DHL tracking emails are back with new trojan variants
August 13, 2010 3 Comments
For a few days now, MX Lab has been intercepting a new trojan variant in emails concerning a DHL delivery. The email comes from the spoofed address DHL Parcel Support <help.id990@dhl.com>.
Common subjects are:
DHL Delivery. Please get your parcel NR7883
DHL Delivery. Get your parcel NR7308
DHL Delivery. Get your parcel ID0290
DHL Delivery Service. Error in delivery address
DHL International. Your Parcel Number 0066
DHL Services. Get your parcel ID212
DHL Servise. Parcel number 3005
….
The body of the email:
Dear customer.
We were not able to deliver your package to your address!
Reason: "incorrect address"
Please pick up your package in local DHL office.
Scheduled Delivery: 21-August-2010
Attention!
The post label is attached to this e-mail.
We kindly ask you to print it and take it to the post office to pick up the package.
Thank you!
The trojan is known as TROJ_OFICLA.AMG (TrendMicro), Trojan:Win32/Oficla.V (Microsoft), W32/Trojan3.BXP (F-Prot), Mal/EncPk-AX (Sophos), Trojan.Oficla.AC (BitDefender).
The attached ZIP file is approximately 44 kB and is named in the format Print_label_ID347a.zip. Once extracted, the archive yields an .exe file.
VirusTotal permalink and MD5: 5d16e73e05c8e03325e6971781b0af78.
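The indicators above (a subject starting with "DHL" and mentioning a parcel or delivery, a From address claiming @dhl.com while no Received hop names a DHL server, a Print_label_ID*.zip attachment carrying an executable, and the published MD5) can be turned into a small triage script. The following is an added example, not MX Lab's own tooling: it builds a constructed look-alike of the campaign email with a harmless placeholder inside the ZIP, parses it with Python's standard email library and reports which indicators fire. The size cap on inflated ZIP members and the list of executable extensions are assumptions for the example, and the "no dhl.com relay in the Received chain" test is a heuristic, not a substitute for SPF/DKIM checks on the receiving MX.

```python
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# MD5 of the executable from the real campaign, as given in the post.
KNOWN_MD5 = "5d16e73e05c8e03325e6971781b0af78"

# Campaign subjects all start with "DHL" and mention a parcel or delivery.
SUBJECT_RE = re.compile(r"^DHL\b.*\b(parcel|delivery)\b", re.I)

# Attachment naming pattern seen in the campaign, e.g. Print_label_ID347a.zip.
ZIP_NAME_RE = re.compile(r"^Print_label_ID\d+[a-z]?\.zip$", re.I)

# Member extensions Windows will execute on double-click (assumed list).
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

# Do not inflate members larger than this; crude zip-bomb guard (assumed cap).
MAX_MEMBER_SIZE = 5 * 1024 * 1024


def subject_matches(subject):
    """True when the subject follows the campaign's "DHL ... parcel/delivery" pattern."""
    return bool(subject and SUBJECT_RE.search(subject))


def sender_is_spoofed_dhl(msg):
    """True when From claims dhl.com but no Received hop mentions a dhl.com host.

    A genuine DHL mail passes through DHL infrastructure, so at least one
    Received header names a dhl.com server. Heuristic only: SPF/DKIM
    verification at the receiving MX is the authoritative check.
    """
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain != "dhl.com":
        return False
    hops = msg.get_all("Received") or []
    return not any("dhl.com" in hop.lower() for hop in hops)


def executables_in_zip_attachments(msg):
    """Return (zip_name, member_name, md5) for each executable inside
    campaign-style ZIP attachments. Corrupt or oversized entries get md5=None."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not ZIP_NAME_RE.match(name):
            continue
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.filename.lower().endswith(EXEC_EXTS):
                        continue
                    if info.file_size > MAX_MEMBER_SIZE:
                        found.append((name, info.filename, None))
                        continue
                    found.append((name, info.filename,
                                  hashlib.md5(zf.read(info)).hexdigest()))
        except zipfile.BadZipFile:
            found.append((name, "<corrupt zip>", None))
    return found


def triage(raw):
    """Parse a raw RFC 5322 message (bytes) and evaluate the campaign indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    execs = executables_in_zip_attachments(msg)
    return {
        "subject_match": subject_matches(msg.get("Subject")),
        "spoofed_sender": sender_is_spoofed_dhl(msg),
        "executables": execs,
        "known_sample": any(d == KNOWN_MD5 for _, _, d in execs),
    }


def build_sample_message():
    """Constructed look-alike of the campaign email. The ZIP member is a
    harmless placeholder, not the trojan, so its MD5 will not equal KNOWN_MD5."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Print_label_ID347a.exe", b"MZ placeholder, not a real binary")
    msg = EmailMessage()
    # Two constructed hops; the mail never touches a dhl.com server.
    msg["Received"] = ("from mail.example.net (mail.example.net [192.0.2.10]) "
                       "by mx.example.com with ESMTP; Fri, 13 Aug 2010 10:00:00 +0000")
    msg["Received"] = ("from [198.51.100.25] (unknown [198.51.100.25]) "
                       "by mail.example.net with SMTP; Fri, 13 Aug 2010 09:59:00 +0000")
    msg["From"] = "DHL Parcel Support <help.id990@dhl.com>"
    msg["To"] = "customer@example.com"
    msg["Subject"] = "DHL Delivery. Please get your parcel NR7883"
    msg.set_content("Dear customer.\nWe were not able to deliver your package "
                    "to your address!\nThe post label is attached to this e-mail.\n")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Print_label_ID347a.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_message()))
```

Running the script prints the triage result for the constructed sample: the subject and spoofed-sender indicators fire and the executable inside the ZIP is listed with its hash, while known_sample stays False because the placeholder is not the real binary. Feed triage() the raw bytes of an intercepted message to apply the same checks to live mail.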

Are they using different variants of the address, so help.id990@dhl.com could be help.centre@dhl.com?
We can only investigate the emails we intercept for our clients, and from time to time we notice some differences in spam campaigns or virus distribution campaigns by email. So it is possible that the email address is changing; however, I can't confirm it. You can, however, verify the email headers as well and check the sending and relaying email servers. If the message originates from DHL, the headers will clearly point to a DHL mail server. If this is not the case, handle the message as suspicious.
I just got one; the From address was different, it is "usps.no8264@dhl.com".
I was also wondering (not that I'm going to do it), but what would happen if I did download the attachment???