MX Lab intercepted a new virus campaign about an undelivered package, sent from a spoofed email address of the United States Postal Service (USPS). In our case it was sent from Augustine Mcclain <Augustine _Mcclain@usps.com>. The subject is “Your Postal Package N6730622”; the number changes randomly from message to message.
The setup is the same as in the earlier virus campaigns in which spoofed email addresses from UPS, DHL or FedEx were used.
The body of the email:
Unfortunately, we could not deliver postal package sent 01 April,
As the recipient’s address does not exist.
Please, print out the bill of lading that is in the attached document, and collect your parcel in our office at the address indicated in the bill of lading.
Attached to the message is the ZIP archive Postal_p_N2355224.zip. Once extracted, it yields the 40 kB file postal_p_N2355224.doc.exe, an executable disguised with a double extension so that it looks like a Word document.
The trojan is known as Trojan:Win32/Oficla.M (Microsoft) or trojan.Sasfis (Kaspersky).
The following files will be created:
The registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid” is created.
The registry key “[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]” will be modified.
The trojan can establish a remote connection to the IP addresses 220.127.116.11 and 18.104.22.168 on port 80 and retrieve data from:
At the time of writing, only 4 of the 40 AV engines at Virus Total detected the trojan, so be careful at this time when you notice this message in your mailbox!
Virus Total permalink and MD5: e7316a1faeb6507f5684d76c189768ea.
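As an added example (this is not MX Lab's code), the following Python script turns the indicators above (the spoofed usps.com sender, the "Your Postal Package N…" subject, the Postal_p_N….zip attachment carrying a .doc.exe, the published MD5 and the two port-80 addresses) into mail-gateway and proxy-log triage checks. The sample message, the ZIP archive and the proxy log lines are constructed here for the demo; the archive member is a harmless placeholder, not the dropper, which is why the MD5 check reports no match.

```python
"""Added example, not MX Lab's code: triage checks built from the indicators
in the post. All inputs below are constructed for the demo."""
import hashlib
import io
import re
import zipfile

# Indicators taken from the post
SPOOFED_SENDER_DOMAIN = "usps.com"
SUBJECT_RE = re.compile(r"^Your Postal Package N\d+$")
ATTACHMENT_RE = re.compile(r"^Postal_p_N\d+\.zip$", re.IGNORECASE)
C2_ENDPOINTS = {("220.127.116.11", 80), ("18.104.22.168", 80)}
KNOWN_MD5 = "e7316a1faeb6507f5684d76c189768ea"
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def is_double_extension_executable(name: str) -> bool:
    """True for names like postal_p_N2355224.doc.exe: an executable
    extension hiding behind a document-looking one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[2] in EXECUTABLE_EXTENSIONS


def executable_entries(zip_bytes: bytes) -> list:
    """Names of archive members whose final extension is executable."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist()
                if "." + n.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTENSIONS]


def payload_md5_matches(zip_bytes: bytes, member: str) -> bool:
    """Compare one archive member against the MD5 published in the post."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return hashlib.md5(zf.read(member)).hexdigest() == KNOWN_MD5


def score_message(sender: str, subject: str, attachment_name: str,
                  attachment_bytes: bytes) -> dict:
    """List matched indicators and return a verdict. A usps.com sender alone
    is not evidence (legitimate USPS mail exists), so 'quarantine' requires an
    executable inside the archive; two or more weaker indicators give 'review'."""
    hits = []
    if sender.lower().rsplit("@", 1)[-1] == SPOOFED_SENDER_DOMAIN:
        hits.append("sender domain usps.com")
    if SUBJECT_RE.match(subject):
        hits.append("subject matches campaign pattern")
    if ATTACHMENT_RE.match(attachment_name):
        hits.append("attachment name matches campaign pattern")
    carries_executable = False
    if attachment_name.lower().endswith(".zip"):
        execs = executable_entries(attachment_bytes)
        if execs:
            carries_executable = True
            hits.append("archive contains executable: " + ", ".join(execs))
        if any(is_double_extension_executable(n) for n in execs):
            hits.append("double extension masquerade")
    if carries_executable:
        verdict = "quarantine"
    elif len(hits) >= 2:
        verdict = "review"
    else:
        verdict = "allow"
    return {"hits": hits, "verdict": verdict}


# Constructed log format: "<time> <src> -> <dst>:<port> <method> <path>"
PROXY_LOG_RE = re.compile(r"-> (\d+\.\d+\.\d+\.\d+):(\d+) ")


def c2_contacts(log_lines: list) -> list:
    """Proxy log lines whose destination is one of the two C2 endpoints."""
    found = []
    for line in log_lines:
        m = PROXY_LOG_RE.search(line)
        if m and (m.group(1), int(m.group(2))) in C2_ENDPOINTS:
            found.append(line)
    return found


def build_sample_zip() -> bytes:
    """Constructed stand-in for Postal_p_N2355224.zip; the member is a
    harmless placeholder, not the trojan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("postal_p_N2355224.doc.exe", b"placeholder, not the dropper")
    return buf.getvalue()


# Constructed proxy log lines; 203.0.113.5 is a documentation address
SAMPLE_PROXY_LOG = [
    "2010-04-01T10:02:11 10.0.0.15 -> 220.127.116.11:80 GET /",
    "2010-04-01T10:02:15 10.0.0.15 -> 203.0.113.5:443 CONNECT example.com",
    "2010-04-01T10:03:40 10.0.0.15 -> 18.104.22.168:80 GET /",
]

if __name__ == "__main__":
    sample = build_sample_zip()
    print(score_message("Augustine_Mcclain@usps.com", "Your Postal Package N6730622",
                        "Postal_p_N2355224.zip", sample))
    print("known sample:", payload_md5_matches(sample, "postal_p_N2355224.doc.exe"))
    print("C2 contacts:", c2_contacts(SAMPLE_PROXY_LOG))
```

The archive check is the one that matters at the gateway: the sender, subject and attachment name all vary between campaigns, but an executable inside a "document" ZIP is the constant. The proxy check is the host-side complement: any internal client talking to either address on port 80 is worth pulling for the registry changes described above.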