Tue, 05 Oct 2010 10:09:31 -0700
    Message-ID:
    From: “United States Postal”
    To:
    Bcc: , ,
    Subject: USPS Delivery Problem NR62906208
    Date: Tue, 05 Oct 2010 13:09:12 -0400
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary=”—-=_NextPart_000_000D_01CB648E.80FC40A0″
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.2180
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
    Content-Length: 72617

    • stanley says:

      SERVICES PRINT USPS LABELS

      I print labels very quickly and cheap.
      USPS express labels
      Express Label : 1.2$
      Priority Mail : 0.9$
      send funds to : U5190475
      I’ll reduce if large amounts

      Pls contact me:
      Email :stanleyjensen12@gmail.com Yahoo ID : stanleyjensen12

  3. Dominic says:

    How stupid do I feel. I opened the attachment. However, I did scan it first and AVG did not detect a virus (I had just updated). On the plus side execution was stopped and the virus removed. On the down side once my system restarted all I see is a black screen with a “Computer” window i.e. I can see all the files on my drives, control panel, desktop etc, but I have no Start button or task bar.

    How do I restore the Windows (Vista) GUI?

    • Nathan says:

      You’re probably in “Safe Mode” which turns your screen back into a command user based interface instead of a graphics user based interface.

      When I restart my computer, it gives me the option of using either “Safe Mode” or something like “Start Windows Normally.” You want to click that.

      All this is assuming the virus hasn’t already corrupted your system and won’t allow you to go back. If that is the case, find someone with intense computer knowledge or hire someone from “Geek Squad” to help you.

      Hope this helps…

  4. Jen says:

    I received the following email in my spam box and didn’t open the attachment. I’m posting the contents here for others. Whenever I’ve had a package that the US Postal Service has been unable to deliver, my mail carrier leaves the standard note filled out and issued by the USPS in my mailbox or on my door. It seemed unlikely that they would 1. have my email address and 2. send such a ubiquitous email. Also, the paragraph of complete nonsense was attached to the end of the email. Weird.

    You need to get a parcel number 47244
    From: United States Postal
    UPS_label_ID1373.zip (26KB)
    ——————————————————————————–
    Good day.

    Your parcel has arrived at the post office on October 12.
    Our Driver was unable to deliver the parcel to your address.
    To receive a parcel you must go to the nearest UPS office and show your mailing label.
    You need to print mailing label, and show it in UPS office to receive the parcel.

    Thank you.
    UPS Services.

    In its arrangements may a lions share Of grateful thanks be given to our mayor, To whose untiring enterprise is due, The grand result which we now proudly view. What rich displays of scientific art, Applied to manufactures, form a part Of its instruction, and what mines of wealth Have they not sprung to minister to health. What triumphs of constructive power are here, What force in those huge engines doth appear, Which leagued with steam are conquering time and space And quickening intellect to giants pace. And see, yon granite structure towering high, As if earths wildest tempest to defy, Lighthouse of Eddystone, reared at Lands End, To storm-tossed mariners an angel friend! And fitting offspring of this noble tower, To shipwrecked mariners a priceless dower, Are those blest life-boats merciful to save Full many a sufferer from a watery grave. Yonder the graceful trophy, typical Of our fair Citys commerce, trade and skill, A not unworthy tribute to form part Of the worlds storehouse of constructive art.

  5. t says:

    Trojan remover.

    It is a trojan, so AVG doesn’t detect it.

  6. Edd says:

    Hi everybody, I received this letter in my spam mails today in the morning, with something like you describe here in this topic, and it had a file named Post_Express_Label_IVN78644.zip. Of course I didn’t open it; I am sure it is a virus or malware. Inside the compressed file is an executable named Post Express Label.exe. Please be careful with this kind of spam mail.
    The sender address is:
    Post Express (postmail-uin5862@tulsa.com)

    ——————————————————————————————————
    Dear client.

    Email notification ID 50209723

    Your package has been returned to the Post Express office.

    The reason of the return is “Incorrect delivery address of the package”

    Important message!
    Attached to the letter mailing label contains the details of the package delivery.
    You have to print mailing label, and come in the Post Express office in order to receive the packages.

