“DHL Express Services” – another trojan in the wild


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “DHL Express Services”.

The email is sent from the spoofed sender “DHL Global” using the following addresses:

supportmop@dhl.com
supportmop1@dhl.com

Based on the previous campaigns, we expect more spoofed addresses to appear in the same format as these examples, with a number inserted before the @-sign.

The message has the following body:

Dear customer.

The parcel was sent your home address.
And it will arrive within 3 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 DHL Express Services, Inc.

The attached ZIP file is named dhl.zip and contains the 20 kB file dhl.exe.

The trojan is known as Gen:Variant.Kazy.17907 (Bitdefender), Backdoor:Win32/Hostil.gen!A (Microsoft) or Trj/Sasfis.A (Panda).

The following files will be created:

%CommonAppData%\lpd2lf503886
%AppData%\lpd2lf503886
%Temp%\lpd2lf503886
%Templates%\lpd2lf503886
%AppData%\fip.exe

A new process is created:

fip.exe -> %AppData%\fip.exe

Several Windows registry changes will be executed, and the trojan can establish a connection to the following IPs on port 80:

216.155.130.214
46.161.20.66

Data can be obtained from the following URLs:

  • hxxp://tazejutyhyfu.com/1017000312
  • hxxp://puskovayaustanovka.ru/pusk2.exe

At the time of writing, only 4 of the 43 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: 87d778169ae14d934b92ce628b5cfde4.

Analysis of the file pusk.exe:

The trojan is known as Gen: Mal/Behav-321 (Sophos), TrojanDropper.Mudrop.ozh (VBA32) or FraudTool.Win32.FakeRean.b (v) (VIPRE).

This malware will create the files:

%CommonAppData%\lpd2lf503886
%AppData%\lpd2lf503886
%Temp%\lpd2lf503886
%Templates%\lpd2lf503886

A new process will be created:

jfe.exe -> %AppData%\jfe.exe

It will modify the Windows registry, and the trojan can establish a connection to 216.155.130.214 on port 80.

It will request data from hxxp://tazejutyhyfu.com/1017000312.

At the time of writing, only 4 of the 43 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: 2ac3a5bb8e7eb81cb306f869207eb69b.
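The write-up lists indicators at three levels: the mail itself (sender pattern, subject, dhl.zip with an .exe inside), the files and processes dropped on the host, and the IPs and URLs contacted. The script below is an added example, not MX Lab's code, that turns both samples' indicators into checks a defender can run over mail metadata, file-creation events and proxy logs. The indicator values are copied from the post; the on-disk expansions of %AppData%, %CommonAppData%, %Temp% and %Templates% are an assumption (Vista-and-later folder layout), and every mail field, ZIP and log line is constructed for the demo.

```python
"""Indicator matching for the "DHL Express Services" campaign described above.

Added example, not MX Lab's code. Sender pattern, subject, attachment name,
dropped files, C2 IPs, download hosts and MD5s are copied from the write-up;
the %Var% folder expansions are an assumption (Vista+ layout), and every mail
field, ZIP and log line below is constructed for the demo.
"""
import hashlib
import io
import re
import zipfile

# --- indicators from the write-up ---------------------------------------
SENDER_RE = re.compile(r"^supportmop\d*@dhl\.com$", re.IGNORECASE)  # supportmop@, supportmop1@, ...
SUBJECT = "DHL Express Services"
ATTACHMENT_NAME = "dhl.zip"
KNOWN_MD5S = {"87d778169ae14d934b92ce628b5cfde4",   # dhl.exe
              "2ac3a5bb8e7eb81cb306f869207eb69b"}   # pusk.exe
C2_IPS = {"216.155.130.214", "46.161.20.66"}
C2_HOSTS = {"tazejutyhyfu.com", "puskovayaustanovka.ru"}
DROPPED = [r"%CommonAppData%\lpd2lf503886", r"%AppData%\lpd2lf503886",
           r"%Temp%\lpd2lf503886", r"%Templates%\lpd2lf503886",
           r"%AppData%\fip.exe", r"%AppData%\jfe.exe"]

# Assumed on-disk expansions of the folder variables (regex fragments).
_VAR_RE = {
    "%CommonAppData%": r"C:\\ProgramData",
    "%AppData%": r"C:\\Users\\[^\\]+\\AppData\\Roaming",
    "%Temp%": r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp",
    "%Templates%": r"C:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Templates",
}


def _dropped_pattern(ioc):
    """Turn an indicator like %AppData%\\fip.exe into a regex for the expanded path."""
    var, _, tail = ioc.partition("\\")
    return re.compile(_VAR_RE[var] + r"\\" + re.escape(tail), re.IGNORECASE)


DROPPED_RES = [(ioc, _dropped_pattern(ioc)) for ioc in DROPPED]


def match_file_path(path):
    """Return the write-up indicator a file-creation path matches, else None."""
    for ioc, rx in DROPPED_RES:
        if rx.fullmatch(path):
            return ioc
    return None


def classify_email(sender, subject, attachment_name, attachment_bytes):
    """List the mail-level indicators a message triggers (empty list = none)."""
    reasons = []
    if SENDER_RE.match(sender):
        reasons.append("sender matches supportmop<N>@dhl.com")
    if subject.strip() == SUBJECT:
        reasons.append("subject matches campaign")
    if attachment_name.lower() == ATTACHMENT_NAME:
        reasons.append("attachment named dhl.zip")
    try:
        with zipfile.ZipFile(io.BytesIO(attachment_bytes)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(".exe"):
                    reasons.append("ZIP contains executable " + info.filename)
                if hashlib.md5(zf.read(info)).hexdigest() in KNOWN_MD5S:
                    reasons.append("ZIP member matches a known sample MD5")
    except zipfile.BadZipFile:
        pass  # not a ZIP at all; nothing more to inspect here
    return reasons


def scan_proxy_log(lines):
    """Return (line number, indicator) for lines reaching a campaign host or IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"https?://([^/\s:]+)", line)
        host = m.group(1).lower() if m else None
        ips = set(re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", line))
        hit = host if host in C2_HOSTS else next(iter(ips & C2_IPS), None)
        if hit:
            hits.append((n, hit))
    return hits


# Constructed Squid-style proxy lines; only lines 2-4 touch campaign infrastructure.
SAMPLE_PROXY_LOG = [
    "1301828000.123 10.0.0.5 TCP_MISS/200 GET http://www.example.com/index.html",
    "1301828012.456 10.0.0.5 TCP_MISS/200 GET http://tazejutyhyfu.com/1017000312",
    "1301828020.789 10.0.0.5 TCP_MISS/200 GET http://puskovayaustanovka.ru/pusk2.exe",
    "1301828031.001 10.0.0.5 TCP_MISS/200 POST http://46.161.20.66/",
]


def build_demo_zip():
    """Constructed stand-in for dhl.zip: holds a harmless 'dhl.exe' text stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dhl.exe", b"MZ stub, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    print(classify_email("supportmop1@dhl.com", SUBJECT, "dhl.zip", build_demo_zip()))
    print(scan_proxy_log(SAMPLE_PROXY_LOG))
    print(match_file_path(r"C:\Users\alice\AppData\Roaming\fip.exe"))
```

The mail check deliberately scores each indicator separately rather than requiring all of them, because the post itself expects the sender local part to vary; the ZIP inspection (an executable inside, or a member whose MD5 equals one of the two published hashes) is the part that survives a changed sender or subject. The host-path matcher keeps the %Var% names from the post as the reported indicator so an alert maps straight back to this write-up.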

15 Responses to “DHL Express Services” – another trojan in the wild

  1. paul says:

    Hi, I opened this email and like a fool tried to extract it, but AVG picked it up. Is there any threat to my computer, and what does it exactly do? I run a website called http://www.everythingbranded.co.uk and we service a number of clients and need it to be up and running 24 hours a day. Any advice would be very appreciated.

  2. Mimi8595 says:

    Probably the same virus already posted to this site under a different heading:
    http://blog.mxlab.eu/2011/03/27/%e2%80%9cunited-parcel-service-notification-48161%e2%80%9d-from-ups-contains-trojan/

    I suggest you peruse here as there are many posts to this one where people have stated what it has done, and how they are finding remedies…good luck!

  3. Andrew says:

    My wife double clicked the dhl.zip and now most of the program files on the computer are not working, it cannot connect to any browser, and it looks like the registry is corrupted. Restarted the computer and most resident programs no longer work.

    I am overseas so can only briefly check her computer over remote control software, but it looks like the whole registry is corrupted. Searched most AV sites and no solution found yet.

    The computer has AVG installed but it did not pick up the virus.

    • Mr_Krol says:

      Poor schmucks are still using Windows machines? That's what happens when viruses roam free. But I wonder if a simple housewife is willing to switch to an OS other than Windows.

  4. Dear Sir or Madam,
    thank you very much for the message. Unfortunately I cannot open it at all, as per the attachment…
    dhl-zip, file 6.78 KB. Could you send it to me again, properly…
    thank you very much for everything… and also for your effort…
    please ring a little longer at the doorbell, or call the mobile 004178 7780104.
    that way I know exactly where you are… thank you very much for everything…
    you can write in German, but you don't have to. I would be very glad…
    I look forward to your reply… by email…
    with kind regards r. läubli, CH-8123 Ebmatingen

    —– Original Message —–
    From: DHL Global
    To: rl.pfuedi@ggaweb.ch
    Sent: Sunday, April 03, 2011 6:53 AM
    Subject: **** SPAM [ 34.652 ] **** DHL Express Services

    Dear customer.

    The parcel was sent your home address.
    And it will arrive within 3 business day.

    More information and the tracking number are attached in document below.

    Thank you.
    © 1994-2011 DHL Express Services, Inc.

  5. Bert says:

    adminsupport1@dhl.com, it's another mail it sends from

  6. Robyn says:

    Having purchased goods online in the last 3 days, I thought it was giving me delivery instructions for them. Tried to unzip; luckily my BitDefender stopped them from opening. Phew!!!!!

  7. Beej says:

    Almost clicked on it, but I thought I’d google it just in case. Thank God. It’s going under the email administratordhl@dhls.com too, and 10 business days this time.

    Silly trojan bot.

  8. Pingback: Dhl Tools

  9. vinod says:

    Is there any way I can get a sample of this spam email?

    Could one of you save the message in .msg format (in Outlook), zip it and upload it on http://www.webimmune.net for analysis, and post the details on community.mcafee.com please?

  10. Sana says:

    I received the same kind of mail but from a Yahoo ID, and when I clicked on the folder it warned me not to open it, there is a virus. And I received it on both my Hotmail and Yahoo accounts. The mail sent to me was by the ID express.delievery1@yahoo.com, and the message is: parcel sent to home address, will receive in 10 business days.

  11. Steven says:

    I had stupidly opened up the attached file after receiving a UPS notification. I assume this is a similar trojan to the DHL email. My computer is an old Pentium 4 running Windows XP Pro and I’m ready for a new computer… I am not particularly interested in rescuing this old computer. I don’t really understand the design of the trojans, but do they infect data files, and would it be safe to just back up Word and Excel files, JPEGs, MP3s and Outlook contacts and transfer these to a new Windows or Apple machine?
    Thanks,
    Steve

  12. hacker man says:

    guys please send me this virus as zip file …. i have the solution >>> momo_jojo13@yahoo.com
    send it now please

  13. chrisnbowen says:

    Hi, as a ‘computer beginner’ I stupidly opened this virus yesterday and lost all my start menu and documents (space showing used on my Dell C and D drives, but folders appear empty). I’ve run Malwarebytes and cleared 6 trojans found, but still no start menu, no programmes or documents showing – please help!
