“United Parcel Service notification” from UPS contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “United Parcel Service notification”.

The email is sent from the spoofed address “United Parcel Service <****@ups.com>”, where **** is replaced by various local parts such as:

infojs@ups.com
joiner2@ups.com
joiner22@ups.com
joisupport@ups.com
supportadm@ups.com
….

The message has the following body:

Dear customer.

The parcel was sent your home address.
And it will arrive within 7 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 United Parcel Service of America, Inc.

The attached archive has the name UPSnotice.rar and contains the 16 kB file UPS notify.exe.

The trojan is known as BDS/Hostil.F.9 (Antivir), TrojanDownloader:Win32/Chepvil.I (Microsoft), Mal/Bredo-K (Sophos), Backdoor.Cycbot (Symantec).

The following files will be created:

%Temp%\lol2.exe

The trojan establishes a connection to the IP 193.105.121.33 on port 80 and retrieves its payload from the URL hxxp://193.105.121.33/lol2.exe.
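As an added example (not MX Lab's own tooling), the Python sweep below checks proxy log lines and a temp-directory listing against the network and file indicators above. The C2 address, URL and dropped file name are the ones in this post; the Squid-style log lines, client addresses, the second download host and the directory listing are constructed for the demonstration, and the Squid native field layout is an assumption.

```python
"""Sweep proxy logs and a %Temp% listing for the indicators in this post.

Added example, not MX Lab's code. Indicators (C2 IP, port, payload URL path,
dropped file name) come from the post; the log lines and file listing are
constructed for the demonstration.
"""
from urllib.parse import urlsplit

C2_IP = "193.105.121.33"
C2_PORT = 80
PAYLOAD_PATH = "/lol2.exe"
DROPPED_NAME = "lol2.exe"

# Constructed Squid native access.log lines (assumption: standard field order:
# timestamp, elapsed, client, code/status, bytes, method, URL, ident, peer, type).
SAMPLE_LOG = """\
1300863661.123    412 10.0.0.15 TCP_MISS/200 16801 GET http://193.105.121.33/lol2.exe - DIRECT/193.105.121.33 application/octet-stream
1300863662.456     88 10.0.0.21 TCP_HIT/200 5120 GET http://www.ups.com/ - DIRECT/198.51.100.7 text/html
1300863670.789    300 10.0.0.15 TCP_MISS/200 1023 GET http://193.105.121.33:80/ - DIRECT/193.105.121.33 text/html
1300863690.101    250 10.0.0.42 TCP_MISS/200 16801 GET http://198.51.100.9/lol2.exe - DIRECT/198.51.100.9 application/octet-stream
"""

# Constructed %Temp% listing for two users (not a real capture).
SAMPLE_TEMP_LISTING = [
    r"C:\Users\alice\AppData\Local\Temp\lol2.exe",
    r"C:\Users\alice\AppData\Local\Temp\~DF3A1B.tmp",
    r"C:\Users\bob\AppData\Local\Temp\LOL2.EXE",
]


def url_matches_c2(url):
    """Return why a URL matches the post's indicators, or None.

    The payload path is checked first because a second-stage host may change
    while the file name stays the same; then the exact C2 host:port pair.
    """
    parts = urlsplit(url)
    if parts.path.lower().endswith(PAYLOAD_PATH):
        return "payload_path"
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if parts.hostname == C2_IP and port == C2_PORT:
        return "c2_host"
    return None


def scan_proxy_log(text):
    """Return one record per log line whose URL matches an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line
        client, url = fields[2], fields[6]
        reason = url_matches_c2(url)
        if reason:
            hits.append({"client": client, "url": url, "reason": reason})
    return hits


def scan_paths(paths):
    """Flag file system entries whose base name is the dropped file (case-insensitive)."""
    return [p for p in paths
            if p.replace("\\", "/").rsplit("/", 1)[-1].lower() == DROPPED_NAME]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['url']} ({hit['reason']})")
    for path in scan_paths(SAMPLE_TEMP_LISTING):
        print("dropped file:", path)
```

On the constructed input the sweep reports the two clients that fetched lol2.exe, the client that contacted the C2 address directly, and both users whose %Temp% holds the dropped file.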

At the time of writing, only 20 of the 43 AV engines at VirusTotal detected the trojan.

VirusTotal permalink and MD5: cc040e69121bc19f23ef4a32dbb8a80e.
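As an added example (not MX Lab's code), the Python triage script below applies the three checks this post gives a reader: a From: header claiming @ups.com while the envelope sender points elsewhere, an archive attachment that carries a Windows executable, and the MD5 of that executable compared with the hash above. The message, the ZIP attachment and the "executable" inside it are constructed for the demonstration (the real sample is not reproduced here), the Return-Path domain is an assumption, and the list of executable extensions is an assumption. The script handles ZIP archives only; a RAR attachment would need a separate library.

```python
"""Triage a mail message against the indicators in this post.

Added example, not MX Lab's tooling. The sample message, archive and
placeholder executable are constructed; only the MD5 and the sender/
attachment names come from the post.
"""
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

KNOWN_MD5 = {"cc040e69121bc19f23ef4a32dbb8a80e"}   # hash published in the post
CLAIMED_DOMAIN = "ups.com"
# Assumption: extensions Windows will execute when double-clicked.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

ADDR_RE = re.compile(r"<([^>]+)>|([^\s<>]+@[^\s<>]+)")


def address_domain(header_value):
    """Domain part of the first e-mail address in a header value, lower-cased."""
    if not header_value:
        return None
    m = ADDR_RE.search(str(header_value))
    if not m:
        return None
    addr = m.group(1) or m.group(2)
    return addr.rpartition("@")[2].strip().lower()


def sender_mismatch(msg):
    """True when From: claims the courier domain but the envelope sender does not."""
    from_dom = address_domain(msg.get("From"))
    env_dom = address_domain(msg.get("Return-Path"))
    return from_dom == CLAIMED_DOMAIN and env_dom != CLAIMED_DOMAIN


def is_pe(data):
    """Windows executables start with the 'MZ' DOS header, whatever the file name."""
    return data[:2] == b"MZ"


def inspect_archive(blob):
    """List members of a ZIP attachment that look like executables, with MD5."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return hits   # RAR or other formats: not handled by this example
    for info in zf.infolist():
        data = zf.read(info)
        if info.filename.lower().endswith(EXECUTABLE_SUFFIXES) or is_pe(data):
            digest = hashlib.md5(data).hexdigest()
            hits.append({"name": info.filename, "size": len(data),
                         "md5": digest, "known_sample": digest in KNOWN_MD5})
    return hits


def triage(raw):
    """Parse a raw RFC 5322 message and report sender and attachment findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"sender_mismatch": sender_mismatch(msg), "attachments": []}
    for part in msg.iter_attachments():
        blob = part.get_payload(decode=True) or b""
        findings["attachments"].append({"filename": part.get_filename() or "",
                                        "executables": inspect_archive(blob)})
    return findings


def build_sample():
    """Constructed message mimicking the campaign layout (not the real sample)."""
    fake_exe = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real program"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS notify.exe", fake_exe)
    msg = EmailMessage()
    msg["From"] = "United Parcel Service <supportadm@ups.com>"
    msg["Return-Path"] = "<bounce@example.invalid>"   # assumption: relay outside ups.com
    msg["Subject"] = "United Parcel Service notification"
    msg.set_content("Dear customer.\nThe parcel was sent your home address.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="UPSnotice.rar")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

Run against the constructed message it reports the From/Return-Path mismatch and the executable inside UPSnotice.rar; the placeholder's MD5 does not match the published hash, which is the point of carrying both an extension/magic check and a hash check: the hash identifies this sample, the structural checks catch the next repack.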

94 thoughts on “United Parcel Service notification” from UPS contains trojan

    • I’ve received a few of these when checking my spam folder, just noticed the same thing from DHL too

  1. I received one today, and my McAfee did not detect it. But I googled it and have deleted it; I did not open the attachment. Now doing a scan.

  2. Thanks for the info/confirmation.
    I got wise this time. Once bitten, twice shy. I get these emails after making telephone or internet purchases with one particular company. This time, it was only to get a quote that included shipping costs. They were plugging my details into UPS online while I was on the phone to them. Whose system is compromised, the retailer or both UPS (this time) and UPSS (last time)? Go figure.

  3. Just got hit, I am expecting a book for school so I opened it. FREAKIN SUCKS. Working on removing the Trojan now. I have had to do this so many times for past Trojan malware that everyone that gets hit with one calls me for help.

    On boot up, press and hold F8, you should get to select Safemode with network.
    Run full system scan from your AntiVirus software once boot up has finished.
    If you don’t have AntiVirus, download one at this point and run it.

    Oh yeah, to the ones who get off on creating this crap: I have a life, why don’t you try getting one. If not, spend 50 cents and put a hole in your head.

    • I also got hit.
      I followed your advice, running in safe mode [networking] and scanning my system. Unfortunately, my antivirus [Avast] did not find the virus. What antivirus did you use to clean the trojan?
      Any other information will be helpful.

      10x

      • Try using Malwarebytes as an added anti-malware scanner (if it won’t open, download it again, but rename it to another name (example, BBB.exe), since some viruses will try to stop you from opening it), and scan for rootkits as well.

  4. I’m from Italy and I received this trojan yesterday. The message is the same as usual:
    “Dear customer.
    The parcel was sent your home address.
    And it will arrive within 7 business day.
    More information and the tracking number are attached in document below.
    Thank you.
    © 1994-2011 United Parcel Service of America, Inc.”

    • Dear customer
      the parcel was sent your home adress .
      And it will arrive with in 7 days
      more information and the tracking number are attached in document below
      thank you

    • I was expecting a parcel from Italy and received exactly the same message. Do I just delete the message?
      thank you

  5. I’m fortunate; my mother actually works at a UPS and I know UPS employees. One of them told me that, for real packages, they’ll ship a letter only if the customer asks to send it, but that there was a scam running around, particularly for people who were not expecting packages. Beware, I got just a second file with a .zip file and the exact same body.

    Oh yeah, and the horrific grammar tipped me off. Seriously guys, how is it you know how to correctly duplicate the UPS copyright, but you can’t proofread?

  6. Our Sophos Exchange filters seem to be blocking these before they hit our mailboxes, but we’re getting an awful lot of them, pretty much one destined for every user in our domain. I don’t want to block the UPS domain completely, and I can’t block by IP as it keeps changing on a message-by-message basis, so what’s the best approach for stopping these landing in the first place?

    • Er, I know this is late, but look at the headers for the messages: they are NOT from the UPS, USPS, FedEx and so forth domains; they are all spoofed….

  7. The latest McAfee version catches this trojan and quarantines it. McAfee also allows you to send the trojan etc. to McAfee to evaluate and improve their AV programs.

    The .rar file in the email actually has 4 Trojans in it. You need to make sure they are quarantined and removed. One of them is a .exe file that is too big to send to McAfee, so be careful.

    I am not sure if the Trojan is caught as soon as the email arrives or once an attempt to open the attachment done. Either way McAfee caught it.

    Good Job McAfee.

  8. Just got it, did not open it. Noticed it was a zip; in all my experience with UPS they do not send zip files.
    Norton w/Qwest did not catch it.

  9. Received this this morning… none of the virus apps caught it.

    Dear customer.

    The parcel was sent your home address.
    And it will arrive within 7 business day.

    More information and the tracking number are attached in document below.

    Thank you.
    © 1994-2011 United Parcel Service of America, Inc.

    • Norton missed it, but it was suspicious enough that I did not open it. Should I check the box to remove compressed files automatically? It is not the default setting, apparently. Thank you for your service.

  10. Just got this yesterday. Here’s the header:

    from: United Parcel Service
    sender-time: Sent at 7:21 AM (GMT-03:00). Current time there: 12:50 PM.
    reply-to: United Parcel Service
    date: Wed, Mar 23, 2011 at 7:21 AM
    subject: United Parcel Service notification

    Oddly enough, I just ordered a couple things off eBay so when I saw this in my spam folder, I thought it might be a mistake. But I get notifications all the time from UPS at work and this looked nothing like what they send me. The strange wording and grammar threw it off too. Didn’t open the attachment, so no problems. Sounds like a nasty virus.

    • Yeah, that’s what I want to know. I do the same thing, unique address for each company I deal with, all @mydomain.com. I’ve been getting this virus spam mostly from one particular address with which I bought a fitness ebook and joined their forum. If it was somehow due to something on my end, I’d expect to be getting spammed at all my addresses, especially my main one that my friends send all their stupid forwarded emails to, but no, that one is still clean, so I have to suspect the business I bought from, but they of course deny any wrongdoing.

  11. OK… just got it. Hotmail won’t let me open it. I buy from eBay a lot, so I think that’s where they’re getting the addresses.
    thanks for the heads up!

  12. As my email was downloading this morning, a Norton window popped up saying,

    “Email Scanner detected Backdoor.Cycbot in your email. The security risk was removed.”

    The attachment was indeed removed, but the email message itself was still there. I don’t make purchases with that particular email address anymore other than the rare Paypal purchase. As it happens, I made 2 Paypal purchases within the past week.

  13. It came to my address today. Twice. Windows Live Mail chucked them in the junk. I’m expecting a ton of stuff from eBay and Amazon, but neither of them ever used UPS with me before, and I thought that to have details like tracking numbers and things come in a zip file looked a bit odd. A zip file? Just to confirm a parcel was on the way?
    As others have noted, the wording and grammar is a dead give-away. Sorry, folks, but I reckon anyone who gets caught with this one didn’t really have their wits about them. It’s too bad that normal people who just want to get on with things have to be constantly on guard against this kind of crap.

  14. Will this Virus affect a Mac operating system? I clicked on it by mistake. So far so good, but I’m worried. Please advise.

  15. Ok I just got it too, this is a scam….

    Dear customer.

    The parcel was sent your home address.
    And it will arrive within 7 business day.

    More information and the tracking number are attached in document below.

    Thank you.
    © 1994-2011 United Parcel Service of America, Inc.

  16. I received multiple copies today. I’d like to know 2 things:
    1.) Who sold my email addresses, and
    2.) Who’s sending this junk out — anyone know?

  17. Hello, I received it in both my gmail and yahoo accounts. When I opened the email in my yahoo account I ‘downloaded’ the parcel slip but when it asked me to open up to the website I clicked no. Is it possible that I ended up getting the virus from downloading it? Again, it asked me to open up the website and I said no….thank you.

  18. I got that email a few minutes ago & unfortunately, since I’m expecting a couple packages from UPS I clicked it. My Sophos antivirus immediately quarantined and to be on the safe side, I’m going to run Sophos again and maybe malwarebytes as well

  19. Yes… me too. I also received two today, sometimes four or more, but I couldn’t open the attachment with the document and the tracking number.

  20. Yeah had a few of these in the organization i work for… removed it using malware bytes. Run a full scan and delete the networking profile created locally, and have end user login with a freshly created profile.. fixed the issue.

    • Malwarebytes detected and quarantined the Trojan, but I am unable to open my applications and programs; I have to open them as administrator before they are able to open.
      You got any solutions for me?

  21. Received this today. Defender Plus and McAfee didn’t find it, but my e-mail server caught it. Don’t people have better things to do?

  22. I just received one today, similar to the others, sent from adminsuppo2@dhl.com. Thanks for posting this, as I almost opened the attachment! Dang scammers, why don’t they do something productive with their time, like find a cure for cancer or volunteer or join the military!

  23. The big clue this is trouble is in the body of the email message. The proper use of the English language is not present. This tells me it is coming from Eastern Europe, probably Russia, because there is no word for “is” in the Russian language.

  24. Hi all. Well, they are still at it as of March 27. I believe in karma. Wish I was there when these scammers get what they deserve! Everyone have a great day 🙂

    • Same here 🙂

      Treat people the way you yourself want to be treated. That’s how I live my life.

    • Hello MX Lab, I clicked on this link and read through it (great work!). However, I noticed that Jim had a reply to his question on 3 April, yet on 16 April he wrote that nobody had replied yet (?), and so I tried to put a comment in, but the site wouldn’t accept one, and the bottom of my screen said “error on page” (I get that a lot anyway). So I was wondering how come Jim didn’t get the reply that was posted for him by Avi on 3 April?
      Thanks for this site,
      cheers

  25. Can UPS not do anything about this? Fortunately, I was able to find resources on the internet to remove it. A bit of hassle though, having to edit the registry

  26. Also, I was expecting an item from eBay; dumb enough to think it would come from an American postal service although I live in Australia!

  27. Thanks, I got this mail and it looked suspicious. And now with this blog I confirmed it! Thanks, man!!

  28. This mail appeared in my spam folder. I was suspicious (esp since it was the day after my birthday that i got it) and deleted it right away. Although it won’t harm my mac, I still did not want to risk any chances, especially since some of my family uses windows. I hope karma bites these scammers in the butt. >.<

  29. Hi,

    I’ve received this email for about a week now to personal and completely unrelated work email addresses. This is becoming very very annoying. Lucky for me I have a Mac so can’t run .exes lmao

  30. Thanks guys for the information. Thanks to you all; I was just going to download the attachment… love you all.

    bye

  31. Just got the e-mail. Thanks for the info before I opened. Didn’t look legit. Much love!

  32. Got bit big time with this one today. Expecting a package… scanned the unopened attachment with Microsoft Essentials after dragging the file to the desktop, and bingo, I was “had” without even opening the attachment.

    Did a safe mode restart, and scan with Malwarebytes to remove it.

    This one wouldn’t allow Malwarebytes to run under normal Windows 7. I didn’t try renaming the Malwarebytes file to see if it would run.

    My daughter also expecting UPS package opened it and her husband did a system rebuild F10 and ended up destroying all their data including 2000 family pictures.

    Lessons learned the hard way!!

    • Hello Gerry, I’m sad to hear of anyone who loses their family photo collection; actually, it infuriates me. Although it’s a bit late in your case, I’d like to suggest to you and to everyone who has important documents and photos that they really want to protect that the answer is very simple. What I do is keep all my important personal files on a separate hard drive and only plug it into my computer when I want to work with them or just enjoy my photos. That way, no matter what happens to my computer (even if it blows up or something) my files are safe. Files I frequently use, I keep on a couple of 8-gig thumb drives, which are better than CDs (which can deteriorate with time). I have all my photos from my overseas trip safely on two thumb drives as well as my external hard drive. I keep backups all over the place!
      Best wishes ….

  33. Hello,

    I received it in hotmail. I clicked the attachment to open it because I was expecting something from ups. The next step was to unzip it, and my hotmail asked me whether I really wanted to do that. I decided NOT to unzip it. I forwarded it to the ups security email address, and ups immediately responded, telling me that it was NOT from them. So I deleted it.

    QUESTION: Is there any chance that I may have downloaded a virus to my windows computer as a result of clicking the attachment but NOT doing the second step of unzipping it? Thank you in advance for any response.

    Jim

    • Hello Jim, I think the answer to your question is that as long as you keep it safely zipped up it can’t touch you. I’m open to correction if I’m wrong, but it seems to me that being in a zip file protects it to some degree from AV programs detecting it, so a file that’s zipped is kind of insulated both ways, and it can only work its mischief once it’s free of the zip. So, you are safe, my friend.
      Cheers.

  34. A variation: I didn’t open it in Windows Live but checked the source code, and the text said that a parcel had been held in Spain and to pay 121 Euros to release it.

  35. I had a feeling that this was some sort of trojan spam. I’ve gotten a few of these over the last couple weeks. Unfortunately, I ALMOST clicked these open, as I’m currently waiting on a few packages from UPS at the moment lol. The first one like this I received claimed it was from DHL, and I’ve gotten others that say they’re from FedEx.

  36. I get these emails every day for the last 10 days. I knew it was spam because I’m not expecting any package through UPS. Thanks guys for posting these blogs.
    Rick

  37. I get at least one every day.

    Yahoo puts them straight into the spam folder,

    but only the first e-mail I got had a virus that could be detected; since then, if I click on download, the Norton antivirus scan just says no virus found,

    but obviously there’s the trojan inside.

    mr x

  38. Thanks, I did open the UPS email, but not the attachment. I order stuff online regularly, but I noticed the email was sent to a lot of recipients and I did not order anything in the time period stated in the email. Whew!

  39. I received it too! I HATE PEOPLE WHO DO THIS! Anyway,
    as another poster above me wrote, nobody has replied to this yet:

    “I received it in hotmail. I clicked the attachment to open it because I was expecting something from ups. The next step was to unzip it, and my hotmail asked me whether I really wanted to do that. I decided NOT to unzip it. I forwarded it to the ups security email address, and ups immediately responded, telling me that it was NOT from them. So I deleted it.

    QUESTION: Is there any chance that I may have downloaded a virus to my windows computer as a result of clicking the attachment but NOT doing the second step of unzipping it? Thank you in advance for any response.”

    Please, does someone know the answer to this? If you downloaded the attachment, is it still infected even if you don’t unzip it?

    Please reply! Thank you a lot to everybody!

    I hope that whoever creates these things gets A GOOD LESSON!

  40. Just received it today; I live in California, btw. Looked suspicious, I googled it and here we are: scam! Good luck everyone! People need to start doing more productive things than trying to scam people.

    United Parcel Service notification #5588
    From: infoyady@ups.com

    Good day,

    The parcel was sent your home adress
    And it will arrive within 7 business days

    More information and the parcel number
    are attached in document below.

    Thank You
    Copyright © 1994-2011 United Parcel Service of America, Inc. All rights
    reserved.

  41. I received it today and like an idiot I opened the document… what should I do?
    I have a Mac… when I clicked on the attachment it automatically downloaded the document. I never opened the document, but I deleted it out of my download folder right away…

    • This wouldn’t pose a problem since it is a WIN 32 executable, not Mac (even if Macs are on Intel’s nowadays).

      I always find this funny when I receive a stupid spam like the fake UPS email:

      “Dear Customer

      The parcel was sent your home adress.
      And it will arrive within 3 buisness days.”

      First, my name is not “Customer”, and secondly, “address” takes 2 D’s. That’s a mistake big corporations wouldn’t make!

      ….BUSTED!! and ……DELETE!!

      SystemCrash

      • FYI

        *.exe files are not meant to be opened ONLY on INTEL processors. They are windows native executable files and are PLATFORM (as in hardware not OS) INDEPENDENT.

      • I had an identical one in my yahoo.co.uk account this morning. I am not expecting any parcel from anyone. Was not going to acknowledge the errors in the e-mail, but SystemCrash has spilt half the beans anyway, so here’s my halfpenny’s worth too: ‘buisness’ doesn’t read quite right either, does it?

        Agree with all the comments from angry and frustrated people who receive this crap, and my sympathies go out to Gerry (30th March) and anyone else who loses precious files and/or work because of the criminal actions of a bunch of useless jobsworths.

        Was going to send info about this scam to UPS but from previous comments it looks like that they know about it already. What are they doing to help eliminate this misuse of their name, anyone know?

        Take care, and best wishes, everyone.

  42. I just got one this morning! But thankfully I didn’t open the attachment… I read the bad grammar, “A parcel was sent YOUR address…”. Also checked all the other people it was sent to…. DELETED!

  43. Oh wow I received the same exact e-mail on my spam folder.
    It seemed suspicious, I didn’t open the attachment but I googled it. Good.

  44. I get a lot of such emails from ####@ups.com. I think the email is from the ups.com staff! The domain registrar should ban the ups.com domain!

  45. Retraced the originating IPs on some of the mail I got in my spam (I never get caught by scams like this); it seems the majority of originating IPs are registered through
    Name Latin American and Caribbean IP address Regional Registry
    Handle LACNIC
    Street Rambla Republica de Mexico 6125
    City Montevideo
    State/Province
    Postal Code 11400
    Country UY
    Registration Date 2002-07-27
    Last Updated 2007-01-09

    —-
    There are others, but this comes up most often when I do a reverse trace on the originating IPs, so I’m inclined to think the one(s) behind this are from Latin America. They are rerouting through other servers/proxies to end up in your mail, but I don’t think they’re using anonymous proxies, because the trace would never give me the same originating IP registry on 5 mail IP addresses (I got a bunch of them in my spam although I never buy on the web with my official email, so Amazon and eBay don’t apply to me).

    I’m not certain though, gotta keep digging, in the mean time, DON’T OPEN THE ATTACHMENT.

  46. I got this email. But mine was a little different: exactly the same, except instead of seven it was three days. Thankfully I live in the UK.

  47. I just received an email in my regular inbox from UPS, Inc. with a delivery notification attached to it. I am not expecting a package from anyone. I deleted it. I’m 99% sure it contains a trojan.

  48. I have been receiving these emails for a couple of months and just got one this morning; it also says 3 days. But I didn’t open them. I am from Australia; thanks guys for the info.

  49. Got one around 2:00 in the morning, I thought, I never ordered any package, looked it up and now I’m not opening it. I thought it was a little suspicious that it was in the spam folder. Thanks for the info though!

  50. I got this mail too, I’m from Sweden… So it’s still circulating. Agree with cmt – thank goodness for google. But I have a mac so I guess I don’t really have to worry anyway.

  51. I have been getting both UPS notifications from support 5, info 6, etc, and also a lot of uniform traffic tickets from NY state, which I’m guessing is pretty much the same trojan

  52. I have 4 mails… but they went to my Yahoo spam folder. I thought to google and check before opening! Thank you Yahoo (for forwarding to the spam folder) and Google and of course all you people on this blog.

  53. Just had this, and what stood out was a .zip file from UPS. Reading it, it refers to their post office, and they never refer to depots as post offices. Message received below. If ever in doubt, don’t open it before checking Google at least. Well done to the original poster of this thread.

    The courier company was not able to deliver your parcel by your address.

    Cause: Error in shipping address.

    You may pickup the parcel at our post office.

    Please attention!
    For mode details and shipping label please see the attached file.
    Print this label to get this package at our post office.

    Please do not reply to this e-mail, it is an unmonitored mailbox!

    Thank you,
    UPS Logistics Services.

    CONFIDENTIALITY NOTICE:
    This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (UPS , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies. Thank You

  54. Somebody at my work downloaded the zip and double-clicked on the .exe.

    Now in the task manager there are random IE applications running (but they can’t be viewed).

    How do I remove this? I’m going to restart this computer in safe mode and run Malwarebytes. Will this get rid of the trojan?

    Any help would be greatly appreciated.
