The possible subjects are (numbers are random):

UPS INVOICE NR9094991
Delivery Problem NR2204780

The body of the email:

Hello!
Unfortunately we were not able to deliver your postal you have sent on the 11th of March in time because the addressee’s is inexact.
Please print out the invoice copy attached and collect the package at our department.
UPS Global Services.

Hello!
We failed to deliver the postal you have sent on the 24th of March in time because the addressee’s is wrong.
Please print out the invoice copy attached and collect the package at our department.
UPS Express Services.

The email contains the zip archive upsinvoice3325037.zip, once extracted the 36 kB large file UPSINVOICE.exe is available.

The trojan is known as W32/FakeAlert.NW (F-Prot), Trojan.Win32.VBKrypt.yj (Kaspersky), Win32/Oficla.EU (NOD32), Troj/Bredo-CX (Sophos) or Trojan.Sasfis (Symantec).

The following files are created:

%Temp%\1.tmp
%System%\nnfj.tqo
%Temp%\2.tmp
%Windir%\scindl.dll

The following modules will be loaded into the address space of other process(es):

%Windir%\scindl.dll —>
Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E90000 – 0x1EA1000

%Windir%\scindl.dll —>
Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0×1940000 – 0×1951000

%Windir%\scindl.dll —>
Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0×10000000 – 0×10011000

The trojan can establish a remote connection with the following hosts on port 80:

85.87.17.230
89.149.202.142
95.211.27.238

Data will be requested fromt he following web sites:

* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=653227819&b=newsp&tm=2
* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=653227819&tid=5&b=newsp&r=1&tm=2
* hxxp://www.yunusemre.net/trpanel/fckeditor/editor/
_source/classes/sistempod.exe

Virus Total permlink and MD5: 493c929efe366812cd6fc921c2b549fc.

MX Lab intercepted a  few messages, with the zero hour anti virus system, that claim that the delivery of the postal package that is handled by UPS has failed due to an incorrect address. At the time of writing, 03.02.2009 22:55:45 (CET), only 7 of the 38 anti virus engines detect this new variant.

The trojan is named TrojanSpy.ZBot.DGI (VirusBuster), Trojan-Dropper.Delf (Ikarus) or VirTool:Win32/DelfInject.gen!J (Microsoft).

The from address is spoofed and contains “United Postal Service <tracking@ups.com>”.

The message contains the following body content:

Hello!

Sorry, we were not able to deliver postal package you sent on February the 23th in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office.

Your UPS Support Team

The trojan hides itself inside the file Invoice_8612112.exe once you have extracted the ZIP archive Invoice_8612112.zip. Names and numbers may vary.

It has the same characteristics as in one of our previous blog posts with the difference that the connection to the remote host 91.211.65.33 now tries to get /ejik/admin.bin and /ejik/hot.php.

Virus Total permlink and MD5: a3d1a160e6ce8ca4c2b4421731e549c2.

Update 10 March 2009: A new variant is being distributed. The attached file is named UPS_ID.zip and contains the trojan UPS_ID.exe.

Virus Total permlink and MD5: b5e44647bc1f08c4d7f32fc933db1ac6.

MX Lab was the first to send and analyse the file by Total Virus. Only 2 of the 36 AV engines at Virus Total did detect the trojan at the time of writing. So be aware that this email contains malware so don’t open the attachment.

The senders email addres is: United Postal Service <tracking@ups.com>.

The subject is: Delivery problems

The content of the body:

Hello!

Sorry, we were not able to deliver postal package you sent on December the 25th in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office.

Your UPS Support Team

The file attached is names UPSInv.zip and the ZIP archive contains UPSInv.exe.

Please note that the senders email address, the subject, body and attached file names can change.

This is the Trojan-Spy.Zbot.YETH, which is a rootkit trojan which steals online banking information and downloads other malware as well. The origin is possibly the Russian Federation.

