New FedEx Tracking number trojan outbreak

MX Lab has detected and intercepted a new outbreak of the FedEx Tracking number trojan. It appears to be a variant

 Subject is now “FedEx Tracking N_2545362053” – where the number is random. The From address is spoofed and is not an official FedEx email address. So this email is easy to detect and when looking at the email from and body you should be able to identify this as suspicious.

The messages contains:

Unfortunately we were not able to deliver postal package you sent on August the 1st in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office


The attached malware is in a zip file named and contains the executable with file name WD6128922.exe.

As a reminder, FedEx will never give you tracking information in this way. All tracking regarding shipments is done on their web site. And if something went wrong, FedEx won’t send out an email with a Zip file attached.

The file is submitted to Virus Total at around 1:30 PM CET. MX Lab submitted the file for analysis around 9:17 PM CET and only 9 anti virus engines detect this variant. So be carefull not to open the zip file and especially don’t start the executable. Virus Total permalink and MD5: df73c2b3562ef157c10ba1a16b4c8885.

17 thoughts on “New FedEx Tracking number trojan outbreak

  1. Got this one today and it was easy to identify that the message was a fraud. When I tried to forward the message to quarantine and inspect it further It would not show up for some reason (I was sending it from one mailbox to the ohter on the same server). When I deleted it off the original account, it was gone, and their wasn’t a copy in the trash folder.

  2. I did the unthinkable and downloaded this zip file. Now what? The virus keeps me from opening any executable files with the exception of MS Office. Is there any way to reverse or clean this without doing a complete reinstall?

  3. Someone in my office got this email and it opened in thier preview pane in outlook. they say they didn’t open the attachment but now they are locked out of everything. AVG which was up to date as of yesterday is not finding it. any help?

  4. I have today 21st August received a message identical to the above. it contained a zip file which I have now deleted without opening it. the sender’s address is Helena Pruitt []

  5. A coworker of mine also just got this virus. It says her account is now locked and she can’t do anything, even in safe mode. Anyone with tips???

  6. you are shutdown automatically if you use safe mode regular. Go to safe mode w/ command prompt and then start explorer from the command prompt and work on virus removal from there.

    Turn off system restore.


  7. I use fedex once in 5 years. I want to know how this person knew I took a package to fedex. The virus either came from an employee or they have the weakest security. Fedex doesn’t even care when you call customer service. They said I’m not allowed to forward the email to their fraud department because they don’t want to get the virus. Done with fedex!

  8. Everyone is a potential candidate to receive viruses like this, or even spam, wether you have used the FedEx services in the past or not.

    The virus did not come from FedEx or a FedEx employee. We have investigated the messages and the headers don’t match towards any FedEx computer.

    You don’t have to call/mail FedEx because they can’t do anything on this virus distribution. They aren’t responsible for this and they can’t stop it either. And yes, you don’t have to forward viruses. It’s like you are going to spread a virus yourself this way. I’m sure that FedEx will intercept the virus message before it arrives. But after all, it’s not a good idea.

    So don’t blame FedEx for this.

  9. I too believe that someone at FedEx is the virus distributor because how would they have known that our first delivery was lost and the company was going to send us another delivery by FedEx (all phone conversation) and to watch for E-mail having the tracking number on it. We were expecting to receive an E-mail with a tracking number in it and the message about not being able to deliver the first time around fit our situation to a tee. This company had to have spoken to FedEx. Once this virus hit our PC, we tried to buy the XP Anti Virus 2008 software to fix the problem not realizing that this was fictious software that is part of the virus. Now we have to cancel our credit card since that information was given out. Our McAfee software has not been able to fix the problem. This virus keeps coming back upon start up. Isn’t there anybody out there that has a sure fix to this?

  10. Yeah right, FedEx is sending you a virus. Get your facts straight. No offense.

    “We were expecting to receive an E-mail with a tracking number in it and the message about not being able to deliver the first time around fit our situation to a tee.”

    A tracking number is just a number and if FedEx is sending this by email you just receive an email with a number inside – no zip, no executable.

    FedEx won’t send you an email with a tracking number compressed in Zip archive that contains an executable. For using a tracking number you don’t have to run an executable.

    Provide us with some proof and we will revise our statement in the previous comments. Without proof please, don’t post such stupid comments on this blog. Think twice before making such statements and accusations.

    If you further on installed XP Anti Virus 2008 and buy this with your credit card on a web site that you could assume that your credit card could be compromised and you have a second problem installed on your computer.

    Maybe this can help:

    If not, I really recommend you to backup some important data, disconnect the computer from the local network and internet connection (to avoid further distibution) if present and reformat and reinstall your computer.

    In the future, just don’t open attachemnts from unknown sources. The from address wasn’t a FedEx one and is a spoofed emailaddress. This is the first red light and should make you think that the email can be dangerous.

  11. I also knew something was wrong with it when it came to my inbox. I don’t use FedEx. I saved it to desktop, scanned it with AVG, and got rid of it. Beware, and good luck.


  12. “Spybot Search and Destroy” can remove enough of it to allow you to change your wallpaper again.

    It is a coincidence that you recently used Fed-Ex. Our mail server, Anti-virus, and Spam software did not recognize there was a problem. We had to manually enter the email details to block them, and we then stopped about 30 of these over the past week, only four of those employees use FedEx.

    The employees who say they did not click on the attachment? This is not a self-deploying package. One must ignore the obvious errors in the email syntax, unzip the attachment, and then run the executable. Education (and SURBL) is our greatest defense.

  13. To those who think FedEx must be involved because they knew you sent a package. The sender DID NOT know you sent a package. I got the email and I haven’t sent a FedEx package in years. They send the same email to everyone in a mailing list and a certain percentage of the recipients, like yourself, will have sent a package but they have no idea who on the list that will be.

  14. It should be noted that the zip file and the exe are not always named and WD6128922.exe. In my case the zip file was: and the executable was: FIK76618922.exe. The sender address was “Leona Cardenas”.

  15. Also, looking at a hex dump of the file, my guess is that this program replaces comctl32.dll a component of the operating system used by most programs to communicate with the user.

    This is the email address that you would receive an update or any tracking information from. Any kind of delivery exception will come from here. NOWHERE else. I work in FedEx Tech support Have for 2 years and I receive those same spam emails as all of you. Its simple if you dont know the sender don’t open any attachments.

Comments are closed.