    Thank you for your attention.
    Post Express Support

    • Bonnie says:

      I got almost an identical one to this, just from a different e-mail address. I’m glad I searched for it. I actually got it twice today.

  7. Mary Kremer says:

    My son got 2 emails from USPS saying your package will be delivered in 2-3 days. It had an attachment in the form of a zip file, saying it was the tracking information. I tried to download it; all my downloads are scanned for viruses before being downloaded. Here it was a virus. Anytime I had a package coming from anywhere and I signed up for tracking info through email, the tracking number would always appear in the email as a link that you could click on, and it would take you right to USPS and give you all the tracking info.

  8. DJ says:

    Dear Customer

    Your package has been returned to the Post Express office.
    The reason of the return is “Incorrect delivery address of the package”
    More information and the tracking number are attached in document below.

    Thank you for your attention.
    USPS Priority Mail.

    USPS Priority Mail is the one I had got today

    • Danielle says:

      I got this same exact message and I had just shipped a couple of packages a few days before. How do I get rid of this virus now?

      • Edd says:

        Hi, I am so sorry about your infection. All you can do is install Malwarebytes or AVG; both are antivirus and spyware removal tools that you can use for free, and they are good tools to disinfect any laptop or PC. Try it, I hope that can help you!!

  9. Jason says:

    I got it yesterday and opened the attachment. Everything was removed from the computer except that the c drive still has the memory remaining. But I can’t find anything. Also the hard disk is screwed.

  10. J.E. says:

    Got this email twice today. With two different tracking numbers. I did click the tracking link, but it said there was no tracking info. I’m on a Mac, so hopefully no virus.

  11. aaron says:

    Somebody needs to start killing these people and their families.

  12. Stephen DeLuca says:

    I got this today. I feel so stupid I opened it, realizing one click too late that of course the post office would never send me an e-mail. They leave a message on the door. Too late. Not sure what has happened. I think it is the directory, and not the files. I have two icons left (Excel and Word) and when they open I can find programs. But they don’t stay open long, and the computer reboots. When I go to the programs, all the folders are listed as empty. Any advice on fixing? I am going to take the computer in to the shop tomorrow.

    • mark says:

      Just reload your operating system. Very easy, but all data will be erased; you just start a fresh install.

  13. meagan says:

    I also realized one click too late that this was a Trojan. I downloaded it, but did not open it. I then deleted it instantly. Am I okay, or should I take my computer into the shop?

    • mark says:

      Just reload your operating system. Very easy, but all data will be erased; you just start a fresh install. If you did not open the attachment you are OK.

  14. michael says:

    Got it today. Did not open, as 1) the post office does not send emails, but leaves a notice in the mail box, and 2) the phrase “Your parcel has arrived at the post office on November 6″ is awkward syntax and not something the USPS would say, and 3) the email purported to be from USA Postal Service, which is not correct; it is US Postal Service. I get enough emails like this for the red flags to tell me that it was not legitimate. It was in my spam folder, so my email knows, too. Sorry about those of you who did open and now are having trouble. My only advice is that in the future read the message very carefully and decide if it really sounds like something that would come from the supposed sender. These malicious emails often originate in other countries and the syntax is not quite right. That is usually the first sign of a fake.

    • Gus says:

      The post office will email notifications, if requested. Btw, I received the bogus email, downloaded the attachment and attempted to unzip it. Fortunately, for me, Norton quarantined and removed the file: post_label.exe.

  15. Dave says:

    Like others said, I, too, opened it. My computer even asked if I wanted this supposed document to open my firewall. And stupid me said yes and then I realized what I had done. Microsoft Security Essentials didn’t find it, but super antispyware did find it. One part was in registry and the other part was in files. Sure hope it got rid of it all.

  16. M and R Lang says:

    We also opened it … came a week or so ago. Thinking it was from the U.S. Postal Service (USPS was in the header), we clicked on the link and the computer went crazy. Long story short, everything on the computer has been wiped clean. DO NOT OPEN ANY MESSAGES THAT SAY USPS Package Delivery Notification!!!!!!