Local files created:

%System%\twain32\local.ds
%System%\twain32\user.ds
%System%\twain32\user.ds.lll 
%System%\twex.exe 

Several Windows registry changes are being made, one registry change makes ure that twex.exe is run every thime Windows starts, and the trojan makes connection with the host 91.211.65.33 on port 80 and a GET command is executed to ferrari/admin.bin.

Virus Total permlink and MD5 hash: 61a1617ddb5c5bdb495b29bd1719e965.

Contract of settlements
Contract of retirements
Permit for retirement
Loan contract

The contents of the message:

Dear customers,

We have prepared a contract and added the paragraphs that you wanted to see in it. Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment. We are enclosing the file with the prepared contract. If necessary, we can send it by fax. 

Looking forward to your decision.
Israel Bender

Virus Total permalink and MD5 hash: c0a907c8bf64d60bec0cce934ca60a34

The new variant is detected by 13 of the 35 anti virus engines at Virus Total. The MD5 hash is 488d34cd86e252abca560416413a595d.

Also, if you receive an Hallmark E-Card as attachment it’s also another variant of a Trojan-Dropper.Win32 also known as W32/P2Pworm.E.worm or Trojan.Delf.Inject.F. The chances for infection are much less, 24 of the 35 engines provide protection, so there’s a good chance that it’s captured.

When reading the comments on this blog and also on other resources and web site, I am amazed how many people have double clicked the attachment and have indeed infected their computer.

Now, a very simple tip for the future that is also mentioned on some other web sites as well is don’t open attachments without checking the content and senders first. Handle each email with attachments carefully and don’t start to extract them and click on executables and files with exotic extensions.

Large companies like UPS, Hallmark and others don’t send you an executable in a zip file. So this is something that you should be aware of. This is the first “red light”.

UPS tracking is done online on their web site and after all, think about it, a message stating that a delivery from July the 1st can’t be delivered while we are in fact July 23 is not a very good UPS service, right?

For Hallmark e-cards you also need to visit their web site to get your lovely e-card.

Following this simple guideline can avoid troubles of getting an infected computer. This applies for everyone. If you work from home, you are an individual, you are in a business environment, it’s a good tip for everyone.

Now, if you have a business with employees and multiple workstations, servers and computers and you have an infection on your network then you might ask yourself if your anti virus protection is up to the task of providing protection after all. It appears that it is not.

You are missing a good protection on the internet perimeter that is capable of responding faster to email based threats like viruses and trojans.

In that case, let me promote my company for once, contact MX Lab, get a 15 day trial of our zero hour anti virus and anti spam security services and notice the difference.

The email itself remains the same but the attachment name contains now a tracking number like UPS_INVOICE_978172.exe.

The .exe is a new variant and when submitting an example to Virus Total only 3 of the 34 anti virus engines detected this new variant. More details below in the table.

Antivirus	Version	Last Update	Result
AhnLab-V3	2008.7.21.1	2008.07.21	-
AntiVir	7.8.1.11	2008.07.21	-
Authentium	5.1.0.4	2008.07.21	-
Avast	4.8.1195.0	2008.07.21	-
AVG	8.0.0.130	2008.07.21	-
BitDefender	7.2	2008.07.21	-
CAT-QuickHeal	9.50	2008.07.21	-
ClamAV	0.93.1	2008.07.21	-
DrWeb	4.44.0.09170	2008.07.21	-
eSafe	7.0.17.0	2008.07.21	Suspicious File
eTrust-Vet	31.6.5971	2008.07.21	-
Ewido	4.0	2008.07.21	-
F-Prot	4.4.4.56	2008.07.21	-
F-Secure	7.60.13501.0	2008.07.21	Suspicious:W32/Malware!Gemini
Fortinet	3.14.0.0	2008.07.21	-
GData	2.0.7306.1023	2008.07.21	-
Ikarus	T3.1.1.34.0	2008.07.21	-
Kaspersky	7.0.0.125	2008.07.21	-
McAfee	5343	2008.07.21	-
Microsoft	1.3704	2008.07.22	-
NOD32v2	3284	2008.07.21	-
Norman	5.80.02	2008.07.21	-
Panda	9.0.0.4	2008.07.21	-
PCTools	4.4.2.0	2008.07.21	-
Prevx1	V2	2008.07.22	-
Rising	20.54.02.00	2008.07.21	-
Sophos	4.31.0	2008.07.21	-
Sunbelt	3.1.1536.1	2008.07.18	-
Symantec	10	2008.07.21	-
TheHacker	6.2.96.385	2008.07.20	-
TrendMicro	8.700.0.1004	2008.07.21	-
VBA32	3.12.8.1	2008.07.21	suspected of Malware-Cryptor.Win32.General.2
VirusBuster	4.5.11.0	2008.07.21	-
Webwasher-Gateway	6.6.2	2008.07.21	-

The file contains threat characteristics of ZBot – a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system. It opens backdoors on infected computer to allow malicious attacker unauthorized access.

On an infected computer the trojan will create a new files like %System%\ntos.exe, %System%\wsnpoem\audio.dll, %System%\wsnpoem\video.dll and creates a new directory %System%\wsnpoem.

It also adds and modifies entries in the Windows registry and make connection with a server for http://*********.ru/******/odessa.bin. It opens random TCP ports in order to provide backdoor capabilities.

Update 10:00 AM Belgian time:

The MD5 on Virus Total is da4b7ef93c588ad799f1a1c5afb6cfad and the trojan is now detectedby 12 virus engines. Permalink: http://www.virustotal.com/

The messages contains the text:

Unfortunately we were not able to deliver postal package you sent on July the 1st in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your UPS

The messages includes an attachment ups_invoice.zip which extracts the ups_invoice.exe file.  This file contains a trojan known as W32/Agent.HFN by F-Prot. We couldn’t resist to submit this file to Virus Total and to see how many signature based anti virus engine will detect this malware. This time there where only 8 of the 34 anti virus engines detecting the trojan.

Here are the complete results from Virus Total:

Antivirus	Version	Last Update	Result
AhnLab-V3	2008.7.17.0	2008.07.18	-
AntiVir	7.8.1.11	2008.07.20	-
Authentium	5.1.0.4	2008.07.20	W32/Agent.HFN
Avast	4.8.1195.0	2008.07.20	-
AVG	8.0.0.130	2008.07.19	Dropper.Generic.VGK
BitDefender	7.2	2008.07.20	-
CAT-QuickHeal	9.50	2008.07.18	-
ClamAV	0.93.1	2008.07.20	-
DrWeb	4.44.0.09170	2008.07.20	-
eSafe	7.0.17.0	2008.07.20	Suspicious File
eTrust-Vet	31.6.5966	2008.07.18	-
Ewido	4.0	2008.07.20	-
F-Prot	4.4.4.56	2008.07.20	W32/Agent.HFN
F-Secure	7.60.13501.0	2008.07.20	Suspicious:W32/Malware!Gemini
Fortinet	3.14.0.0	2008.07.20	-
GData	2.0.7306.1023	2008.07.20	-
Ikarus	T3.1.1.34.0	2008.07.20	Trojan-Dropper.Win32.Delf.aef
Kaspersky	7.0.0.125	2008.07.20	-
McAfee	5342	2008.07.18	-
Microsoft	1.3704	2008.07.20	-
NOD32v2	3282	2008.07.19	-
Norman	5.80.02	2008.07.18	-
Panda	9.0.0.4	2008.07.20	-
Prevx1	V2	2008.07.20	-
Rising	20.53.62.00	2008.07.20	-
Sophos	4.31.0	2008.07.20	-
Sunbelt	3.1.1536.1	2008.07.18	-
Symantec	10	2008.07.20	-
TheHacker	6.2.96.385	2008.07.19	-
TrendMicro	8.700.0.1004	2008.07.18	-
VBA32	3.12.8.1	2008.07.20	-
VirusBuster	4.5.11.0	2008.07.19	Packed/Pohernah
Webwasher-Gateway	6.6.2	2008.07.20	Win32.Malware.gen#ASPack (suspicious)

Again, this is showing the importance of a zero hour anti virus protection like MX Lab is offering.