  17. An Brown says:

    Today I received an email from USPS re: a package with a parcel number that I was to pick up, I guess. The email immediately caused me to distrust it. USPS has never emailed me for any reason, especially for a package in my name that I needed to pick up. Immediately I erased the email and then Googled this subject to see if there were others who have received the same. So glad I did not open the email. My instincts were accurate!!!!! An883

  18. Richard Middleton says:

    In my case the purported sender was “your-support@usps.com”. This was so obviously bogus (that’s not how USPS notifies one of problems) that I simply deleted the message immediately. Thank you everybody for your posts on this malware.

  19. Charlene Wolters says:

    Here’s another one that came in my SPAM. From: USPS Post Office <item.989@usps, and at the top the attention getter is "USPS service N2002".

    Says: "Dear customer the parcel was sent to your home address and it will arrive within 7 business days for more information and the tracking number please download shipping label" and then there is the link to click on for the label.
    Now here is something weird. Has anyone ever highlighted this? There is hidden text, so unless you highlight this spam you don't see it. Here's a few lines from it.
    "8 For, to the servants of God, there is but one repentance; and for this cause a man that putteth away his wife ought not to take another. . .
    This latter he did, not only by bringing forward a vera causa in the survival of the fittest under changing circumastances–about which the question among naturalists mainly is how much it would explain, some allowing . . . "

    As you can see it just rambles on. I knew something was up because I didn't order anything; but I was curious about the "within 7 days" thing, so I wanted to hold onto this and see if someone "might have sent me something". But now, seeing this, I will delete it.

  20. Hendi says:

    I just received this kind of email too. I thought it was real because coincidentally I am joining a giveaway contest that uses a USPS delivery. How stupid I am :/

    sorry for my bad english anyway…

    • Edd says:

      Hello Hendi, you are not stupid, only a victim of a threat. In the future be more careful when you open rare files or messages from USPS; they generally don’t send emails, only if you request services from them. Now use an antivirus and scan your whole PC/laptop; if you are a Mac user don’t worry about it : )
      Regards Edd

  21. Edd says:

    You are welcome Hendi

  22. Em says:

    Another round of these emails are circulating. I didn’t notice if there was an attachment since it was in my spam folder which suppresses attachments until I certify the sender, but the message said it was the USPS and came from the email address: no_reply-MC@durham.com.

    Stay computer safe.

  23. Marilyn Macdonald says:

    I too opened the email and the attachment. I feel stupid, I should have known better. Anyway, my computer seems to work just fine except when I turn on my wireless and begin to surf the web; then my computer just freezes up. I can’t even turn off the wireless. So I have to do a hard shutdown. Before I turn the computer back on I switch off the wireless by the side button on my laptop. When I turn the computer back on it runs fine, until I turn the wireless on. You get the picture. This problem does not sound like any of the others I’ve read on this site. I’m told that it will cost me 200 dollars to fix. Is that reasonable? The next question I have: I backed up the computer on an external hard drive, not realizing this could be a virus. Do you think the virus is on my hard drive now, and if so, can I just delete the files that were backed up to get rid of it?

  24. Rommy says:

    I can’t believe I fell for it! I’m on a Mac. I was really suspicious when I got the first one a few days ago and deleted it. Today, I am tired and not thinking clearly, and I clicked the PDF link. YIKES. I didn’t open it and deleted it from my downloads.

    I have read all the comments and see that as of Sept ’12 Macs had nothing to worry about.

    My question is, today, Feb 13, 2013, are Macs affected by the Trojan/virus?

    Thanks!

    • Edd says:

      Hello Rommy, many users like me have had that email after paying online at USPS. About your question: you don’t have to worry about it; viruses affecting the Windows operating system cannot damage Mac OS X, because the files in those suspicious emails are .exe, executable files that work on the Windows operating system, not on OS X, so you are safe, but if you still have those files just delete them. It’s rare to see a virus affecting Mac OS X, but yes, it is possible to have a trojan/virus; they come as different kinds of executable files instead of .exe files. You know you are infected by a virus when your laptop/desktop begins to act completely weird: web pages opening by themselves, the operating system turning slow, no connectivity to the internet when everything is OK with your modem/router, weird shortcuts suddenly appearing on your desktop, you delete files and then they come back again, etc. Mac OS X uses .app as an executable, for example; keep away from any suspicious email attachment that comes with the .app extension. There are other extensions that work on the OS X operating system.
      regards Edd
